EtherRAT: GitHub Fronts and Blockchain C2 — Threat to Administrators

Colleagues, please note: Atos TRC has observed an EtherRAT campaign distributing MSI installers via SEO and GitHub storefronts, masquerading as administrative utilities.
Mechanics: SEO → clean README façade → hidden repository hosting MSI.
C2: address is stored in an Ethereum contract; the RAT retrieves it via public ETH RPC.
Target: privileged administrators/DevOps — exposing "keys to the infrastructure".
Mitigation: block public ETH RPC endpoints, centralize distribution of administrative tools, audit logs and hunt for suspicious behavior (node.exe, conhost --headless, frequent beacons).
Why it matters: enables prolonged covert access to critical infrastructure.
How do you verify the provenance of admin tools in your organization?
#cybersecurity #ThreatIntel #EtherRAT #DevOps
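An added example, not part of the post or of Atos TRC's tooling, of the hunt the mitigation line describes, run over constructed telemetry: it flags headless conhost, node.exe executing a script from a user-writable path (that path heuristic is this example's assumption, not the post's), and beacon-like connection cadence to a single destination. The event field names, hosts and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed endpoint telemetry (not real logs): process-creation and outbound-connection
# records as a SIEM might export them. Times are ISO-8601; dst is "ip:port".
# 8545 is the default Ethereum JSON-RPC port; the address is a documentation-range value.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "type": "proc", "image": "conhost.exe",
     "cmdline": r"conhost.exe --headless node.exe C:\Users\admin\AppData\Local\Temp\svc.js"},
    {"ts": "2024-05-01T10:00:01", "type": "proc", "image": "node.exe",
     "cmdline": r"node.exe C:\Users\admin\AppData\Local\Temp\svc.js"},
    {"ts": "2024-05-01T10:00:30", "type": "proc", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2024-05-01T10:02:00", "type": "net", "image": "chrome.exe", "dst": "198.51.100.5:443"},
] + [
    # node.exe contacting the same endpoint every 30 s for five minutes: beacon-like
    {"ts": f"2024-05-01T10:{m:02d}:{s:02d}", "type": "net", "image": "node.exe",
     "dst": "203.0.113.10:8545"}
    for m in range(0, 5) for s in (0, 30)
]


def suspicious_processes(events):
    """Flag the process patterns named in the post: conhost --headless, and node.exe
    running a script from AppData/Temp (the path check is this example's assumption)."""
    hits = []
    for e in events:
        if e["type"] != "proc":
            continue
        img, cmd = e["image"].lower(), e["cmdline"].lower()
        if img == "conhost.exe" and "--headless" in cmd:
            hits.append(("conhost_headless", e["ts"], e["cmdline"]))
        elif img == "node.exe" and ("\\appdata\\" in cmd or "\\temp\\" in cmd):
            hits.append(("node_user_writable_path", e["ts"], e["cmdline"]))
    return hits


def beacon_candidates(events, min_count=6, max_median_interval=60):
    """Group outbound connections by (image, dst) and report pairs seen at least
    min_count times with a median gap of at most max_median_interval seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "net":
            by_pair[(e["image"], e["dst"])].append(datetime.fromisoformat(e["ts"]))
    out = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_interval:
            out.append((pair, len(times), median(gaps)))
    return out
```

Thresholds are deliberately loose so the regular cadence stands out; tune min_count and the interval to your environment's baseline before alerting on them.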

