EtherRAT Campaign Uses Ethereum Smart Contracts for Resilient C2, Spoofs Enterprise Admin Tools via GitHub
Atos TRC has uncovered a March 2026 campaign targeting enterprise admins and DevOps with malicious MSI installers disguised as PsExec, AzCopy, and Sysmon, using Ethereum smart contracts for takedown-resistant command and control.

Atos Threat Research Center (TRC) identified in March 2026 a sophisticated malware campaign that targets enterprise administrators, DevOps engineers, and security analysts by impersonating trusted administrative utilities. The operation, which distributes malicious MSI installers disguised as tools like PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer, uses a dual-stage GitHub facade architecture and blockchain-based command-and-control to achieve extreme operational resilience.
The attack begins with SEO poisoning across search engines including Bing, Yahoo, DuckDuckGo, and Yandex, ensuring that malicious results for niche IT terms rank prominently. Users are directed to a primary "facade" GitHub repository that contains no malicious code — only a professional-looking README file optimized for search rankings. That README contains a link to a second, hidden GitHub repository that serves as the true distribution point for the malware. By separating the SEO-optimized storefront from the payload delivery account, the threat actors can rapidly rotate distribution repositories if flagged while the primary facade remains active.
The campaign focuses on the administrative stack, distributing malware disguised as utilities almost exclusively used by personnel with elevated network and system permissions. A successful infection on an administrator's workstation may provide the "keys to the kingdom," enabling lateral movement inside enterprise environments. The impersonated tools include PsExec for remote execution, AzCopy for Azure data transfer, Sysmon for system monitoring, LAPS for local administrator password management, and Kusto Explorer for Azure Data Explorer queries.
The most technically significant aspect of the campaign is its implementation of blockchain-based Dead Drop Resolving (DDR). Once the malicious MSI is executed, the malware does not reach out to a hardcoded domain or IP address that could be easily blocklisted. Instead, it repeatedly queries a public Ethereum (ETH) JSON-RPC endpoint using a smart contract address that is hardcoded in the binary, and reads the live C2 server address out of that contract's stored state. This technique gives the adversary extreme resilience: the attacker can rotate C2 servers globally simply by updating the value stored in the contract, and as long as public Ethereum gateways are reachable, the malware can always find its "home," making traditional domain takedown or blocking efforts ineffective. The same property is the defender's lever: the RPC traffic itself (an eth_call to a fixed contract from a host that has no business talking to an Ethereum gateway) is observable at the proxy even when the C2 address it resolves is not.
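The following Python is an added detection example, not code from the report or from Atos TRC. It assumes a web proxy that logs the JSON-RPC request body and the paired response for outbound POSTs, and it flags `eth_call` requests from hosts outside an allowlist of known blockchain-development systems. The gateway hostname, contract address, function selector and resolved C2 value in the sample records are all constructed placeholders, not indicators from the campaign. The ABI decoding follows the standard Solidity encoding for a dynamic `string` return value (a 32-byte offset, a 32-byte length, then the bytes padded to a 32-byte boundary), which is what an analyst sees when a contract's getter returns a hostname or URL.

```python
import json
from typing import Optional

# --- ABI helpers (standard Solidity encoding of a dynamic `string`) ---

def abi_encode_string(s: str) -> str:
    """Encode a string as a single dynamic ABI return value. Used here only to
    build constructed sample responses."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


def abi_decode_string(result_hex: str) -> Optional[str]:
    """Decode the `result` of an eth_call whose contract function returns a
    string. Returns None for malformed or truncated payloads instead of raising,
    so a single odd response cannot stop a log scan."""
    hexpart = result_hex[2:] if result_hex.startswith("0x") else result_hex
    try:
        raw = bytes.fromhex(hexpart)
    except ValueError:
        return None
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        return None
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


# --- Constructed sample proxy records (placeholders, not real IoCs) ---

PLACEHOLDER_CONTRACT = "0x" + "ab" * 20          # constructed, not the campaign's
PLACEHOLDER_SELECTOR = "0x12345678"              # constructed 4-byte selector

SAMPLE_RECORDS = [
    {   # admin workstation calling a contract getter: should be flagged
        "src": "ws-admin-17.corp.example",
        "dst": "eth-gateway.example.net",
        "request": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                               "params": [{"to": PLACEHOLDER_CONTRACT,
                                           "data": PLACEHOLDER_SELECTOR}, "latest"]}),
        "response": json.dumps({"jsonrpc": "2.0", "id": 1,
                                "result": abi_encode_string("c2.example.invalid:8443")}),
    },
    {   # benign block-height poll: not an eth_call, not flagged
        "src": "ws-admin-17.corp.example",
        "dst": "eth-gateway.example.net",
        "request": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber",
                               "params": []}),
        "response": json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x10"}),
    },
    {   # allowlisted blockchain dev box doing the same call: not flagged
        "src": "web3-dev-01.corp.example",
        "dst": "eth-gateway.example.net",
        "request": json.dumps({"jsonrpc": "2.0", "id": 3, "method": "eth_call",
                               "params": [{"to": PLACEHOLDER_CONTRACT,
                                           "data": PLACEHOLDER_SELECTOR}, "latest"]}),
        "response": json.dumps({"jsonrpc": "2.0", "id": 3,
                                "result": abi_encode_string("c2.example.invalid:8443")}),
    },
]


# --- Detection logic ---

def analyze_record(rec: dict, allowed_sources=frozenset()) -> Optional[dict]:
    """Return a finding for an eth_call from a non-allowlisted host, else None.
    The finding carries the contract, the 4-byte selector and, when the
    response decodes as a string, the value the contract handed back."""
    try:
        req = json.loads(rec["request"])
    except (ValueError, KeyError, TypeError):
        return None
    if req.get("method") != "eth_call" or rec.get("src") in allowed_sources:
        return None
    params = req.get("params") or []
    call = params[0] if params and isinstance(params[0], dict) else {}
    resolved = None
    if rec.get("response"):
        try:
            result = json.loads(rec["response"]).get("result")
            if isinstance(result, str):
                resolved = abi_decode_string(result)
        except (ValueError, AttributeError):
            pass
    return {"src": rec.get("src"), "gateway": rec.get("dst"),
            "contract": call.get("to"),
            "selector": (call.get("data") or "")[:10],
            "resolved": resolved}


def scan(records, allowed_sources=frozenset()) -> list:
    """Run analyze_record over a batch of proxy records and keep the findings."""
    return [f for f in (analyze_record(r, allowed_sources) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS, {"web3-dev-01.corp.example"}):
        print(json.dumps(finding))
```

The allowlist is the important design choice: public Ethereum gateway traffic is not malicious in itself, so the rule keys on who is making the call and on the `eth_call` method rather than on any address. The decoded `resolved` value is what turns a proxy alert into a pivot, since it is the C2 host the implant would contact next and can be checked against egress logs immediately.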
Atos TRC's investigation confirms that the malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign's inception. The researchers noted a preliminary alert from KISA&KrCERT/CC regarding this threat actor's campaign, but their longitudinal investigation confirms the campaign remains highly active and has undergone significant technical maturation.
The campaign represents a significant escalation in malware resilience techniques, leveraging decentralized blockchain infrastructure to create command-and-control channels that are virtually impossible to disrupt through traditional takedown methods. For enterprise defenders, the targeting of high-privilege administrative accounts and the use of SEO poisoning to distribute malware through trusted platforms like GitHub underscore the need for enhanced vetting of downloaded tools and monitoring of blockchain-based communication patterns.