The EtherRAT campaign exploits search engine rankings and trust in GitHub to deliver a remote access trojan to system administrators through fake installer downloads.
Attack Method and SEO Poisoning
The EtherRAT campaign uses SEO poisoning to trick enterprise system administrators into downloading malware. Attackers stand up fake download sites and push them into the top search results for commonly used admin tools such as PuTTY, WinSCP, and Notepad++. An admin who searches for one of these tools lands on a convincing lookalike page and is served a trojanized installer instead of the genuine software.
GitHub Abuse and Payload Delivery
Once a victim runs the fake installer, it retrieves the actual payload, EtherRAT, from an attacker-controlled GitHub repository. The RAT gives the attacker full control of the compromised machine: credential theft, lateral movement within the network, and exfiltration of sensitive data. Staging the payload on GitHub helps the campaign slip past security tools and proxies that implicitly trust or allow-list GitHub domains.
Impact and Defense Recommendations
Enterprise IT teams are the primary targets because their accounts carry elevated privileges on critical systems; a single compromised admin workstation can lead to a full network takeover. Defenders should obtain software only from official vendor sources and verify published hashes or signatures where the vendor provides them, filter typosquatted and lookalike domains at the proxy, and monitor for unusual GitHub repository interactions, in particular outbound fetches from GitHub shortly after an installer runs. No CVEs have been assigned, which is expected: the campaign relies on social engineering rather than a software vulnerability.
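To make the monitoring recommendation concrete, here is an added example (editor's code, not from the article or from Cyber Security News) that runs two checks over constructed proxy-log lines: installer downloads for the named tools from hosts that are not on an assumed allow list (tagged as lookalike or typosquat), and a GitHub fetch from the same client within ten minutes of such a download, which is the staging pattern the article describes. The hostnames, client IPs, log format, and the official-host allow list are all assumptions; an organisation should maintain its own list from vendor documentation.

```python
"""Detection logic for the EtherRAT delivery chain, run over constructed
proxy log lines. Added example, not code from the article."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Illustrative allow list of official download hosts per tool (assumption:
# verify and maintain your own from the vendors' documentation).
OFFICIAL_HOSTS = {
    "putty": {"www.chiark.greenend.org.uk", "the.earth.li"},
    "winscp": {"winscp.net"},
    "notepad++": {"notepad-plus-plus.org"},
}
# Substring that identifies each tool in a filename or hostname.
TOOL_PATTERNS = {"putty": "putty", "winscp": "winscp", "notepad++": "notepad"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
INSTALLER_EXT = (".exe", ".msi", ".zip")
FOLLOW_WINDOW = timedelta(minutes=10)

# Constructed proxy log: ISO timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2024-05-01T09:58:10Z 10.0.0.5 https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
2024-05-01T09:58:12Z 10.0.0.5 https://the.earth.li/~sgtatham/putty/latest/w64/putty-64bit-0.81-installer.msi
2024-05-01T10:03:40Z 10.0.0.9 https://putty-download.example/putty-installer.exe
2024-05-01T10:04:05Z 10.0.0.9 https://raw.githubusercontent.com/someuser/repo/main/update.bin
2024-05-01T10:20:00Z 10.0.0.9 https://notepad-plus-plus.org/downloads/v8.6/
2024-05-01T10:31:00Z 10.0.0.7 https://wlnscp.net/WinSCP-6.3-Setup.exe
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss domains such as wlnscp.net."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tool_for(name: str):
    """Return the tool a filename refers to, or None."""
    n = name.lower()
    for tool, pattern in TOOL_PATTERNS.items():
        if pattern in n:
            return tool
    return None


def classify_host(host: str, tool: str) -> str:
    """official / lookalike (tool name embedded) / typosquat (edit distance <= 2) / unofficial."""
    if host in OFFICIAL_HOSTS[tool]:
        return "official"
    if TOOL_PATTERNS[tool] in host:
        return "lookalike"
    if any(levenshtein(host, official) <= 2 for official in OFFICIAL_HOSTS[tool]):
        return "typosquat"
    return "unofficial"


def parse(line: str):
    ts, src, url = line.split(maxsplit=2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, urlparse(url)


def analyze(log_text: str) -> list:
    """Return alerts for suspect installer downloads and GitHub follow-on fetches."""
    alerts = []
    suspect = {}  # client IP -> (time, host) of its last suspect installer download
    for line in log_text.strip().splitlines():
        ts, src, u = parse(line)
        host = u.hostname or ""
        fname = u.path.rsplit("/", 1)[-1].lower()
        if fname.endswith(INSTALLER_EXT):
            tool = tool_for(fname)
            if tool:
                kind = classify_host(host, tool)
                if kind != "official":
                    alerts.append({"rule": f"installer_from_{kind}_host",
                                   "src": src, "host": host, "tool": tool})
                    suspect[src] = (ts, host)
                    continue
        # Rule B: a GitHub fetch from a client that just pulled a suspect installer.
        if host in GITHUB_HOSTS and src in suspect:
            t0, installer_host = suspect[src]
            if ts - t0 <= FOLLOW_WINDOW:
                alerts.append({"rule": "github_fetch_after_suspect_installer",
                               "src": src, "host": host,
                               "installer_host": installer_host})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The GitHub follow-on rule is deliberately narrow: it only fires after an installer from a non-official host, because developers fetch from GitHub all day and alerting on every such request would drown the signal. Tune FOLLOW_WINDOW and the allow list to your environment.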
Source: Cyber Security News

