EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
Summary
The EtherRAT malware is delivered through malicious MSI installers and gives attackers persistent Windows access, raising the risk of covert control inside enterprise environments. The operation uses SEO-poisoned GitHub facades to funnel victims toward the payload while disguising the download as legitimate admin software. Its command-and-control design resolves C2 through Ethereum smart contracts queried via public Ethereum RPC endpoints, so there is no fixed domain or IP to sinkhole or block, which blunts takedown efforts. For persistence the malware registers a Run registry key that launches the payload under conhost.exe --headless, keeping it active across reboots without showing a console window.
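A hunt for the two markers the summary (and the timeline entry below) describe: a Run-key value that wraps its payload in conhost.exe --headless, and eth_call JSON-RPC traffic to public Ethereum endpoints from a process that is not a browser. This is an added example, not code from the Atos or The Hacker News reporting; the sample events are constructed in the style of Sysmon registry events and a web-proxy log, and the RPC host list and the browser allowlist are assumptions to be replaced with your own telemetry, not indicators from the report.

```python
import re

# Constructed sample events (not real telemetry). "registry" events mimic a
# Sysmon Event ID 13 RegistryValueSet; "http" events mimic a proxy log that
# records the JSON-RPC method found in the request body.
SAMPLE_EVENTS = [
    {"kind": "registry",
     "image": r"C:\Users\admin\AppData\Local\Temp\MSI4F2.tmp",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Windows\System32\conhost.exe" --headless "C:\Users\admin\AppData\Roaming\svc\agent.exe"'},
    {"kind": "registry",
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r'"C:\Program Files\Vendor\tray.exe" /startup'},
    {"kind": "http",
     "image": r"C:\Users\admin\AppData\Roaming\svc\agent.exe",
     "host": "cloudflare-eth.com", "method": "eth_call"},
    {"kind": "http",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "cloudflare-eth.com", "method": "eth_call"},
]

# Assumed list of public Ethereum JSON-RPC gateways that an enterprise
# workstation has no business talking to; extend it from your proxy logs.
PUBLIC_ETH_RPC_HOSTS = {"cloudflare-eth.com", "rpc.ankr.com", "eth.llamarpc.com"}

# Assumed allowlist: processes for which chain RPC traffic is expected
# (wallet extensions inside a browser). Everything else is suspect.
ETH_RPC_ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
HEADLESS_CONHOST_RE = re.compile(r'conhost(?:\.exe)?"?\s+--headless', re.I)
WRAPPED_EXE_RE = re.compile(r'conhost(?:\.exe)?"?\s+--headless\s+"?([^"]+?\.exe)"?', re.I)


def headless_target(details):
    """Return the executable that conhost.exe --headless wraps, or None."""
    m = WRAPPED_EXE_RE.search(details)
    return m.group(1) if m else None


def hunt(events):
    """Two-pass hunt: first collect Run-key persistence that hides a payload
    behind conhost --headless, then flag eth_call traffic to public RPC
    gateways, escalating when the calling image is a persisted payload."""
    alerts = []
    persisted = set()  # lowercased paths launched via conhost --headless
    for ev in events:
        if ev["kind"] != "registry":
            continue
        if RUN_KEY_RE.search(ev["target"]) and HEADLESS_CONHOST_RE.search(ev["details"]):
            target = headless_target(ev["details"])
            if target:
                persisted.add(target.lower())
            alerts.append({"rule": "run_key_headless_conhost",
                           "image": ev["image"], "target": target})
    for ev in events:
        if ev["kind"] != "http":
            continue
        if ev["host"].lower() not in PUBLIC_ETH_RPC_HOSTS or ev["method"].lower() != "eth_call":
            continue
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if basename in ETH_RPC_ALLOWED_IMAGES:
            continue
        severity = "high" if ev["image"].lower() in persisted else "medium"
        alerts.append({"rule": "eth_call_to_public_rpc",
                       "image": ev["image"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The correlation is the point: a single eth_call from an unknown binary is only medium confidence, because legitimate wallet and dev tooling exists, but the same binary being the thing a Run key launches through conhost --headless is the combination this campaign relies on and deserves a high-severity alert.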
Related Happenings
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
How related:
Between early December 2025 and April 1, 2026, the threat actor deployed 44 separate GitHub facades, each spoofing a different administrative or developer tool.
About this happening:
A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
Payouts King ransomware QEMU reverse SSH backdoor activity
Malware Activity
First: 17.04.2026 22:10
Last: 17.04.2026 22:10
Sources 1
About this happening:
**Payouts King ransomware** is using **QEMU** hidden virtual machines and a **reverse SSH backdoor** to keep covert access on compromised hosts and evade endpoint security. The ma...
GlassWorm Zig dropper infecting developer IDEs
Malware Activity
First: 10.04.2026 16:23
Last: 10.04.2026 16:23
Sources 1
About this happening:
The **GlassWorm** malware set now uses a **Zig dropper** that can silently infect **all VS Code-based IDEs** on a developer's machine, widening the reach of the compromise. The pa...
Timeline
30.04.2026 14:30 · 2 articles
Atos TRC identifies SEO-poisoned GitHub delivery chain
Initial Disclosure
Atos Threat Research Center identifies a high-resilience campaign that uses SEO poisoning, a clean GitHub facade repository, and a second GitHub repository to deliver malicious MSI installers impersonating administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer. The malware resolves command-and-control through Ethereum smart contracts and public ETH RPC endpoints, and the campaign had already accumulated 44 GitHub facades deployed between early December 2025 and April 1, 2026.
Sources
- EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades — thehackernews.com — 30.04.2026 14:30