EtherRAT Spoofs Admin Tools via GitHub in Supply Chain Attack
In March 2026, the Atos Threat Research Center (TRC) uncovered a highly resilient malicious operation that distributes a remote‑access trojan called EtherRAT. The campaign abuses GitHub repositories as facades, publishing seemingly legitimate administrative tools that are in fact trojanized. By targeting high‑privilege professional accounts, the adversaries aim to gain persistent access to corporate environments and exfiltrate sensitive data.
The attack chain begins with the creation of repositories that mimic well‑known system‑administration utilities. These repositories contain modified executables and libraries that load a covert payload when launched. The malicious code leverages advanced obfuscation and employs legitimate code‑signing certificates harvested from compromised build pipelines, making detection by traditional antivirus solutions difficult. Communication with the attacker’s command‑and‑control (C2) servers is performed over encrypted channels, often using domain‑fronting techniques to blend with normal HTTPS traffic.
Organizations that integrate third‑party scripts or binaries into their CI/CD processes are particularly exposed. The TRC analysts observed that the trojanized tools can silently install additional modules, such as credential harvesters and lateral‑movement tools, facilitating rapid escalation within the target network. The campaign’s design demonstrates a deep understanding of supply‑chain trust models, exploiting the common practice of downloading and executing administrative scripts without thorough verification.
Security teams are advised to enforce strict provenance checks for all open‑source components, implement code‑signing verification, and monitor for unexpected DLL loading or network behavior. Deploying endpoint detection and response (EDR) solutions with behavioral analytics can help identify the subtle indicators of compromise (IoCs) associated with EtherRAT. Additionally, maintaining an up‑to‑date inventory of third‑party dependencies and isolating high‑privilege accounts under least‑privilege principles will reduce the risk of a successful intrusion.
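Two of the controls recommended above, worked through as an added example (this is illustrative code written for this page, not Atos TRC tooling): a pinned‑hash provenance check that a CI/CD job can run before executing a downloaded administrative binary, and a triage pass over image‑load telemetry that flags DLLs loaded from user‑writable paths or signed by a signer outside an allowlist. Every hash, path, signer name and log record is constructed for the example; the event fields follow the Sysmon Event ID 7 (Image loaded) layout but the records are not real IoCs.

```python
"""Provenance check (pinned SHA-256 manifest) and image-load triage.
Added example for the EtherRAT write-up; all sample data is constructed."""

import hashlib
import hmac
from typing import Dict, Iterable, List

# --- (1) Provenance check: pinned manifest ---------------------------------

# Constructed byte strings standing in for downloaded binaries.
GOOD_ARTIFACT = b"MZ\x90\x00 constructed known-good admin tool build 1.2.3\n"
TAMPERED_ARTIFACT = b"MZ\x90\x00 constructed build with an extra covert loader\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A team would commit this manifest beside its pipeline definitions:
# artifact name -> SHA-256 recorded when the release was reviewed.
# Here it is derived from GOOD_ARTIFACT so the example runs offline.
PINNED_MANIFEST: Dict[str, str] = {
    "admintool.exe": sha256_hex(GOOD_ARTIFACT),
}


def verify_pinned(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """True only if `name` is pinned and its hash matches.
    Unknown artifacts fail closed: a new 'helper' binary or a renamed
    repository is not trusted just because it downloaded successfully."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(data))


# --- (2) Image-load triage --------------------------------------------------

# Directory prefixes an ordinary user can write to (constructed list); an
# administrative tool loading a DLL from here deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES)


def triage_image_loads(events: Iterable[Dict[str, str]],
                       trusted_signers: Iterable[str]) -> List[Dict[str, str]]:
    """Return the events that need analyst attention, each with a 'reason'.
    Fields mirror Sysmon Event ID 7: Image (loading process), ImageLoaded
    (DLL), Signed, Signature (signer name), SignatureStatus."""
    trusted = {s.lower() for s in trusted_signers}
    flagged: List[Dict[str, str]] = []
    for ev in events:
        reasons = []
        if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned-or-invalid-signature")
        elif ev.get("Signature", "").lower() not in trusted:
            # A valid signature from an unexpected signer is what a harvested
            # code-signing certificate looks like in telemetry.
            reasons.append("signer-not-in-allowlist")
        if is_user_writable(ev.get("ImageLoaded", "")):
            reasons.append("dll-from-user-writable-path")
        if reasons:
            flagged.append({**ev, "reason": ",".join(reasons)})
    return flagged


# Constructed telemetry: a normal system DLL load, a DLL sideloaded from a
# Downloads folder with a valid but unexpected signer, and an unsigned DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\AdminTool\admintool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\Downloads\admintool\admintool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\admintool\helper.dll",
     "Signed": "true", "Signature": "Example Build Corp", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\AdminTool\admintool.exe",
     "ImageLoaded": r"C:\ProgramData\cache\netutil.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

TRUSTED_SIGNERS = ["Microsoft Windows", "Example Vendor Inc"]

if __name__ == "__main__":
    print("known-good:", verify_pinned("admintool.exe", GOOD_ARTIFACT, PINNED_MANIFEST))
    print("tampered:  ", verify_pinned("admintool.exe", TAMPERED_ARTIFACT, PINNED_MANIFEST))
    for ev in triage_image_loads(SAMPLE_EVENTS, TRUSTED_SIGNERS):
        print(ev["reason"], "<-", ev["ImageLoaded"])
```

The manifest check deliberately fails closed on names it does not know, which is what stops a trojanized repository from smuggling in an extra binary under a fresh filename. The triage logic treats a valid signature as necessary but not sufficient: the signer must also be one the organization expects, because the campaign described above relies on certificates harvested from compromised build pipelines.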