Attackers exploit trusted search results and fake GitHub pages to deliver a remote access trojan specifically targeting enterprise system administrators.
Hijacked Search Results and Fake Repositories
Attackers are running a new campaign that poisons search engine results to lure enterprise system administrators to malicious websites. The technique, known as SEO poisoning, manipulates search rankings so that fake software download pages appear at the top of Google results. When an admin searches for popular enterprise tools, they may click on a sponsored or highly ranked link that leads to a counterfeit GitHub repository. These repositories are carefully designed to look identical to legitimate project pages, complete with realistic code snippets and documentation.
Payload Delivery and Initial Access
Once a victim lands on the fake repository, they are prompted to download what appears to be a standard installer or code archive. The downloaded file actually contains a remote access trojan named EtherRAT. This malware establishes a persistent backdoor on the compromised system, giving attackers full control over the endpoint. From there, the intruder can move laterally across the network, steal credentials, and deploy additional payloads. The campaign specifically targets enterprise environments by focusing on tools that system administrators commonly use, increasing the likelihood of a high-value compromise.
Impact and Mitigation
Organizations should verify the authenticity of any software download links, even those appearing in legitimate search results. Administrators are advised to bookmark official project pages and use checksum verification before running any downloaded binaries. Security teams can detect EtherRAT through its unique network communication patterns and process injection behaviors. While no specific CVEs are assigned to this campaign, the technique exploits user trust in search engine results and open source code repositories. Enterprise security awareness training should now include scenarios involving fake GitHub pages and SEO-poisoned links.
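The checksum verification step recommended above, as an added example that is not part of the article: a small POSIX shell helper that refuses to execute a downloaded installer unless its SHA-256 matches the digest published on the project's official (bookmarked) release page. The expected digest is assumed to be copied from that official page, never from the search result or the repository that served the download.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded binary on a SHA-256 check
# against a digest taken from the project's official release page.

# sha256_of FILE -> prints the hex digest, using whichever tool is present
# (sha256sum on most Linux systems, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX -> returns 0 if the digests match,
# 1 otherwise. The comparison is case-insensitive so a digest copied from a
# web page in uppercase hex still matches.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file (do not run it)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_then_run FILE EXPECTED_HEX [ARGS...] -> executes FILE only after
# verify_checksum succeeds; a mismatch means the download is not what the
# official page published, so it is never executed.
verify_then_run() {
    file=$1
    expected=$2
    shift 2
    verify_checksum "$file" "$expected" || return 1
    "$file" "$@"
}
```

Usage: `verify_then_run ./installer.run <digest from the official release page>`; the expected digest must come from the bookmarked project page, not from the page that served the file.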
Source: Cyber Security News

