EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
Summary
Hide ▲
Show ▼
The EtherRAT malware is being delivered through malicious MSI installers and gives attackers persistent Windows access, increasing the risk of covert control inside enterprise environments. The operation uses SEO-poisoned GitHub facades to funnel victims toward the payload while disguising the download as legitimate admin software. Its command-and-control design relies on Ethereum smart contracts and public RPC lookups, making takedown and blocking efforts less effective. The malware also uses conhost.exe --headless and a Run registry key to remain active across reboots.
Related Happenings
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Miasma supply-chain malware activity
Malware Activity
H score34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma supply-chain malware activity
Malware ActivityAbout this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Shai-Hulud PyPI supply-chain malware activity
Malware ActivityAbout this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
Timeline
-
30.04.2026 14:30 2 articles · 2mo ago
Atos TRC identifies SEO-poisoned GitHub delivery chain
Initial DisclosureAtos Threat Research Center identifies a high-resilience campaign that uses SEO poisoning, a clean GitHub facade repository, and a second GitHub repository to deliver malicious MSI installers impersonating administrative tools such as PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer. The malware resolves command-and-control through Ethereum smart contracts and public ETH RPC endpoints, and the campaign had already accumulated 44 GitHub facades deployed between early December 2025 and April 1, 2026.
Show sources
- EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades — thehackernews.com — 30.04.2026 14:30
- EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades — thehackernews.com — 30.04.2026 14:30