News: A new malware campaign, 'Administrative Utility Spoofing,' targets enterprise administrators by impersonating legitimate administrative tools (PsExec, Sysmon, etc.) and distributing malware via a dual-stage GitHub architecture. The campaign utilizes SEO poisoning to direct users to malicious repositories disguised as legitimate software download sites. Once executed, the malware (EtherRAT) uses Ethereum smart contracts to dynamically resolve its command-and-control (C2) server address, making traditional takedown methods ineffective. The campaign has been ongoing since December 2025 and has deployed 44 GitHub facades. It is linked to both the Lazarus Group and MuddyWater APT groups.
AI Analysis: This campaign represents a significant escalation in malware resilience and sophistication. The use of blockchain-based C2 infrastructure and a dynamic GitHub distribution network makes it exceptionally difficult to disrupt, posing a serious threat to organizations with high-privilege IT personnel.
