TTPwire Vol. 1 · MITRE ATT&CK · Tagged


The Hacker News

EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades

The Hacker News · 5 days ago

ATT&CK techniques detected

14 predictions
T1547.001 Registry Run Keys / Startup Folder · 99%
“…rypted and executed in-memory by stage 1. It is an intermediary stage that decrypts the content of the obfuscated stage 3 payload (0czeedpzmsxwtak.cfg), writes this content into a new file (4s3hkjraap.cfg) and then executes it via node.exe wrapped by “conhost.exe --headl…”

T1608.006 SEO Poisoning · 73%
“EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades. Intro: A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts o…”

T1071 Application Layer Protocol · 71%
“OS command, and the ability to exfiltrate data - all without ever dropping a traditional executable to disk. "Every action that the malware makes, like startup, blockchain resolution, re-obfuscation, every poll request, task receipt, task execution, errors, URL updates are bei…”

T1071 Application Layer Protocol · 54%
“…ralized infrastructure access: block access to the public Ethereum (ETH) RPC endpoints used by EtherRAT, attached in the Appendixes' section. These gateways are the primary heartbeat for the decentralized C2 resolution mechanism. - Retrospective communication review: revie…”

T1041 Exfiltration Over C2 Channel · 53%
“OS command, and the ability to exfiltrate data - all without ever dropping a traditional executable to disk. "Every action that the malware makes, like startup, blockchain resolution, re-obfuscation, every poll request, task receipt, task execution, errors, URL updates are bei…”

T1218.007 Msiexec · 52%
“4.7 MB) at the cost of requiring internet access during infection. Ultimately, Atos researchers identified it to be an EtherRAT malware, a recently emerging threat using Ethereum to store C2 URL addresses, preventing takedown of the infrastructure. Latest versions of installers…”

T1059.007 JavaScript · 48%
“obfuscation mechanism splits all sensitive command names - including curl, tar, copy, start, and cmd - across multiple set variable assignments that are silently concatenated at runtime, ensuring no recognizable keywords appear in the raw file and defeating simple string-based …”

T1055.001 Dynamic-link Library Injection · 47%
“: conhost.exe --headless 1fgure\node.exe 4s3hkjraap.cfg. Stage 3 - RAT file: 0czeedpzmsxwtak.cfg (encrypted) / 4s3hkjraap.cfg (plaintext, ~9.8 KB). Stage 3 is the malware's main payload - a JavaScript file that runs silently in the background on every system boot.…”

T1608.006 SEO Poisoning · 41%
“malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign's inception. Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield blogs. Malware distribution visualisation below demonstrat…”

T1608.006 SEO Poisoning · 40%
“…s at the very top of Bing. This dominant search presence effectively masks the threat, as the facade repositories appear as the primary, verified download locations for essential IT tools. Such high visibility on the front page is the critical factor that could help campaign’…”

T1566.004 Spearphishing Voice · 38%
“persistent backdoors within corporate environments, which can lead to large-scale breaches. The current threat landscape is defined by the strategic impersonation of utilities foundational to modern IT operations, such as PsExec, AzCopy, Sysmon, and LAPS. The rationale for sele…”

T1071.001 Web Protocols · 34%
“…ralized infrastructure access: block access to the public Ethereum (ETH) RPC endpoints used by EtherRAT, attached in the Appendixes' section. These gateways are the primary heartbeat for the decentralized C2 resolution mechanism. - Retrospective communication review: revie…”

T1583.001 Domains · 32%
“contracts creates an infrastructure that is particularly difficult to dismantle. Malware analysis of the MSI payload distributed across this campaign identifies it as an EtherRAT, a modular Node.js backdoor distinguished by its high-resilience "EtherHiding" C2 module. The sy…”

T1218.007 Msiexec · 31%
“Given the administrative nature of the victims, this often transitions into a "keys to the kingdom" scenario. Find out the latest threat intelligence and adversary research insights on Atos Cyber Shield blogs. Malware logic: Atos TRC has analyzed a number of .msi installers from…”

Summary

Intro

A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Optimization (SEO)