PyStoreRAT Attacks IT & OSINT Pros for Remote Access

David kimber
February 9, 2026

A sophisticated new supply chain attack is actively targeting Information Technology (IT) administrators and Open Source Intelligence (OSINT) professionals. This campaign poses a significant risk to organizations, as threat actors leverage compromised software to gain remote access to critical systems. The attack specifically focuses on individuals in these roles, aiming to exploit their access and specialized tools.

This campaign leverages the reputation of the trusted development platform GitHub to distribute a stealthy backdoor.

Unlike typical opportunistic attacks, this operation employs a high level of planning, using dormant accounts to bypass suspicion and deliver malicious payloads directly to technical users.

The attackers begin by reactivating GitHub accounts that have been inactive for years, likely to leverage their existing reputation.

These accounts suddenly start publishing polished, AI-generated software projects. These repositories often masquerade as useful tools, such as cryptocurrency bots, GPT wrappers, and other security-themed utilities.

The use of AI-generated content allows the threat actors to quickly populate these repositories with legitimate-looking code, making them appear active and maintained.

Morphisec analysts identified this campaign after observing that several of these repositories had climbed into GitHub’s trending lists.

This visibility placed the malicious tools directly in front of their intended targets. Once the repositories gained traction and trust among the community, the attackers introduced subtle “maintenance” commits.

These updates contained a previously undocumented JavaScript and HTA backdoor, which the researchers have named “PyStoreRAT.”
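The supply chain step described above, a polished Python project that later receives a "maintenance" commit carrying a JavaScript or HTA payload, is exactly what a pre-install review of a dependency should catch. The following is an added example of such a review helper (hypothetical, not Morphisec's tooling); the file names, the diff content and the pattern list are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Hypothetical review helper (added example): flag a commit that slips Windows
# script-host payloads into a repository that previously had none.
SCRIPT_HOST_EXT = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}
SUSPICIOUS = [
    ("mshta launch", re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("WSH launch", re.compile(r"\b[wc]script(\.exe)?\b", re.I)),
    ("ActiveX object creation", re.compile(r"ActiveXObject\(", re.I)),
    ("encoded PowerShell", re.compile(r"-enc\w*\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("long base64-like blob", re.compile(r"[A-Za-z0-9+/=]{200,}")),
]

@dataclass
class Finding:
    path: str
    reason: str

def ext(path):
    return os.path.splitext(path)[1].lower()

def review_commit(prior_files, added_files, added_lines):
    """prior_files: paths before the commit; added_files: paths the commit creates;
    added_lines: {path: [lines the commit adds]}. Returns a list of Finding."""
    findings = []
    had_script_hosts = any(ext(p) in SCRIPT_HOST_EXT for p in prior_files)
    for path in added_files:
        if ext(path) in SCRIPT_HOST_EXT and not had_script_hosts:
            findings.append(Finding(path, "introduces a script-host file into a project that had none"))
    for path, lines in added_lines.items():
        for line in lines:
            for label, pat in SUSPICIOUS:
                if pat.search(line):  # one finding per added line, first matching rule wins
                    findings.append(Finding(path, f"{label}: {line.strip()[:60]}"))
                    break
    return findings

# Constructed sample modelled on the campaign: a Python "bot" repo gains an HTA launcher.
PRIOR = ["bot/main.py", "bot/config.py", "README.md", "requirements.txt"]
ADDED_FILES = ["bot/update.hta"]
ADDED_LINES = {
    "bot/update.hta": ['<script language="JScript">',
                       'var sh = new ActiveXObject("WScript.Shell");'],
    "bot/main.py": ["import os, subprocess",
                    'subprocess.Popen(["mshta.exe", os.path.abspath("bot/update.hta")])'],
}

def demo():
    return review_commit(PRIOR, ADDED_FILES, ADDED_LINES)
```

Wire `review_commit` into a CI gate or a pre-install audit fed from `git diff --name-status` and `git diff -U0` so that a trending repository's later commits get the same scrutiny as its first release.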

This malware is designed for long-term persistence and data theft. Once installed, it serves as a multi-purpose loader capable of profiling the victim’s system and deploying further payloads.

One of the primary payloads observed is the Rhadamanthys stealer, a tool used to exfiltrate sensitive information.

The malware also possesses the ability to spread through removable drives, increasing its potential reach within an organization’s network.

Adaptive Evasion and Infrastructure

A key feature of PyStoreRAT is its ability to adapt its behavior based on the security environment it encounters.

The malware performs extensive checks to detect the presence of specific antivirus products, such as CrowdStrike Falcon and ReasonLabs. If these defenses are detected, PyStoreRAT alters its execution technique, switching to alternative launch paths to avoid triggering alarms.

Furthermore, the command-and-control (C2) infrastructure supporting this campaign is built for resilience.

It utilizes a rotating set of nodes that enables seamless updates to the malware’s payload.

This circular structure makes it difficult for defenders to take down the operation, as the infrastructure can quickly pivot to new nodes.

The codebase also contains linguistic artifacts, such as Russian strings, suggesting a specific geographic origin or targeting scope.

Experts recommend employing behavior-based defense strategies that do not rely solely on static signatures to detect these evolving threats.
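Because PyStoreRAT changes its launch path depending on which AV it finds, a rule keyed on one file or one launcher is fragile; rules keyed on the behaviours the article describes (a script host started by developer tooling, a shell spawned by a script host, a script run from removable media) survive that switching. The following is an added example of such behaviour rules over constructed process-creation events; the Sysmon-like field names, the drive assumption and the sample events are all invented for this illustration.

```python
import re

# Added example: behaviour rules over constructed process-creation events.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
DEV_TOOLS = {"python.exe", "pythonw.exe", "node.exe", "git.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
FIXED_DRIVES = {"C"}  # assumption for this example: any other drive letter is removable media
USER_SCRIPT = re.compile(r'[A-Z]:\\Users\\[^\s"]+\.(hta|js|jse|vbs|vbe|wsf)\b', re.I)
DRIVE = re.compile(r"\b([A-Z]):\\", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the rules this event trips (empty list means no alert)."""
    hits = []
    image, parent, cmd = basename(event["image"]), basename(event["parent_image"]), event["cmdline"]
    if image in SCRIPT_HOSTS:
        if parent in DEV_TOOLS:
            hits.append("script-host-spawned-by-dev-tool")
        if USER_SCRIPT.search(cmd):
            hits.append("script-host-runs-user-profile-script")
        if any(d.upper() not in FIXED_DRIVES for d in DRIVE.findall(cmd)):
            hits.append("script-host-runs-from-removable-drive")
    if image in SHELLS and parent in SCRIPT_HOSTS:
        hits.append("shell-spawned-by-script-host")
    return hits

# Constructed events: one benign installer script, then three shapes the article describes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Program Files\Vendor\installer.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\setup.vbs"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Users\analyst\venv\Scripts\python.exe",
     "cmdline": r'mshta.exe "C:\Users\analyst\src\osint-bot\update.hta"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe", "cmdline": "powershell.exe -nop -w hidden"},
    {"image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "E:\tools\run.js"'},
]

def triage(events=SAMPLE_EVENTS):
    return [detect(e) for e in events]
```

The first event produces no alert, which is the point: the rules describe the chain, not the host binary, so legitimate script-host use by an installer stays quiet while the developer-tool-to-mshta path fires on two rules at once.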
