The EtherRAT distribution campaign described by The Hacker News in April 2026 uses a multi-layered GitHub facade to deliver malicious MSI installers that impersonate common administrative tools, aided by aggressive SEO poisoning across search engines to steer victims to the storefront repositories. Between December 2025 and 1 April 2026, the threat actors deployed 44 separate GitHub facades spoofing different administrative or developer tools, with a second, malicious repository hosting the actual payload.
The campaign relies on a dual-stage GitHub distribution chain and a decentralised C2 model that stores live C2 addresses in an Ethereum smart contract, so the operators can update them on-chain without redeploying the malware. The four-stage, in-memory workflow starts with a staged MSI dropper, followed by an in-memory loader, a persistence/later stage and finally a Remote Access Trojan (RAT) stage written in JavaScript; the payload is decrypted and executed in memory.
Sysdig researchers link the activity to the Lazarus Group, an attribution the article notes, and EtherRAT's EtherHiding C2 module resolves the backend address through public Ethereum RPC gateways. The campaign's longevity is attributed to the separation of facade and payload repositories and to blockchain-based C2 resolution, which together complicate takedowns and domain blocklists.
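The detection problem the EtherHiding model creates is worth making concrete. Reading a value from a contract is a read-only JSON-RPC `eth_call`: no transaction is sent, so nothing appears on-chain, and the request goes to a reputable public gateway that a domain blocklist cannot sensibly cover. What a defender still has is the traffic itself: `eth_call` requests from processes that have no reason to speak Ethereum, and the ABI-encoded string the contract returns, which can be decoded to recover the live C2 indicator for blocking. The Python below is an added example written for this page, not code from the article or from the Sysdig write-up; the process allowlist, proxy log records, gateway hostname, contract address, function selector and C2 URL are all constructed placeholders.

```python
"""Triage helper for the EtherHiding C2-resolution pattern: flag eth_call
traffic from non-approved processes and decode the returned string.

Added example for this page; every value below is constructed."""
import json
from typing import Iterable, List, Optional

# Constructed allowlist of tools that legitimately speak Ethereum JSON-RPC.
APPROVED_RPC_CLIENTS = {"wallet-app.exe", "hardhat-node.exe"}

# Constructed placeholders standing in for the real contract and C2 string.
CONSTRUCTED_CONTRACT = "0x" + "ab" * 20
CONSTRUCTED_C2 = "https://c2.example.invalid/gate"


def abi_encode_string(s: str) -> str:
    """Encode s as a Solidity `string` return value: 32-byte offset (always 32
    for a single return value), 32-byte length, then data zero-padded to a
    32-byte boundary. Used here only to build the constructed sample."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() \
        + len(data).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(result_hex: str) -> Optional[str]:
    """Decode a single ABI-encoded `string` from an eth_call result.
    Returns None when the bytes are not shaped like a string, so a numeric or
    bytes32 result does not produce a bogus indicator."""
    hexdata = result_hex[2:] if result_hex.startswith("0x") else result_hex
    try:
        raw = bytes.fromhex(hexdata)
    except ValueError:
        return None
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    try:
        return raw[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def triage_proxy_log(lines: Iterable[str], approved: set) -> List[dict]:
    """One finding per eth_call issued by a process outside the allowlist.
    Each proxy record is a JSON line with ts, proc, host, req and resp bodies."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        try:
            req = json.loads(rec.get("req") or "{}")
            resp = json.loads(rec.get("resp") or "{}")
        except json.JSONDecodeError:
            continue  # body is not JSON-RPC; nothing to inspect
        if req.get("method") != "eth_call" or rec["proc"] in approved:
            continue
        params = req.get("params") or [{}]
        contract = params[0].get("to") if isinstance(params[0], dict) else None
        result = resp.get("result")
        decoded = abi_decode_string(result) if isinstance(result, str) else None
        findings.append({"ts": rec["ts"], "proc": rec["proc"], "host": rec["host"],
                         "contract": contract, "decoded_result": decoded})
    return findings


def _rpc(method, params, result, rpc_id=1):
    """Build a matching JSON-RPC request/response pair for the sample log."""
    return (json.dumps({"jsonrpc": "2.0", "id": rpc_id, "method": method, "params": params}),
            json.dumps({"jsonrpc": "2.0", "id": rpc_id, "result": result}))


def sample_log() -> List[str]:
    """Three constructed proxy records: a benign wallet query, an eth_call from
    an unexpected process (the contract answers with the C2 string), and
    unrelated browsing. The selector 0xdeadbeef is a placeholder."""
    req1, resp1 = _rpc("eth_blockNumber", [], "0x1")
    req2, resp2 = _rpc("eth_call", [{"to": CONSTRUCTED_CONTRACT, "data": "0xdeadbeef"}, "latest"],
                       abi_encode_string(CONSTRUCTED_C2), rpc_id=7)
    return [
        json.dumps({"ts": "2026-03-12T09:14:02Z", "proc": "wallet-app.exe",
                    "host": "rpc.gateway.example", "req": req1, "resp": resp1}),
        json.dumps({"ts": "2026-03-12T09:14:05Z", "proc": "msiexec.exe",
                    "host": "rpc.gateway.example", "req": req2, "resp": resp2}),
        json.dumps({"ts": "2026-03-12T09:14:09Z", "proc": "chrome.exe",
                    "host": "www.example.com", "req": "", "resp": ""}),
    ]


if __name__ == "__main__":
    for finding in triage_proxy_log(sample_log(), APPROVED_RPC_CLIENTS):
        print(json.dumps(finding))
```

The detector keys on the JSON-RPC method rather than on gateway hostnames, because the set of public gateways changes and blocking them wholesale breaks legitimate wallet and developer tooling; the decoded string is what feeds the blocklist, and because the operators can rotate it on-chain at any time the lookup is worth re-running against fresh captures rather than treating one decoded value as permanent.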