Healthcare Under Siege: SEO Poisoning Campaign Targets Hospital IT Staff with Fake Medical Software Repos

By MRAdmin

Attackers use SEO poisoned search results to lure hospital IT staff and device engineers to fake GitHub repositories. The EtherRAT trojan gains backdoor access to hospital networks, risking patient data theft, EHR compromise, and medical device tampering. Healthcare CISOs must enforce download verification, checksums, and updated training against counterfeit repos.

Attackers are exploiting search engine results with counterfeit GitHub repositories to deliver the EtherRAT remote access trojan, specifically targeting hospital system administrators and medical device software engineers.

In a new campaign aimed at healthcare organizations, threat actors are using SEO poisoning to place fake software download pages at the top of Google search results. These pages mimic legitimate repositories for tools commonly used in hospital IT environments, such as PACS management utilities, EHR interface libraries, and medical device firmware updaters. When a hospital IT admin or medical device security professional searches for these tools, they may click on a sponsored or highly ranked link leading to a counterfeit GitHub page. The fake repositories are meticulously crafted to include realistic code snippets, documentation, and even fake star counts to appear trustworthy.

Once a victim downloads the file, EtherRAT is installed, establishing a persistent backdoor on the compromised system. From there, attackers can move laterally across the hospital network, access electronic health records (EHRs), steal patient data, or tamper with medical device configurations. For healthcare CISOs, the lateral movement risk is especially concerning because it could allow an attacker to reach surgical robots, infusion pumps, or radiology workstations. The campaign targets enterprise system administrators, but in healthcare the same roles handle both IT infrastructure and connected medical devices, which increases the attack surface.

Organizations should enforce strict verification of all software downloads, even from search results. Hospital IT teams should bookmark official vendor pages and use checksum validation before executing any binaries. Security teams can detect EtherRAT by monitoring for unusual network communication patterns and process injection behaviors. While no specific CVEs are linked to this campaign, similar techniques are tracked under general threat intelligence. Healthcare entities should incorporate fake repository scenarios into security awareness training and update their medical device software procurement policies. The FDA and HHS have issued advisories on supply chain risks for connected devices, making this campaign a direct concern for device security professionals.
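The download-verification step recommended above can be made mechanical rather than a matter of habit. The script below is an added example written for this article; it is not code from the article, from the reporting source, or from any vendor. It gates a downloaded installer on two independent checks: the download must come over HTTPS from an allowlisted origin (an exact host plus a path prefix, so that an official GitHub organisation is accepted while a look-alike organisation or host is not), and the file's SHA-256 must match a hash pinned from the vendor's bookmarked official page rather than from the search result. The origins, file bytes and hashes are constructed placeholders, and the `example-pacs-vendor` and `example-ehr-vendor` names are hypothetical.

```python
"""Download gate: allowlisted origin plus pinned SHA-256.

Added example for illustration only. Every host, organisation name, path and
file content here is constructed; replace them with the origins and hashes
recorded from your own vendors' bookmarked official pages.
"""
import hashlib
import hmac
import posixpath
from typing import Iterable, Tuple
from urllib.parse import urlparse

# Constructed allowlist of (hostname, path prefix). The prefix is what lets
# a specific GitHub organisation through while rejecting a counterfeit one
# hosted on the same, perfectly legitimate, github.com.
ALLOWED_ORIGINS = {
    ("github.com", "/example-pacs-vendor/"),          # hypothetical official org
    ("downloads.example-ehr-vendor.test", "/"),       # hypothetical vendor host
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (lowercase, 64 chars)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def origin_allowed(url: str, allowed: Iterable[Tuple[str, str]] = ALLOWED_ORIGINS) -> bool:
    """True only for HTTPS URLs whose host and (normalised) path match the allowlist.

    Exact host comparison defeats 'github.com.evil.example'; the normalised path
    defeats '/example-pacs-vendor/../other-org/' and '/example-pacs-vendor-mirror/'.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    path = posixpath.normpath(parsed.path or "/")
    return any(host == h and path.startswith(prefix) for h, prefix in allowed)


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the observed digest against the pinned one."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64:
        return False  # not a SHA-256 hex digest; refuse rather than guess
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_download(data: bytes, expected_hex: str, source_url: str,
                    allowed: Iterable[Tuple[str, str]] = ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Return (ok, reason). Both checks must pass before anything is executed."""
    if not origin_allowed(source_url, allowed):
        return False, "origin not allowlisted: " + (urlparse(source_url).hostname or "?")
    if not checksum_matches(data, expected_hex):
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed installer bytes and a hash "pinned" from the official page.
    sample = b"constructed sample installer bytes"
    pinned = sha256_hex(sample)
    official = "https://github.com/example-pacs-vendor/pacs-tool/releases/download/v1/pacs-tool.zip"
    lookalike = "https://github.com/example-pacs-vendor-mirror/pacs-tool/releases/download/v1/pacs-tool.zip"
    print(verify_download(sample, pinned, official))          # (True, 'ok')
    print(verify_download(sample, pinned, lookalike))         # origin rejected
    print(verify_download(sample + b"\x00", pinned, official))  # sha256 mismatch
```

The two checks cover different failure modes: the origin allowlist stops the SEO-poisoned link that points at a clone site or a look-alike organisation, and the pinned hash stops a tampered binary even when it is served from a host that looks right. The pinned value has to be obtained out of band, from the bookmarked official page, or the gate only confirms that the file matches whatever the attacker published alongside it.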

Source: Cyber Security News
