Attackers are using GitHub as part of a campaign to spread a novel JavaScript-based RAT called PyStoreRAT, masquerading as widely used OSINT, GPT, and security utilities targeting developers and analysts. The malware campaign leverages small pieces of Python or JavaScript loader code hosted on fake GitHub repositories, which silently fetch and execute remote HTML Application (HTA) files via mshta.exe, initiating a multi-stage infection chain.
PyStoreRAT is said to be a modular, multi-stage implant that can load and execute a wide range of payload formats, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules, making it highly versatile once a breach has been established. One of the most prominent follow-on payloads is the Rhadamanthys information stealer, which specializes in the exfiltration of sensitive information, including credentials and financial data. The loaders arrive embedded in repositories branded as OSINT frameworks, DeFi trading bots, GPT wrappers, or security tools; many of these hardly work past statically showing menus or other placeholder behavior to appear legitimate.
It is believed the campaign started at around mid-June 2025, with the attackers publishing new repositories at a steady pace, and then artificially inflating
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: