Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads thehackernews.com/2025/12/f…
Cybersecurity researchers are calling attention to a new campaign that’s leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.
“These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via ‘mshta.exe,'” Morphisec researcher Yonatan Edri said in a report shared with The Hacker News.
PyStoreRAT has been described as a “modular, multi-stage” implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.
Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to analysts and developers.
The earliest signs of the campaign go back to mid-June 2025, with a steady stream of “repositories” published since then. The tools are promoted via social media platforms like YouTube and X, as well as artificially inflate the repositories’ star and fork metrics – a technique reminiscent of the Stargazers Ghost Network.
