PyStoreRAT Malware Distributed via Fake GitHub OSINT and Utility Repositories
A sophisticated malware campaign has been uncovered in which threat actors use GitHub to distribute a new Remote Access Trojan (RAT) called PyStoreRAT. The attackers reactivated dormant GitHub accounts or created new ones to publish repositories masquerading as legitimate OSINT tools, DeFi bots, and AI chat wrappers. These repositories, often promoted on social media and artificially boosted in popularity, were designed to appeal to IT administrators, cybersecurity professionals, and open-source intelligence researchers. Once the repositories gained trust and visibility, the attackers introduced malicious code through subtle 'maintenance' updates, enabling the silent deployment of PyStoreRAT.
PyStoreRAT is a modular, multi-stage malware capable of executing a variety of payloads, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. It profiles victim systems and can deploy additional threats such as the Rhadamanthys information stealer and Python Loader. Many of the fake tools hosted on GitHub were non-functional or provided only minimal placeholder features, serving primarily as a delivery mechanism for the malware. The campaign demonstrates a calculated abuse of GitHub's trust model and highlights the risks of downloading and executing code from seemingly reputable open-source repositories.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Further analysis characterizes PyStoreRAT as fileless malware targeting developers
Subsequent reporting described PyStoreRAT as a fileless RAT hidden in fake GitHub repositories, emphasizing its ability to avoid writing payloads to disk and evade traditional detection. This coverage broadened the victim focus to developers in addition to IT and security professionals.
Additional reporting reveals persistence and wallet-targeting behavior
Follow-on coverage detailed that PyStoreRAT establishes persistence through scheduled tasks disguised as NVIDIA updates and targets cryptocurrency wallet files. Reporting also highlighted the use of social media promotion and GitHub metric manipulation to boost the malicious repositories' reach.
Morphisec discloses PyStoreRAT GitHub supply-chain campaign
Morphisec Threat Labs publicly reported the campaign and described PyStoreRAT as a stealthy, adaptive RAT with rotating command-and-control infrastructure, removable-drive propagation, and evasion checks for security products. The report also noted Russian-language artifacts and said several malicious repositories had been identified and removed while others remained active.
Popularized repositories are updated to deliver PyStoreRAT
After the repositories gained popularity, the attackers introduced malicious commits that turned them into loaders for a multi-stage infection chain. The campaign delivered the newly identified PyStoreRAT remote access trojan and, in some cases, the Rhadamanthys information stealer.
Attackers seed dormant GitHub accounts with fake utility and OSINT projects
Threat actors reactivated dormant GitHub accounts and published AI-generated repositories themed as development, GPT, and OSINT tools to attract IT administrators, cybersecurity professionals, developers, and OSINT researchers. The repositories were made to look legitimate and were promoted to gain visibility and trust.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
PyStoreRAT Uncovered: Fileless RAT Hides in Fake GitHub Repos to Launch Invisible Attacks on Developers
securityonline.info
Open sourceNew PyStoreRAT Malware Targets OSINT Researchers Through GitHub
hackread.com
Open sourceFake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads
thehackernews.com
Open sourcePyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals
morphisec.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spoofed GitHub IT Tools Spread EtherRAT via Ethereum-Based C2
Researchers reported a stealthy malware campaign targeting enterprise administrators, DevOps engineers, and security analysts by impersonating trusted administrative and developer utilities in malicious MSI installers. The operation used SEO poisoning to push victims toward spoofed tool listings and a dual-stage GitHub distribution chain in which benign-looking facade repositories redirected users to secondary repositories hosting the real payload, enabling operators to rotate malware quickly while preserving search credibility. At least 44 GitHub facade repositories spoofing IT tools were observed between December 2025 and early April 2026. The payload, **EtherRAT**, is a multi-stage Node.js remote access trojan that downloads Node.js at runtime, establishes registry-based persistence, and executes through `conhost.exe` with a `--headless` argument to reduce visibility. Researchers said the malware uses layered `AES-256-CBC` encryption and retrieves its live command-and-control endpoint through public Ethereum RPC services and a hardcoded smart contract, effectively using the blockchain as a dead-drop resolver that complicates domain and IP takedowns. Reporting linked the campaign to prior EtherRAT and EtherHiding activity and said the tradecraft overlaps with malware previously associated with **Lazarus Group**, while also noting code similarities to **Tsundere**, a malware family tied in other research to **MuddyWater (APT34)**.
May 11, 2026
GitHub Gaming Cheat Projects Used to Deliver AsyncRAT and VileRAT Malware
Security researchers and sandbox telemetry identified malware campaigns abusing GitHub-hosted gaming cheat projects to distribute remote access trojans, including **AsyncRAT** and **VileRAT**. One analyzed sample was delivered from a GitHub raw URL and disguised as an *Escape from Tarkov* cheat-related `.scr` file, using a gaming-themed lure to entice users seeking cheats, DLL injectors, or other unauthorized tools. ANY.RUN classified the sample as malicious and linked it to **AsyncRAT**, a trojan that can provide remote control, keystroke capture, webcam access, and data theft from infected Windows systems. Additional reporting warned that attackers were packaging malware inside purported open-source game cheat repositories and injector utilities on GitHub, broadening the campaign beyond a single title or payload. Technical analysis tied related activity to **VileRAT**, indicating that threat actors are using trusted developer platforms and cheat-seeking communities as an infection channel for commodity and custom RAT malware. Reported indicators for the AsyncRAT sample included `SHA1 3065DA0D35988807C34C98164D35385F846AB1DF` and `SHA256 84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14`.
Nov 14, 2023
Webrat Malware Distributed via Fake Exploit PoCs on GitHub
A new malware family named **Webrat** has been distributed through GitHub repositories, masquerading as proof-of-concept (PoC) exploits for high-profile vulnerabilities. The campaign, uncovered in late 2025, initially targeted gamers and users seeking cheats or cracked software, but later expanded to include inexperienced information security professionals and students. Attackers crafted repositories with detailed, AI-generated descriptions of vulnerabilities, including guides and mitigation steps, to build credibility and lure victims into downloading malicious files. The malware is delivered as a password-protected archive containing an executable that escalates privileges, disables Windows Defender, and downloads the Webrat payload from a hardcoded URL. Once installed, Webrat can steal credentials from Telegram, Discord, Steam, and cryptocurrency wallets, log keystrokes, record screens, access webcams and microphones, and provide remote access to attackers. The campaign leverages vulnerabilities with high CVSSv3 scores, such as those in Internet Explorer, WordPress plugins, Windows services, and Tenda routers, to attract victims searching for exploit code.
Mar 21, 2026