Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads

By Admin
December 12, 2025

Cybersecurity researchers are calling attention to a new campaign that is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

“These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe,'” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.

PyStoreRAT has been described as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.

The earliest signs of the campaign date back to mid-June 2025, with a steady stream of “repositories” published since then. The tools are promoted via social media platforms like YouTube and X, and the operators also artificially inflate the repositories’ star and fork metrics, a technique reminiscent of the Stargazers Ghost Network.


The threat actors behind the campaign use either newly created GitHub accounts or ones that lay dormant for months to publish the repositories, stealthily slipping the malicious payload in as “maintenance” commits in October and November, after the tools began to gain popularity and landed on GitHub’s top trending lists.

In fact, many of the tools did not function as advertised: some only displayed static menus or non-interactive interfaces, while others performed minimal placeholder operations. The intention behind the operation was to lend them a veneer of legitimacy by abusing GitHub’s inherent trust and deceiving users into executing the loader stub that is responsible for initiating the infection chain.

This effectively triggers the execution of a remote HTML Application (HTA) payload that, in turn, delivers the PyStoreRAT malware, which comes with capabilities to profile the system, check for administrator privileges, and scan the system for cryptocurrency wallet-related files, specifically those associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

The loader stub gathers a list of installed antivirus products and checks for strings matching “Falcon” (a reference to CrowdStrike Falcon) or “Reason” (a reference to Cybereason or ReasonLabs), likely in an attempt to reduce visibility. If either is detected, it launches “mshta.exe” via “cmd.exe.” Otherwise, it proceeds with direct “mshta.exe” execution.

Persistence is achieved by setting up a scheduled task that is disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to be executed on the host. Some of the supported commands are listed below:

  • Download and execute EXE payloads, including Rhadamanthys
  • Download and extract ZIP archives
  • Download a malicious DLL and execute it using “rundll32.exe”
  • Fetch raw JavaScript code and execute it dynamically in memory using eval()
  • Download and install MSI packages
  • Spawn a secondary “mshta.exe” process to load additional remote HTA payloads
  • Execute PowerShell commands directly in memory
  • Spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files
  • Delete the scheduled task to remove the forensic trail

It is currently not known who is behind the operation, but the presence of Russian-language artifacts and coding patterns points to a threat actor of likely Eastern European origin, Morphisec said.

“PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.”
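The loader and persistence behaviour described above (mshta.exe pulling a remote HTA, launched directly or through cmd.exe from a script host, plus an NVIDIA-themed scheduled task) maps onto two simple detection checks over process-creation and task-creation telemetry. This is an added illustration, not Morphisec's code; the event shapes, the assumed script-host names for the JavaScript stubs, and the sample events with their placeholder URL are constructed.

```python
import re
from dataclasses import dataclass

# Script hosts the loader stubs run under: python.exe for the Python stubs,
# node.exe/wscript.exe assumed here for the JavaScript variants
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe", "cscript.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
NVIDIA_LURE = re.compile(r"nvidia", re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str            # image name of the created process
    cmdline: str          # its command line
    ancestors: tuple = () # parent, grandparent, ... as image names

@dataclass
class TaskEvent:
    name: str             # scheduled task name
    action: str           # command the task executes

def flag_mshta_launch(ev: ProcEvent) -> bool:
    """mshta.exe loading a remote HTA with a script host within two hops up
    the tree: covers both the direct launch and the cmd.exe -> mshta.exe hop
    the loader takes when a Falcon/Reason product is present."""
    if ev.image.lower() != "mshta.exe" or not REMOTE_URL.search(ev.cmdline):
        return False
    return any(a.lower() in SCRIPT_HOSTS for a in ev.ancestors[:2])

def flag_fake_updater_task(ev: TaskEvent) -> bool:
    """NVIDIA-themed task name whose action runs mshta.exe or a remote URL."""
    act = ev.action.lower()
    return bool(NVIDIA_LURE.search(ev.name)) and ("mshta" in act or bool(REMOTE_URL.search(act)))

# Constructed sample telemetry; the URL is a placeholder, not a real indicator
SAMPLE_PROCS = [
    ProcEvent("mshta.exe", "mshta.exe https://example.invalid/u.hta", ("python.exe", "explorer.exe")),
    ProcEvent("mshta.exe", "mshta.exe https://example.invalid/u.hta", ("cmd.exe", "python.exe")),
    ProcEvent("mshta.exe", r"mshta.exe C:\Windows\Installer\setup.hta", ("msiexec.exe",)),
]
SAMPLE_TASKS = [
    TaskEvent("NVIDIA App SelfUpdate", "mshta.exe https://example.invalid/p.hta"),
    TaskEvent("NVIDIA App SelfUpdate", r"C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe"),
]

def run_detections(procs=SAMPLE_PROCS, tasks=SAMPLE_TASKS):
    """Return (suspicious process events, suspicious task events)."""
    return ([e for e in procs if flag_mshta_launch(e)],
            [e for e in tasks if flag_fake_updater_task(e)])
```

The msiexec-spawned local HTA and the genuine NVIDIA updater task are left unflagged, so the rules key on the combination of lure and behaviour rather than on mshta.exe or the task name alone.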


The disclosure comes as Chinese security vendor QiAnXin detailed another new remote access trojan (RAT) codenamed SetcodeRat that has likely been propagated across the country since October 2025 via malvertising lures. Hundreds of computers, including those belonging to governments and enterprises, are said to have been infected in the span of one month.

“The malicious installation package will first verify the region of the victim,” the QiAnXin Threat Intelligence Center said. “If it isn’t in the Chinese-speaking area, it will automatically exit.”

The malware is disguised as legitimate installers for popular programs like Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), or Taiwan (Zh-TW). It also terminates execution if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”) is unsuccessful.

In the next stage, an executable named “pnm2png.exe” is launched to sideload “zlib1.dll,” which then decrypts the contents of a file called “qt.conf” and runs it. The decrypted payload is a DLL that embeds the RAT payload. SetcodeRat can connect either to Telegram or to a conventional command-and-control (C2) server to retrieve instructions and carry out data theft.

This enables the malware to take screenshots, log keystrokes, read folders, set folders, start processes, run “cmd.exe,” set up socket connections, collect system and network connection information, and update itself to a new version.

© 2025 https://blog.aimactgrow.com/ - All Rights Reserved