Spoofed GitHub IT Tools Spread EtherRAT via Ethereum-Based C2
Researchers reported a stealthy malware campaign targeting enterprise administrators, DevOps engineers, and security analysts by impersonating trusted administrative and developer utilities in malicious MSI installers. The operation used SEO poisoning to push victims toward spoofed tool listings and a dual-stage GitHub distribution chain in which benign-looking facade repositories redirected users to secondary repositories hosting the real payload, enabling operators to rotate malware quickly while preserving search credibility. At least 44 GitHub facade repositories spoofing IT tools were observed between December 2025 and early April 2026.
The payload, EtherRAT, is a multi-stage Node.js remote access trojan that downloads Node.js at runtime, establishes registry-based persistence, and executes through conhost.exe with a --headless argument to reduce visibility. Researchers said the malware uses layered AES-256-CBC encryption and retrieves its live command-and-control endpoint through public Ethereum RPC services and a hardcoded smart contract, effectively using the blockchain as a dead-drop resolver that complicates domain and IP takedowns. Reporting linked the campaign to prior EtherRAT and EtherHiding activity and said the tradecraft overlaps with malware previously associated with Lazarus Group, while also noting code similarities to Tsundere, a malware family tied in other research to MuddyWater (APT34).
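The summary above, and the LevelBlue timeline event further down, describe three host-level behaviours a defender can hunt for independently of the rotating GitHub repositories and the blockchain-resolved C2: execution through conhost.exe --headless wrapping a Node.js runtime, Run-key persistence pointing at a user-writable Node.js install, and a non-browser process talking to a public Ethereum JSON-RPC provider. The script below is an added example written for this page, not code from Atos, LevelBlue, The DFIR Report or any other cited source. The JSON-line telemetry, the list of RPC provider domains, the browser allow-list and the escalation threshold are all constructed assumptions, not indicators taken from the reporting.

```python
"""
Triage of Sysmon-style endpoint telemetry for the EtherRAT behaviours described
in the reporting. Added example for this page; all sample data is constructed.
"""
import json
import re

# Assumed representative public Ethereum JSON-RPC provider domains. This is a
# constructed hint list for the example, not an indicator list from the reporting.
PUBLIC_ETH_RPC_HINTS = ("infura.io", "alchemy.com", "ankr.com", "publicnode.com", "cloudflare-eth.com")
# Processes for which contact with an RPC provider is plausibly user-driven (assumed).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}

NODE_RE = re.compile(r"\bnode(?:\.exe)?\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.IGNORECASE)

# Constructed sample telemetry flattened to JSON lines. Paths and hosts are invented.
SAMPLE_EVENTS = r'''
{"type": "process", "pid": 4120, "image": "C:\\Windows\\System32\\conhost.exe", "cmdline": "conhost.exe --headless C:\\Users\\alice\\AppData\\Local\\nodeapp\\node.exe main.js"}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater", "data": "C:\\Users\\alice\\AppData\\Local\\nodeapp\\node.exe C:\\Users\\alice\\AppData\\Local\\nodeapp\\main.js"}
{"type": "network", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\nodeapp\\node.exe", "dest_host": "mainnet.infura.io", "dest_port": 443, "rpc_method": "eth_call"}
{"type": "process", "pid": 5000, "image": "C:\\Windows\\System32\\conhost.exe", "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"}
{"type": "network", "pid": 6200, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_host": "mainnet.infura.io", "dest_port": 443}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "OneDrive", "data": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"}
'''


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_headless_conhost_node(ev):
    """Rule 1: conhost.exe started with --headless whose command line hands off to node."""
    if ev.get("type") != "process" or _basename(ev.get("image", "")) != "conhost.exe":
        return None
    cmd = ev.get("cmdline", "")
    if "--headless" in cmd.lower() and NODE_RE.search(cmd):
        return f"pid {ev.get('pid')}: conhost.exe --headless launching Node.js"
    return None


def check_run_key_node(ev):
    """Rule 2: a Run/RunOnce value that starts node from a user-writable directory."""
    if ev.get("type") != "registry" or not RUN_KEY_RE.search(ev.get("key", "")):
        return None
    data = ev.get("data", "")
    if NODE_RE.search(data) and USER_WRITABLE_RE.search(data):
        return f"Run value '{ev.get('value')}': Node.js persistence from user-writable path"
    return None


def check_non_browser_eth_rpc(ev):
    """Rule 3: a non-browser process reaching a public Ethereum JSON-RPC provider."""
    if ev.get("type") != "network":
        return None
    host = ev.get("dest_host", "").lower()
    rpc_host = any(host == h or host.endswith("." + h) for h in PUBLIC_ETH_RPC_HINTS)
    rpc_method = ev.get("rpc_method", "").startswith("eth_")
    image = _basename(ev.get("image", ""))
    if (rpc_host or rpc_method) and image not in BROWSERS:
        return f"pid {ev.get('pid')}: {image} -> {host} ({ev.get('rpc_method', 'no method seen')})"
    return None


RULES = {
    "headless_conhost_node": check_headless_conhost_node,
    "run_key_node_persistence": check_run_key_node,
    "non_browser_eth_rpc": check_non_browser_eth_rpc,
}


def triage(jsonl):
    """Run every rule over each JSON-line event; return (rule_name, detail) hits in order."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append((name, detail))
    return findings


def verdict(findings):
    """Escalate only when independent behaviours co-occur. A single hit can be benign
    (conhost --headless is a legitimate ConPTY feature); two or more distinct rules
    firing on one host match the described execution + persistence + resolver chain."""
    distinct = {name for name, _ in findings}
    if len(distinct) >= 2:
        return "high"
    if distinct:
        return "low"
    return "none"


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name, detail in hits:
        print(f"[{name}] {detail}")
    print("verdict:", verdict(hits))
```

On the constructed sample the first three events each trip one rule and the three benign events trip none, so the host is scored "high". The design point is the correlation in verdict(): each rule on its own has a legitimate explanation, which is why the reporting's combination of headless console, Run-key persistence and blockchain dead-drop lookup is a stronger signal than any of the three alone.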

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
LevelBlue reports updated EtherRAT variant via trojanized Tftpd64
LevelBlue SpiderLabs reported that threat actors were distributing a trojanized Windows Tftpd64 utility from a spoofed GitHub repository to infect IT administrators and network professionals with a more sophisticated EtherRAT variant. The updated malware was described as combining host compromise with cryptocurrency theft, using bundled Node.js components, persistence via Windows Run keys, system reconnaissance, and interaction with Ethereum RPC endpoints and wallet addresses.
The Hacker News reports Atos findings on EtherRAT distribution
The Hacker News summarized Atos Threat Research Center's analysis, highlighting EtherRAT's Node.js-based multi-stage design, AES-256-CBC encryption, registry persistence, and blockchain-based dead-drop C2 resolution via Ethereum smart contracts. The report brought broader public attention to the campaign's technical details and resilience mechanisms.
Research links EtherRAT activity to DPRK-aligned tradecraft
In early April 2026, public threat research described the stealthy spoofed-tool campaign distributing EtherRAT and assessed it as suspected to be linked to a DPRK APT. The reporting also noted prior visibility from KISA and KrCERT/CC and referenced overlaps with previously attributed malware and infrastructure.
April 2026 intrusion ends with The Gentlemen ransomware deployment
In April 2026, DFIR Report described an intrusion that began when a user ran a malicious MSI posing as Sysinternals RAMMap, installing an EtherRAT variant that resolved C2 via Ethereum infrastructure. The actor then deployed TukTuk, conducted credential theft and lateral movement, exfiltrated data with Rclone to Wasabi, and ultimately pushed The Gentlemen ransomware domain-wide via a malicious GPO.
Atos documents 44 spoofed GitHub repositories in the campaign
By April 1, 2026, Atos had identified 44 GitHub facade repositories tied to the EtherRAT distribution effort. The finding showed sustained and organized abuse of GitHub to distribute the malware at scale.
EtherRAT campaign remains active through March 2026
The malware operation continued through March 2026, using SEO poisoning and a dual-stage GitHub distribution model to deliver EtherRAT while allowing operators to rotate payload repositories without losing search visibility. The campaign targeted high-privilege enterprise users with spoofed administrative tools.
Malicious GitHub facades begin spoofing IT and developer tools
Atos observed the campaign using GitHub facade repositories impersonating trusted administrative and developer utilities starting in December 2025. These repositories were used to lure enterprise administrators, DevOps engineers, and security analysts into downloading malicious MSI installers.
EtherRAT GitHub facade activity begins by December 2024
Atos reported that the EtherRAT distribution campaign had deployed at least 17 GitHub facade repositories starting in December 2024. The finding pushes the known start of the operation back a full year earlier than previously captured and shows the campaign had been active well before its 2026 public reporting.
Sources
6 references tracked.
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware (The DFIR Report, thedfirreport.com)
More sophisticated EtherRAT malware variant delivered via trojanized installer | brief (SC Media, scworld.com)
EtherRAT Campaign Uses SEO Poisoning and GitHub Facades to Target Enterprise Admins (cybersecuritynews.com)
EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades (The Hacker News, thehackernews.com)
New EtherRAT Variant Uses Trojanized Tftpd64 Installer to Bridge Web2 Malware and Web3 Theft (cybersecuritynews.com)
Threat Research: Spoofed IT Tools Distribute EtherRAT in Highly Stealthy Campaign Suspected Linked to DPRK APT, by PhatomCandle, Apr 2026 (medium.com)