
EtherRAT Hides C2 in Ethereum Smart Contracts, Lures Admins via GitHub Decoys

Via The Hacker News. Original source: "EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades"

Atos researchers tracked a campaign called EtherRAT that targets the high-privilege workstations of sysadmins, DevOps engineers, and security analysts by impersonating tools like PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer. The delivery chain runs through a two-stage GitHub structure: an SEO-optimized ‘facade’ repository with a clean README ranks at the top of Bing, Yahoo, DuckDuckGo, and Yandex, then funnels victims through a README link to a separate repo hosting the malicious MSI. Decoupling the search-indexed storefront from the payload account lets operators burn and rotate distribution repos without losing rankings — 44 facade repos were observed between December 2025 and April 2026.

The technically notable layer is C2 resolution. Rather than embedding a domain or IP, the MSI payload queries a hardcoded Ethereum smart contract via public RPC endpoints to fetch the live C2 address. Updating a contract value re-points every infected host globally, and takedowns of the underlying gateways are essentially unworkable as long as public Ethereum nodes remain reachable.
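A detection-side illustration of that resolution step, added here and not code from the article or from Atos: it sweeps constructed web-proxy log records for Ethereum JSON-RPC state reads (`eth_call` and similar) issued by workstations that have no business talking to a blockchain gateway, and pulls out the queried contract address and function selector as hunt indicators. The gateway hostname, workstation names and contract address are placeholders, not indicators from the campaign.

```python
import json

# Ethereum JSON-RPC methods that read contract state. An admin workstation
# running PsExec/AzCopy/Sysmon has no reason to issue these.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

def parse_rpc_body(body: str):
    """Return (rpc_method, contract_address, selector) for a state read, else None."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STATE_READ_METHODS:
        return None
    params = msg.get("params") or []
    call = params[0] if params and isinstance(params[0], dict) else {}
    data = call.get("data") or ""
    # First 4 bytes of calldata are the ABI function selector (same getter => same selector).
    selector = data[:10] if data.startswith("0x") and len(data) >= 10 else None
    return msg["method"], call.get("to"), selector

def find_contract_lookups(lines, allowlist=frozenset()):
    """Flag POSTs whose body is an Ethereum state read, from non-allowlisted hosts."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed log lines instead of aborting the sweep
        if rec.get("method") != "POST" or rec.get("src") in allowlist:
            continue
        parsed = parse_rpc_body(rec.get("body", ""))
        if parsed:
            hits.append({"src": rec["src"], "host": rec["host"], "rpc_method": parsed[0],
                         "contract": parsed[1], "selector": parsed[2]})
    return hits

# Constructed sample proxy log lines (one JSON record per line); the gateway
# hostname and contract address are placeholders, not indicators from the article.
def _rec(src, host, method, body=None):
    return json.dumps({"src": src, "host": host, "method": method,
                       "body": json.dumps(body) if body is not None else ""})

SAMPLE_LOGS = [
    _rec("ws-admin-01", "rpc.eth-gateway.example", "POST",
         {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
          "params": [{"to": "0x" + "ab" * 20, "data": "0x12345678"}, "latest"]}),
    _rec("ws-admin-01", "github.com", "GET"),
    _rec("ws-dev-02", "rpc.eth-gateway.example", "POST",
         {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
]
```

Feed the real proxy export in place of `SAMPLE_LOGS`; the `contract` value each hit yields is what to block at the egress layer and pivot on across other hosts.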

The targeting choice is deliberate: admin tooling acts as automated victim profiling, since only privileged operators install these utilities. A single successful execution hands attackers a foothold suited for lateral movement and credential abuse. KISA/KrCERT flagged the activity earlier, and Atos confirms the campaign is still active with multiple malware variants and expanding C2 infrastructure.


This is an AI-generated summary. Read the original for the full story.