Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads
"Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. "These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via 'mshta.exe,'" Morphisec researcher Yonatan Edri said in a report shared with The Hacker News."
"PyStoreRAT has been described as a "modular, multi-stage" implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload. Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers."
"The earliest signs of the campaign go back to mid-June 2025, with a steady stream of "repositories" published since then. The tools are promoted via social media platforms like YouTube and X, as well as by artificially inflating the repositories' star and fork metrics - a technique reminiscent of the Stargazers Ghost Network. The threat actors behind the campaign leverage either newly created GitHub accounts or those that lay dormant for months to publish the repositories,"
A campaign leverages GitHub-hosted repositories masquerading as development utilities, OSINT tools, DeFi bots, and GPT wrappers to deliver a JavaScript-based RAT named PyStoreRAT. Minimal loader stubs in these repositories silently download remote HTA files and execute them via mshta.exe. PyStoreRAT is modular and multi-stage, capable of running EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules, and it commonly follows up with the Rhadamanthys information-stealer. Operators promote repositories on social media and inflate stars and forks to feign popularity. Threat actors use new or dormant accounts and introduce malicious payloads via later "maintenance" commits.
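A defender-side check for the execution pattern the summary describes (a script interpreter spawning mshta.exe with a remote URL), written as an added example rather than code from The Hacker News or Morphisec; the pipe-delimited event format, the interpreter list and the sample events are constructed assumptions, not real telemetry from the campaign.

```python
import re

# Constructed process-creation events in a simplified Sysmon Event ID 1 style.
# Hostnames use the reserved .invalid TLD; nothing here is a real indicator.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Python312\\python.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe https://example.invalid/update.hta",
    "ParentImage=C:\\Program Files\\nodejs\\node.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta http://example.invalid/x",
    # Local HTA opened from the shell: not the loader-stub pattern.
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe C:\\Users\\dev\\local.hta",
    # Ordinary script run: no mshta.exe involved.
    "ParentImage=C:\\Python312\\python.exe|Image=C:\\Python312\\python.exe"
    "|CommandLine=python.exe osint_tool.py",
]

# Interpreters a "development utility" stub would typically run under (assumption).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line):
    """Split a 'Key=Value|Key=Value' line into a dict (only the first '=' splits)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when a script interpreter launches mshta.exe with a remote URL argument."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return image == "mshta.exe" and parent in SCRIPT_HOSTS and bool(URL_RE.search(cmd))


def detect(lines):
    """Return the parsed events that match the loader-stub execution pattern."""
    return [event for event in map(parse_event, lines) if is_suspicious(event)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Only the first two constructed events match; the local HTA and the plain script run are left alone, which is the distinction a rule like this has to make to stay usable on developer workstations.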
Read at The Hacker News