Cybersecurity researchers are calling consideration to a brand new marketing campaign that is leveraging GitHub-hosted Python repositories to distribute a beforehand undocumented JavaScript-based Distant Entry Trojan (RAT) dubbed PyStoreRAT.
“These repositories, usually themed as improvement utilities or OSINT instruments, include only some strains of code accountable for silently downloading a distant HTA file and executing it through ‘mshta.exe,'” Morphisec researcher Yonatan Edri mentioned in a report shared with The Hacker Information.
PyStoreRAT has been described as a “modular, multi-stage” implant that may execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware additionally deploys an data stealer often known as Rhadamanthys as a follow-on payload.
Assault chains contain distributing the malware by means of Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT instruments, DeFi bots, GPT wrappers, and security-themed utilities which might be designed to attraction to analysts and builders.
The earliest indicators of the marketing campaign return to mid-June 2025, with a gentle stream of “repositories” printed since then. The instruments are promoted through social media platforms like YouTube and X, in addition to artificially inflate the repositories’ star and fork metrics – a method paying homage to the Stargazers Ghost Community.
The menace actors behind the marketing campaign leverage both newly created GitHub accounts or those who lay dormant for months to publish the repositories, stealthily slipping the malicious payload within the type of “upkeep” commits in October and November after the instruments started to achieve recognition and landed on GitHub’s prime trending lists.
Actually, most of the instruments didn’t perform as they had been marketed, solely displaying static menus or non-interactive interfaces in some instances, whereas others carried out minimal placeholder operations. The intention behind the operation was to lend them a veneer of legitimacy by abusing GitHub’s inherent belief and deceiving customers into executing the loader stub that is accountable for initiating the an infection chain.
This successfully triggers the execution of a distant HTML Utility (HTA) payload that, in flip, delivers the PyStoreRAT malware, which comes with capabilities to profile the system, examine for administrator privileges, and scan the system for cryptocurrency wallet-related recordsdata, particularly these related to Ledger Dwell, Trezor, Exodus, Atomic, Guarda, and BitBox02.
The loader stub gathers a listing of put in antivirus merchandise and examine strings matching “Falcon” (a reference to CrowdStrike Falcon) or “Purpose” (a reference to Cybereason or ReasonLabs) seemingly in an try to scale back visibility. Within the occasion they’re detected, it launches “mshta.exe” by way of “cmd.exe.” In any other case, it proceeds with direct “mshta.exe” execution.
Persistence is achieved by organising a scheduled process that is disguised as an NVIDIA app self-update. Within the ultimate stage, the malware contacts an exterior server to fetch instructions to be executed on the host. A number of the supported instructions are listed beneath –
Obtain and execute EXE payloads, together with Rhadamanthys
Obtain and extract ZIP archives
Downloads a malicious DLL and executes it utilizing “rundll32.exe”
Fetch uncooked JavaScript code and execute it dynamically in reminiscence utilizing eval()
Obtain and set up MSI packages
Spawn a secondary “mshta.exe” course of to load further distant HTA payloads
Execute PowerShell instructions immediately in reminiscence
Unfold through detachable drives by changing reputable paperwork with malicious Home windows Shortcut (LNK) recordsdata
Delete the scheduled process to take away the forensic path
It is at the moment not recognized who’s behind the operation, however the presence of Russian-language artifacts and coding patterns alludes to a menace actor of seemingly Japanese European origin, Morphisec mentioned.
“PyStoreRAT represents a shift towards modular, script-based implants that may adapt to safety controls and ship a number of payload codecs,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for supply, and Falcon-aware evasion logic creates a stealthy first-stage foothold that conventional EDR options detect solely late within the an infection chain.”
The disclosure comes as Chinese language safety vendor QiAnXin detailed one other new distant entry trojan (RAT) codenamed SetcodeRat that is seemingly being propagated throughout the nation since October 2025 through malvertising lures. A whole bunch of computer systems, together with these belonging to governments and enterprises, are mentioned to have been contaminated in a span of 1 month.
“The malicious set up package deal will first confirm the area of the sufferer,” the QiAnXin Risk Intelligence Heart mentioned. “If it’s not within the Chinese language-speaking space, it is going to robotically exit.”
The malware is disguised as reputable installers for in style applications like Google Chrome and proceeds to the following stage provided that the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), and Taiwan (Zh-TW). It additionally terminates the execution if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click on/now”) is unsuccessful.
Within the subsequent stage, an executable named “pnm2png.exe” is launched to sideload “zlib1.dll,” which then decrypts the contents of a file referred to as “qt.conf” and runs it. The decrypted payload is a DLL that embeds the RAT payload. SetcodeRat can both hook up with Telegram or a standard command-and-control (C2) server to retrieve directions and perform knowledge theft.
It allows the malware to take screenshots, log keystrokes, learn folders, set folders, begin processes, run “cmd.exe,” set socket connections, accumulate system and community connection data, replace itself to a brand new model.
