Saved February 14, 2026
Do you care about this?
Researchers have identified a campaign using GitHub-hosted Python repositories to spread a new JavaScript-based Remote Access Trojan called PyStoreRAT. This malware executes various malicious commands and targets cryptocurrency files, leveraging fake tools to deceive users into downloading it. The operation shows signs of being linked to Eastern European threat actors.
If you do, here's more
Cybersecurity researchers have identified a new threat, PyStoreRAT, a JavaScript-based Remote Access Trojan (RAT) distributed through GitHub-hosted Python repositories. These repositories often appear as useful development tools or OSINT (Open Source Intelligence) utilities but contain minimal code designed to download and execute a remote HTA (HTML Application) file using "mshta.exe." PyStoreRAT is modular, capable of executing various file types like EXE, DLL, and PowerShell, and can deploy an information stealer called Rhadamanthys as a secondary payload.
The campaign dates back to mid-June 2025, with attackers using newly created or dormant GitHub accounts to publish these repositories. They promote the tools through social media, artificially inflating their popularity metrics to lure users. Many of these tools lack functionality, serving only to mislead users into executing the malicious loader that initiates the infection process. Once executed, PyStoreRAT can gather extensive system information, including scanning for cryptocurrency wallet files and installed antivirus products, which it tries to evade.
Persistence mechanisms include setting up scheduled tasks disguised as NVIDIA app updates. The malware can execute a variety of commands, such as downloading and running additional payloads, executing PowerShell scripts, and spreading through removable drives. The origins of the threat actors may point to Eastern Europe, given the presence of Russian-language artifacts in the code.
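The two observable behaviours described above, mshta.exe fetching a remote HTA and a scheduled task dressed up as an NVIDIA update, are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example, not code from the researchers or from the article; the event records, paths and task names are constructed samples, and the assumption that legitimate NVIDIA binaries live under Program Files is the author's, not something stated on the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry). "process" rows are simplified
# Sysmon Event ID 1 fields; "task" rows are simplified Security 4698 fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://example.invalid/update.hta"},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"kind": "task", "task_name": r"\NVIDIA App Update",
     "task_action": r"C:\Users\alice\AppData\Roaming\svc\runner.exe"},
    {"kind": "task", "task_name": r"\NVIDIA App Update",
     "task_action": r"C:\Program Files\NVIDIA Corporation\NVIDIA App\nvidia.exe"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Assumption (hypothetical allow-list): real NVIDIA updaters install under
# Program Files; anything NVIDIA-themed running from elsewhere is suspicious.
NVIDIA_OK_PATH = re.compile(r"^C:\\Program Files( \(x86\))?\\NVIDIA", re.IGNORECASE)


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding for a suspicious event, or None if it looks benign."""
    if ev["kind"] == "process":
        # mshta.exe with a URL on its command line means a remote HTA is being run.
        if ev["image"].lower().endswith("\\mshta.exe") and REMOTE_URL.search(ev["cmdline"]):
            return "mshta.exe launched with a remote URL (remote HTA execution)"
        return None
    if ev["kind"] == "task":
        # NVIDIA-named task whose action points outside the NVIDIA install path.
        if "nvidia" in ev["task_name"].lower() and not NVIDIA_OK_PATH.match(ev["task_action"]):
            return "NVIDIA-themed scheduled task runs a binary outside the NVIDIA install path"
        return None
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through check_event and collect (index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        finding = check_event(ev)
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

Only the remote HTA launch and the out-of-place NVIDIA task are flagged; the local HTA and the task pointing into the NVIDIA install directory pass.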
In a related development, another RAT called SetcodeRat has emerged, primarily targeting systems in Chinese-speaking regions. This malware disguises itself as a legitimate software installer and checks the system language before proceeding. If the language matches its targeted region, it executes a sequence of commands that allow it to steal data, take screenshots, and log keystrokes. Both PyStoreRAT and SetcodeRat highlight the evolving landscape of cyber threats, with increasingly sophisticated methods for distribution and evasion.