PyStoreRAT: A New AI-Driven Supply Chain Malware Campaign Targeting IT & OSINT Professionals
Morphisec Threat Labs has uncovered a coordinated malware operation abusing GitHub in a way that stands apart from typical opportunistic campaigns.
Introduction
Over the last several months, dormant GitHub accounts, some inactive for years, suddenly reactivated and began publishing polished, AI-generated projects that included OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities.
Several of these repositories climbed into GitHub’s top trending lists, placing them directly in front of IT administrators, cybersecurity analysts, and OSINT professionals.
Only after some of these repositories gained traction did attackers introduce subtle “maintenance” commits that deployed a previously undocumented JavaScript/HTA backdoor Morphisec researchers have coined “PyStoreRAT’.
Threat Analysis
PyStoreRAT is a multi-purpose loader designed for stealth, flexibility, and long-term access.
It performs extensive system profiling, deploys multiple payload types (including the Rhadamanthys stealer), and even changes its execution technique when CrowdStrike Falcon or Reason related AV products (e.g. CyberReason, ReasonLabs) are detected, switching to alternate launch paths to reduce visibility. The malware also spreads via removable drives and dynamically pulls additional modules from its operators.
Another notable finding in our investigation is the circular, rotating C2 infrastructure (node{i}-py-store, py-installer, and related nodes), which enables seamless payload updates and resilience against takedown.
Combined with subtle linguistic artifacts in the codebase, including Russian-language strings such as “СИСТЕМА” to validate Russian target as well (targeting both Russian and non-Russian victims), the overall picture suggests development and operational planning far beyond typical GitHub-malware noise.
Implications
If you’re seeing echoes of past supply-chain threats, you’re not wrong, but PyStoreRAT represents a new evolutionary step.
Its operators blend AI-generated legitimacy, long-game social engineering, cloud-based resilience, and adaptive execution paths in a way that makes traditional detection models fundamentally unreliable. What we’ve outlined above is only the surface-level pattern; the deeper mechanics reveal a campaign engineered for persistence, rapid iteration, and cross-environment compromise. For defenders responsible for safeguarding developer ecosystems, sensitive research environments, or distributed IT teams, understanding those mechanics isn’t optional. It’s essential.
How Morphisec Can Help
Morphisec’s prevention-first approach, powered by Automated Moving Target Defense (AMTD), is purpose-built to stop advanced, multi-stage threats like PyStoreRAT before they gain a foothold. Instead of relying on signatures, heuristics, or behavioral detection models that PyStoreRAT deliberately evades, AMTD denies the malware a stable environment to execute, disrupting its loader sequence, blocking its payload delivery paths, and neutralizing its C2-driven module updates.
Within the Morphisec Anti-Ransomware Assurance Suite, infiltration protection thwarts PyStoreRAT at the earliest stage, while impact protection safeguards systems, processes, and high-value assets from downstream payloads such as Rhadamanthys and other stealers.
Combined with Adaptive Exposure Management to minimize attack surface visibility, Morphisec provides a comprehensive, preemptive defense layer designed to stop campaigns like PyStoreRAT long before they can persist, profile, or propagate.
Stay up-to-date
Get the latest resources, news, and threat research delivered to your inbox.
