Fake OSINT And Gpt Utility Github Repos Spread Pystorerat Malware...

Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

"These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via 'mshta.exe,'" Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.

PyStoreRAT has been described as a "modular, multi-stage" implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.

The earliest signs of the campaign go back to mid-June 2025, with a steady stream of "repositories" published since then. The tools are promoted via social media platforms like YouTube and X, as well as artificially inflate the repositories' star and fork metrics – a technique reminiscent of the Stargazers Ghost Network.

The threat actors behind the campaign leverage either newly created GitHub accounts or those that lay dormant for months to publish the repositories, stealthily slipping the malicious payload in the form of "maintenance" commits in October and November after the tools began to gain popularity and landed on GitHub's top trending lists.

In fact, many of the tools did not function as they were advertised, only displaying static menus or non-interactive interfaces in some cases, while others performed minimal placeholder operations. The intention behind the operation was to lend them a veneer of legitimacy by abusing GitHub's inherent trust and deceiving users into executing the loader stub that's responsible for initiating the infection chain.

This effectively triggers the execution of a remote HTML Application (HTA) payload that, in turn, delivers the PyStoreRAT malware, which comes with capabilities to profile the system, check for administrator privileges, and scan the system for cryptocurrency wallet-related files, specifically those associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

The loader stub gathers a list of installe

Source: The Hacker News