522/68 Monday, December 15, 2025

Cybersecurity researchers have identified a new malware campaign targeting developers and data analysts. Threat actors are creating Python-based GitHub repositories that appear legitimate, claiming to be OSINT tools, DeFi bots, or GPT utilities. In reality, these repositories conceal malicious code that installs a new malware strain called PyStoreRAT. The malware executes JavaScript via the Windows mshta.exe process, allowing it to evade traditional security inspections.
What makes this campaign particularly dangerous is its highly deceptive social engineering strategy. Attackers create GitHub accounts and publish these tools, leaving them online for some time while artificially inflating star and fork counts and promoting them on social media to build credibility. Malicious code is then quietly introduced later under the guise of routine maintenance updates. The malware is also designed to check for installed security solutions (such as CrowdStrike or ReasonLabs) and establishes persistence by creating a fake scheduled task disguised as an NVIDIA update.
Once fully deployed, PyStoreRAT functions as an information stealer, with a particular focus on files related to cryptocurrency wallets. It also acts as a backdoor, enabling the download of additional malware, including the infostealer Rhadamanthys, for follow-on attacks. The malware further includes USB-based self-propagation capabilities. Preliminary analysis of the code suggests the attackers may originate from Eastern Europe. Developers are therefore strongly advised to carefully review repository code before use, even when projects appear popular or trustworthy.
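Two of the behaviours described above are easy to hunt for in endpoint telemetry: mshta.exe being launched from a Python interpreter (or with inline script rather than a local .hta file), and a scheduled task that borrows an NVIDIA name but actually runs a script host or a binary outside the NVIDIA install directory. The following Python is an added detection example written for this summary; it is not code from the article, from the researchers, or from the malware. It assumes process-creation and scheduled-task records have already been exported as dicts with Sysmon-style field names (Image, ParentImage, CommandLine, TaskName, Action), and the sample records at the bottom are constructed for illustration.

```python
"""Heuristic checks for the PyStoreRAT tradecraft summarised above.

Assumptions (this example's own, not from the report):
  * process events are dicts with Image / ParentImage / CommandLine keys
  * scheduled tasks are dicts with TaskName / Action keys
  * a genuine NVIDIA component lives under one of NVIDIA_DIRS
"""
from __future__ import annotations

import ntpath  # handles Windows paths correctly even when run on Linux/macOS

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
PYTHON_PARENTS = {"python.exe", "pythonw.exe", "py.exe", "pip.exe"}
# Expected install roots for legitimate NVIDIA software (assumption used by the heuristic).
NVIDIA_DIRS = (
    "c:\\program files\\nvidia corporation\\",
    "c:\\program files (x86)\\nvidia corporation\\",
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_process(event: dict) -> list[str]:
    """Return findings for one process-creation record (empty list if benign)."""
    findings: list[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    if image == "mshta.exe":
        # A Python script has no ordinary reason to start the HTML Application host.
        if parent in PYTHON_PARENTS:
            findings.append(f"mshta.exe spawned by Python process {parent}")
        # mshta normally opens a local .hta; inline javascript:/vbscript: or a URL is unusual.
        if "javascript:" in cmdline or "vbscript:" in cmdline or "http" in cmdline:
            findings.append("mshta.exe invoked with inline script or remote content")
    return findings


def check_task(task: dict) -> list[str]:
    """Return findings for one scheduled task that presents itself as NVIDIA-related."""
    findings: list[str] = []
    name = task.get("TaskName", "").lower()
    action = task.get("Action", "")
    exe = _basename(action)
    if "nvidia" in name:
        if exe in SCRIPT_HOSTS:
            findings.append(f"task '{task['TaskName']}' runs script host {exe}")
        elif not action.lower().startswith(NVIDIA_DIRS):
            findings.append(
                f"task '{task['TaskName']}' runs {action} outside NVIDIA install directories"
            )
    return findings


def run_checks(processes: list[dict], tasks: list[dict]) -> list[str]:
    """Apply both checks and return a flat list of tagged alerts."""
    alerts: list[str] = []
    for ev in processes:
        alerts.extend(f"[proc] {f}" for f in check_process(ev))
    for t in tasks:
        alerts.extend(f"[task] {f}" for f in check_task(t))
    return alerts


# --- constructed sample telemetry (not real IoCs) ---------------------------
SAMPLE_PROCESSES = [
    {   # suspicious: Python launching mshta with an inline script argument
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\python.exe",
        "CommandLine": 'mshta.exe "javascript:<constructed inline payload>"',
    },
    {   # benign: a user opening a local .hta from Explorer
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"mshta.exe C:\Tools\help.hta",
    },
]
SAMPLE_TASKS = [
    {"TaskName": "NVIDIA Display Update", "Action": r"C:\Windows\System32\mshta.exe"},
    {"TaskName": "NVIDIA GeForce Experience SelfUpdate",
     "Action": r"C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe"},
    {"TaskName": "NVIDIA Update", "Action": r"C:\Users\dev\AppData\Roaming\nvupd.exe"},
]

if __name__ == "__main__":
    for alert in run_checks(SAMPLE_PROCESSES, SAMPLE_TASKS):
        print(alert)
```

The checks are deliberately narrow: they key on the parent/child relationship and on the task's executable path rather than on any file hash, so they survive the "maintenance update" trick the campaign relies on, where the malicious code changes but the way it is launched does not. In production the records would come from Sysmon Event ID 1 and a `schtasks`/Task Scheduler export rather than from the constructed lists.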
Source: https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html
