Find notable cyber news and cases, enriched with sources, timelines, and signals.

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

The EtherRAT malware is being delivered through malicious MSI installers and gives attackers persistent Windows access, increasing the risk of covert control inside enterprise environments. The operation uses SEO-poisoned GitHub facades to funnel victims toward the payload while disguising the download as legitimate admin software. Its command-and-control design relies on Ethereum smart contracts and public RPC lookups, making takedown and blocking efforts less effective. The malware also uses conhost.exe --headless and a Run registry key to remain active across reboots.

Related Happenings

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Miasma supply-chain malware activity

Malware Activity
H score34 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score22 First: 08.06.2026 23:41 Last: 08.06.2026 23:41 Sources 1

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Timeline

  1. 30.04.2026 14:30 2 articles · 2mo ago

    Atos TRC identifies SEO-poisoned GitHub delivery chain

    Initial Disclosure

    Atos Threat Research Center identifies a high-resilience campaign that uses SEO poisoning, a clean GitHub facade repository, and a second GitHub repository to deliver malicious MSI installers impersonating administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer. The malware resolves command-and-control through Ethereum smart contracts and public ETH RPC endpoints, and the campaign had already accumulated 44 GitHub facades deployed between early December 2025 and April 1, 2026.

    Show sources