GitHub facades, Ethereum contracts used to deliver EtherRAT

Atos found attackers used SEO-poisoned GitHub storefronts and Ethereum smart contracts to deliver MSI installers that deployed EtherRAT to enterprise administrators.

Atos Threat Research Center reported in March 2026 that attackers used SEO-poisoned GitHub storefront repositories and Ethereum smart contracts to deliver MSI installers that installed a JavaScript remote access trojan called EtherRAT. The campaign targeted enterprise administrators, DevOps engineers and security analysts and ran from early December 2025 through April 1, 2026.

The operation used a two-stage GitHub distribution chain. Public, SEO-optimized facade repositories contained professional README files and a link to secondary, hidden accounts that hosted the malicious MSI files. Atos identified 44 distinct facade repositories that impersonated Windows administrative and developer tools, including PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer and ProcDump.

The installers executed a multi-stage payload. An obfuscated Windows batch dropper ran as a Custom Action from the MSI, downloaded the Node.js runtime at install time and launched an in-memory Node.js loader. The loader decrypted later stages using layered AES-256-CBC encryption. An intermediate stage wrote a persistently named file and added a registry Run key for persistence; the final RAT ran inside conhost.exe with a `--headless` argument. The malware logs activity to `%APPDATA%\svchost.log` and periodically re-encrypts and replaces its own code.

Each sample contained an Ethereum smart contract address rather than a hardcoded domain or IP. The malware queried multiple public Ethereum RPC endpoints in parallel and used the majority response to obtain the current command-and-control server address. Atos observed samples polling nine RPC services and re-checking the contract every five minutes. The researchers mapped at least one contract and its funding wallet and found on-chain updates that matched changes in live C2 addresses. An earlier sample included a fallback hardcoded IP that matched the first value set in the contract.

Atos reported code overlaps between EtherRAT's resolver module and other malware families previously linked to state-backed activity, and noted similar logic in samples connected to both North Korean and Iranian-linked operations. The researchers reported that the campaign remained active and continued to evolve technically.

Atos recommended blocking access to the public Ethereum RPC gateways used by the malware, reviewing historical logs for outbound traffic to those RPC endpoints and the identified C2 domains, and enforcing that administrators obtain utilities from verified internal repositories or authenticated vendor sites. The researchers advised hunting for node.exe processes invoking shell commands and for conhost.exe running with the `--headless` argument. Atos published indicators of compromise and initiated takedown actions against the identified distribution infrastructure.
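The hunting guidance above, together with the Ethereum RPC polling behaviour described earlier, translates directly into host-telemetry rules. The following is an added example written for this article, not code from Atos or from the EtherRAT samples: it runs four checks over a handful of constructed Sysmon-style events (process creation, network connection and file creation) and reports which hosts match. The gateway hostnames in `ETH_RPC_HOSTS` are placeholders, since the article does not name the nine RPC services; an analyst would substitute the endpoints from the published indicators.

```python
"""Hunt constructed endpoint telemetry for the EtherRAT behaviours the article
describes: node.exe spawning a shell, conhost.exe started with --headless,
outbound traffic to public Ethereum RPC gateways, and writes to
%APPDATA%\\svchost.log. Example code, not the vendor's detection content."""
import ntpath
from collections import Counter

# Constructed sample events in a simplified Sysmon-like schema.
# EventID 1 = process creation, 3 = network connection, 11 = file creation.
SAMPLE_EVENTS = [
    # node.exe launched from a temp directory spawns cmd.exe (suspicious)
    {"EventID": 1, "Computer": "WS-ADMIN01",
     "Image": r"C:\Users\admin\AppData\Local\Temp\node\node.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "node.exe -e <inline script>"},
    {"EventID": 1, "Computer": "WS-ADMIN01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\admin\AppData\Local\Temp\node\node.exe",
     "CommandLine": "cmd.exe /c set"},
    # conhost.exe with the --headless argument (suspicious)
    {"EventID": 1, "Computer": "WS-ADMIN01",
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Users\admin\AppData\Local\Temp\node\node.exe",
     "CommandLine": "conhost.exe --headless"},
    # ordinary conhost.exe launch (benign)
    {"EventID": 1, "Computer": "WS-DEV02",
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    # developer running a build script under VS Code (benign)
    {"EventID": 1, "Computer": "WS-DEV02",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "node build.js"},
    # outbound HTTPS to a placeholder Ethereum RPC gateway (suspicious)
    {"EventID": 3, "Computer": "WS-ADMIN01",
     "Image": r"C:\Users\admin\AppData\Local\Temp\node\node.exe",
     "DestinationHostname": "rpc.eth-gateway.example",
     "DestinationPort": 443},
    # activity log written under %APPDATA% (suspicious)
    {"EventID": 11, "Computer": "WS-ADMIN01",
     "Image": r"C:\Windows\System32\conhost.exe",
     "TargetFilename": r"C:\Users\admin\AppData\Roaming\svchost.log"},
]

# Placeholder hostnames: the article does not list the RPC services, so an
# analyst would replace these with the endpoints from the published IoCs.
ETH_RPC_HOSTS = {"rpc.eth-gateway.example", "mainnet.eth-rpc.example"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased final component of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def node_spawns_shell(ev):
    return (ev["EventID"] == 1
            and basename(ev.get("ParentImage", "")) == "node.exe"
            and basename(ev["Image"]) in SHELLS)


def conhost_headless(ev):
    return (ev["EventID"] == 1
            and basename(ev["Image"]) == "conhost.exe"
            and "--headless" in ev.get("CommandLine", "").lower().split())


def eth_rpc_egress(ev):
    return (ev["EventID"] == 3
            and ev.get("DestinationHostname", "").lower() in ETH_RPC_HOSTS)


def svchost_log_write(ev):
    return (ev["EventID"] == 11
            and basename(ev["TargetFilename"]) == "svchost.log"
            and "\\appdata\\roaming\\" in ev["TargetFilename"].lower())


RULES = {
    "node_spawns_shell": node_spawns_shell,
    "conhost_headless": conhost_headless,
    "eth_rpc_egress": eth_rpc_egress,
    "svchost_log_write": svchost_log_write,
}


def hunt(events):
    """Return (rule, computer, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["Computer"], basename(ev["Image"])))
    return hits


def summarize(hits):
    """Count matches per rule so a hunter can see which behaviours fired."""
    return Counter(name for name, _, _ in hits)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print(dict(summarize(hunt(SAMPLE_EVENTS))))
```

The benign events show why each rule needs its parent-process or argument condition: node.exe under an editor and a normal conhost.exe launch produce no hits, while the constructed WS-ADMIN01 events fire all four rules.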
