Sophisticated Campaign Targets IT Admins with Dual-Stage GitHub and Blockchain C2
A highly resilient malicious campaign targeting enterprise administrators, DevOps engineers, and security analysts has been uncovered. The operation employs SEO poisoning, a dual-stage GitHub distribution architecture, and decentralized blockchain-based command-and-control (C2) resolving for persistence and evasion.

## Intro
The **Atos** Threat Research Center (TRC) identified a sophisticated malicious campaign in March 2026. This operation targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities. By combining **Search Engine Optimization (SEO) poisoning**, a **dual-stage GitHub distribution architecture**, and **decentralized blockchain-based command-and-control (C2) resolving**, the threat actors have built a highly resilient delivery and persistence mechanism.
### Creative Distribution via GitHub Facades
The campaign utilizes a multi-layered delivery chain designed to evade platform-level takedowns and maintain a high search engine ranking. The attack begins with **SEO poisoning** on various search engines, including **Bing**, **Yahoo**, **DuckDuckGo**, and **Yandex**. This ensures malicious results for niche IT terms rank at the top of search results. Users are initially directed to a **primary "facade" GitHub repository**. These repositories are optimized for SEO but contain no malicious code - just a professional-looking README file.
To maintain operational flexibility, the README contains a link directing a victim to a **second, hidden GitHub repository**. This serves as the true distribution point for the malware. By separating the SEO-optimized "storefront" from the payload delivery account, the threat actors can rapidly rotate their distribution repositories if flagged, while the primary search-indexed facade remains active and untouched.
### Strategic Tool Impersonation and Victim Profiling
The campaign is characterized by its focus on the **administrative stack**. By distributing malicious MSI installers disguised as tools like **PsExec**, **AzCopy**, **Sysmon**, **LAPS**, and **Kusto Explorer**, the adversary performs automated victim profiling. These utilities are almost exclusively used by personnel with elevated network and system permissions. A successful infection on an administrator's workstation may provide the "keys to the kingdom," which can facilitate lateral movement inside the enterprise environment.
### Decentralized Command and Control via Ethereum
The most technically significant aspect of the campaign is its implementation of **Blockchain-based Dead Drop Resolving (DDR)**. Once the malicious MSI is executed, the malware does not reach out to a hardcoded domain or IP address, which could be easily blocklisted. Instead, the malware repeatedly queries a public **Ethereum (ETH) RPC endpoint**.
The malware is hardcoded with a specific **Smart Contract address** on the Ethereum blockchain. By querying this contract, the malware dynamically retrieves the live C2 server address. This technique provides the adversary with extreme resilience:
* **Infrastructure agility:** The attacker can rotate C2 servers globally simply by updating the value stored in the blockchain contract.
* **Robustness:** As long as public Ethereum gateways are accessible, the malware can always find its "home," making traditional domain takedown or blockage efforts ineffective.
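As an added illustration (not part of the Atos research or of the malware's code) of how a defender can spot this resolution step in proxy or EDR telemetry: the script flags `eth_call` JSON-RPC requests issued by processes that have no business talking to a chain gateway and decodes the value the contract returned, so it can be triaged as an IoC. It assumes the contract hands back an ABI-encoded `string`; the gateway host, contract address, function selector and returned value are all constructed.

```python
import json
import re

# Decode a dynamic `string` return value as ABI-encoded: a 32-byte offset word, a 32-byte
# length word, then the bytes padded to 32. That the contract returns a plain string is an assumption.
def abi_decode_string(result_hex):
    try:
        raw = bytes.fromhex(result_hex.removeprefix("0x"))
        offset = int.from_bytes(raw[:32], "big")
        length = int.from_bytes(raw[offset:offset + 32], "big")
        data = raw[offset + 32:offset + 32 + length]
        return data.decode("utf-8") if len(raw) >= 64 and offset + 32 <= len(raw) and len(data) == length else None
    except (ValueError, UnicodeDecodeError):
        return None

# Loose shape of a C2 endpoint: host, optional port, optional path.
C2_LIKE = re.compile(r"^(?:https?://)?[\w.-]+(?::\d{1,5})?(?:/\S*)?$")

# Flag eth_call requests from processes outside an allow-list (wallets, dev tooling) and
# decode what the contract returned; `events` is request/response telemetry per process.
def find_ddr_lookups(events, allowed_processes=frozenset()):
    findings = []
    for ev in events:
        try:
            req, resp = json.loads(ev["request"]), json.loads(ev["response"])
        except (ValueError, KeyError):
            continue
        if req.get("method") != "eth_call" or ev.get("process", "").lower() in allowed_processes:
            continue
        first = (req.get("params") or [{}])[0]
        decoded = abi_decode_string(resp.get("result", ""))
        findings.append({"process": ev.get("process"), "gateway": ev.get("host"),
                         "contract": first.get("to", "") if isinstance(first, dict) else "",
                         "resolved": decoded, "c2_like": bool(decoded and C2_LIKE.match(decoded))})
    return findings

# Constructed sample telemetry; the helper builds the ABI string encoding decoded above.
def abi_encode_string(text):
    data = text.encode()
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + (data + b"\0" * (-len(data) % 32)).hex()

SAMPLE_EVENTS = [  # an installer process resolving a value, and an ordinary browser call
    {"host": "eth-rpc.gateway.example", "process": "msiexec.exe",
     "request": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                            "params": [{"to": "0x" + "ab" * 20, "data": "0x" + "11" * 4}, "latest"]}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("203.0.113.10:8443")})},
    {"host": "eth-rpc.gateway.example", "process": "chrome.exe",
     "request": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
     "response": json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x1234"})},
]
```

Running `find_ddr_lookups(SAMPLE_EVENTS)` yields one finding for `msiexec.exe` with the resolved value `203.0.113.10:8443`; the `eth_blockNumber` call from the browser is ignored.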
## Research analysis
This research provides a comprehensive technical analysis of the current campaign, based on long-term observation and active detonation within a controlled environment. Our research moves beyond initial delivery vectors to examine the sophisticated infrastructure and post-exploitation behaviors.
The following data points represent the core operational mechanics of the campaign, including:
* **Malware Distribution:** breakdown of the dual-stage GitHub repository architecture and the use of SEO poisoning to manipulate search engine results.
* **Administrative Tools Impersonation:** a detailed look at the specific administrative utilities being impersonated to ensure the compromise of high-privilege IT personnel.
* **Malware Logic:** malware analysis of the malicious MSI payloads, including their initial staging and persistent components.
* **Decentralized C2 Infrastructure:** investigation into the malware's use of Ethereum Smart Contracts and public RPC gateways to dynamically resolve live Command and Control (C2) addresses.
*NOTE: During the finalization of the research, we identified a preliminary alert from **KISA** & KrCERT/CC regarding this threat actor's campaign - [LINK](https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71998&menuNo=205020). While their initial report provided early visibility, our longitudinal investigation confirms the campaign remains highly active and has undergone significant technical maturation.*
*Our investigation further confirms that the malware is evolving, with several distinct variants and additional C2 infrastructure identified since the campaign's inception.*
### Malware Distribution
The visualization below shows the dual-stage distribution chain, in which the SEO-optimized facade repository redirects unsuspecting users to a secondary GitHub account hosting the malicious MSI. This modular architecture allows the threat actors to preserve their search engine rankings even if the individual payload delivery accounts are taken down.

The intrusion lifecycle begins with a search query via Bing (also Yahoo, DuckDuckGo, Yandex) for specialized IT administrative utilities. Through aggressive SEO poisoning, the threat actors ensure that the facade GitHub repository appears prominently among the top search results. In this instance, a user seeking Kusto Explorer (a critical tool for engineers and analysts querying Azure Data Explorer via KQL) is led toward a non-malicious storefront designed to build initial trust.
[Screenshot: Bing search for "kusto explorer"]
[Screenshot: Bing search for "kusto explorer download"]
The first repository the user opens is a storefront that impersonates the targeted administrative tool. This facade repo is intentionally clean of malware, acting only as a gateway to the second, malicious stage of the delivery process. Because it hosts no payload, it is unlikely to be flagged or taken down, and so it maintains a high search engine ranking.
[Screenshot: First GitHub repo, used only as a facade]