EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades
TLP: WHITE | Adversary: Lazarus | Author: PetrP.73 | Created: 2026-05-08 | Modified: 2026-05-08
132 IOCs
In March 2026, the Atos Threat Research Center discovered a sophisticated campaign that specifically targets high-privilege IT personnel such as enterprise administrators and security analysts. The attackers distribute the malware through a dual-layered GitHub repository scheme: Search Engine Optimization (SEO) poisoning pushes a benign-looking, SEO-optimized facade repository to the top of search results for administrative utilities, and that facade directs victims to malicious MSI installers masquerading as the legitimate tools. Because the malicious code is kept on secondary repositories while the primary facade remains benign, the campaign is resilient to takedown efforts.
Indicators of Compromise (132)
TYPE INDICATOR DESCRIPTION CREATED
IPv4 135.125.255.55 CC=EE ASN=AS16276 ovh sas 2026-05-08
URL http://rpc.flashbots.net/fast 2026-05-08
hostname eth-mainnet.public.blastapi.io 2026-05-08
hostname eth.drpc.org 2026-05-08
hostname eth.llamarpc.com 2026-05-08
hostname eth.merkle.io 2026-05-08
hostname ethereum-rpc.publicnode.com 2026-05-08
hostname mainnet.gateway.tenderly.co 2026-05-08
hostname rpc.flashbots.net 2026-05-08
hostname rpc.mevblocker.io 2026-05-08
hostname rpc.payload.de 2026-05-08
IPv4 173.249.8.102 CC=DE ASN=AS51167 contabo gmbh 2026-05-08
IPv4 193.233.126.94 CC=RU ASN=ASNone 2026-05-08
IPv4 91.215.85.42 CC=RU ASN=AS34665 petersburg internet network ltd. 2026-05-08
IPv4 91.221.190.12 CC=UA ASN=AS50643 pp lurenet 2026-05-08
URL http://135.125.255.55 2026-05-08
URL http://173.249.8.102 2026-05-08
URL http://173.249.8.102/ 2026-05-08
URL http://193.233.126.94 2026-05-08
URL http://91.215.85.42:3000 2026-05-08
URL http://91.221.190.12 2026-05-08
URL http://jariosos.com/ 2026-05-08
URL https://9jaarenaxtra.com 2026-05-08
URL https://aabstone.com 2026-05-08
URL https://ahdaratlegalservices.com 2026-05-08
URL https://ameenafshin.com 2026-05-08
URL https://api-gateway-prod.com 2026-05-08
URL https://api-gateway-softupdate.io 2026-05-08
URL https://apparatus-contributions-understood-accommodation.trycloudflare.com 2026-05-08
URL https://appstartlabs.com 2026-05-08
URL https://aurineuroth.com 2026-05-08
URL https://bdstop.net 2026-05-08
URL https://bermanlawrsk.com 2026-05-08
URL https://cerumo.shop 2026-05-08
URL https://chjunhao.com 2026-05-08
URL https://dealing-economics-enrollment-firms.trycloudflare.com 2026-05-08
URL https://depot-reunion-listings-targets.trycloudflare.com 2026-05-08
URL https://dreambigworkharddomore.com 2026-05-08
URL https://egyptinfo.shop 2026-05-08
URL https://euclidrent.com 2026-05-08
URL https://extended-king-tone-polar.trycloudflare.com 2026-05-08
URL https://fastgamesltd.club 2026-05-08
URL https://fluxnet.life 2026-05-08
URL https://gateway001kir.com 2026-05-08
URL https://grabify.link/SEFKGU 2026-05-08
URL https://grabify.link/SEFKGU?dry87932wydes/fdsgdsfdsjfkl 2026-05-08
URL https://hayesmed.com 2026-05-08
URL https://imported-spread-amplifier-chemicals.trycloudflare.com 2026-05-08
URL https://jariosos.com 2026-05-08
URL https://johnguava.com 2026-05-08
URL https://justtalken.com 2026-05-08
URL https://lepaniermagic.com 2026-05-08
URL https://logevents.club 2026-05-08
URL https://luminer.work 2026-05-08
URL https://mastluner.club 2026-05-08
URL https://mbml-writer-info.info 2026-05-08
URL https://mebeliotmasiv.com 2026-05-08
URL https://microsoft-tools.com 2026-05-08
URL https://millersteel.digital 2026-05-08
URL https://mmdis-worls.com 2026-05-08
URL https://mymexico.social 2026-05-08
URL https://mymexico.social/ 2026-05-08
URL https://o-parana.com 2026-05-08
URL https://okhash.org 2026-05-08
URL https://palshona.com 2026-05-08
URL https://permission-resident-lots-ebooks.trycloudflare.com 2026-05-08
URL https://peterson-assets-visible-secrets.trycloudflare.com 2026-05-08
URL https://regancontrols.com 2026-05-08
URL https://salinasrent.com 2026-05-08
URL https://sistemablackatz.com 2026-05-08
URL https://sjrhs.org 2026-05-08
URL https://solidactivate.com 2026-05-08
URL https://sslgateway001.com 2026-05-08
URL https://terminal-labels-fan-witness.trycloudflare.com 2026-05-08
URL https://tokio-sallys.net 2026-05-08
URL https://twicegrand.com 2026-05-08
URL https://waygatterol002.com 2026-05-08
URL https://wpuadmin.shop 2026-05-08
domain 9jaarenaxtra.com 2026-05-08
domain aabstone.com 2026-05-08
domain ahdaratlegalservices.com 2026-05-08
domain ameenafshin.com 2026-05-08
domain api-gateway-prod.com 2026-05-08
domain api-gateway-softupdate.io 2026-05-08
domain appstartlabs.com 2026-05-08
domain aurineuroth.com 2026-05-08
domain bdstop.net 2026-05-08
domain bermanlawrsk.com 2026-05-08
domain cerumo.shop 2026-05-08
domain chjunhao.com 2026-05-08
domain dreambigworkharddomore.com 2026-05-08
domain egyptinfo.shop 2026-05-08
domain euclidrent.com 2026-05-08
domain fastgamesltd.club 2026-05-08
domain fluxnet.life 2026-05-08
domain gateway001kir.com 2026-05-08
domain grabify.link 2026-05-08
domain hayesmed.com 2026-05-08
domain jariosos.com 2026-05-08
domain johnguava.com 2026-05-08
domain justtalken.com 2026-05-08
domain lepaniermagic.com 2026-05-08
domain logevents.club 2026-05-08
domain luminer.work 2026-05-08
domain mastluner.club 2026-05-08
domain mbml-writer-info.info 2026-05-08
domain mebeliotmasiv.com 2026-05-08
domain microsoft-tools.com 2026-05-08
domain millersteel.digital 2026-05-08
domain mmdis-worls.com 2026-05-08
domain mymexico.social 2026-05-08
domain o-parana.com 2026-05-08
domain okhash.org 2026-05-08
domain palshona.com 2026-05-08
domain regancontrols.com 2026-05-08
domain salinasrent.com 2026-05-08
domain sistemablackatz.com 2026-05-08
domain sjrhs.org 2026-05-08
domain solidactivate.com 2026-05-08
domain sslgateway001.com 2026-05-08
domain tokio-sallys.net 2026-05-08
domain twicegrand.com 2026-05-08
domain waygatterol002.com 2026-05-08
domain wpuadmin.shop 2026-05-08
hostname apparatus-contributions-understood-accommodation.trycloudflare.com 2026-05-08
hostname dealing-economics-enrollment-firms.trycloudflare.com 2026-05-08
hostname depot-reunion-listings-targets.trycloudflare.com 2026-05-08
hostname extended-king-tone-polar.trycloudflare.com 2026-05-08
hostname imported-spread-amplifier-chemicals.trycloudflare.com 2026-05-08
hostname permission-resident-lots-ebooks.trycloudflare.com 2026-05-08
hostname peterson-assets-visible-secrets.trycloudflare.com 2026-05-08
hostname terminal-labels-fan-witness.trycloudflare.com 2026-05-08