Atos Threat Research Center discovered a sophisticated malware campaign in March 2026 targeting enterprise administrators, DevOps engineers, and security analysts. The operation, dubbed EtherRAT, distributes malware by impersonating legitimate administrative tools on GitHub.

Threat actors created fake GitHub repositories designed to mimic popular system administration utilities. When security professionals search for these tools online, the spoofed repositories rank high in search results through SEO manipulation techniques. Engineers downloading what they believe is genuine administrative software actually receive EtherRAT, a remote access trojan.

The attack specifically targets high-privilege accounts. Administrators and DevOps engineers typically run these tools with elevated system permissions, giving EtherRAT immediate access to critical infrastructure once installed. This grants attackers the ability to move laterally across enterprise networks, access sensitive data, and establish persistent backdoors.

The campaign demonstrates a shift in targeting strategy. Rather than broad commodity malware distribution, this operation focuses on precision attacks against specific professional roles responsible for infrastructure security. Security analysts face particular risk because they may lower their guard when downloading tools they expect to be legitimate security products.

GitHub's popularity and perceived trustworthiness work in the attackers' favor. Organizations often permit GitHub access as a legitimate development resource, allowing malicious repositories to bypass network security controls. The SEO component ensures victims find these fake tools organically rather than through suspicious links.

The campaign's resilience indicates that the operation uses multiple distribution channels and domain registrations, and likely rotates infrastructure to remain reachable despite takedown efforts. This suggests a well-resourced threat group rather than opportunistic attackers.

Organizations should implement code signing verification for downloaded administrative tools, restrict GitHub access to approved repositories, and require security review before deployment of new utilities in privileged environments. Security teams monitoring for EtherRAT should flag suspicious GitHub repository names closely resembling
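One defensive check for the monitoring described above: a lookalike-repository detector that scores candidate GitHub repository names against an approved allowlist and flags near-misses for review. This is an added example, not code from Atos or from the campaign analysis; the allowlist entries, the confusable-character table and the distance threshold are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed allowlist of approved "owner/repo" entries (placeholders, not real tools).
APPROVED_REPOS = {
    "example-org/sysadmin-toolkit",
    "example-org/devops-cli",
    "example-org/log-analyzer",
}

# Characters commonly swapped for visually similar ones in lookalike names (assumed set).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "_": "-", ".": "-"})

def normalize(name: str) -> str:
    """Lower-case, fold confusable characters and collapse repeated dashes."""
    return re.sub(r"-+", "-", name.lower().translate(_CONFUSABLES))

def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Verdict:
    repo: str
    status: str  # "approved", "lookalike" or "unrelated"
    closest: str
    distance: int

def classify(repo: str, max_distance: int = 2) -> Verdict:
    """Approve exact allowlist hits; flag near-misses on the repo name as lookalikes."""
    if repo in APPROVED_REPOS:
        return Verdict(repo, "approved", repo, 0)
    # Compare only the name after "owner/": the same name under a different owner
    # is the typical impersonation pattern and scores distance 0 here.
    norm = normalize(repo.rpartition("/")[2])
    scored = {ok: levenshtein(norm, normalize(ok.rpartition("/")[2])) for ok in APPROVED_REPOS}
    closest = min(scored, key=scored.get)
    status = "lookalike" if scored[closest] <= max_distance else "unrelated"
    return Verdict(repo, status, closest, scored[closest])
```

Feed it the repository names that appear in proxy logs or package-download telemetry; anything classified as "lookalike" is a candidate for blocking and analyst review rather than an automatic verdict.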