A sophisticated malware campaign targeting hackers, gamers, and cybersecurity researchers has been uncovered on GitHub, leveraging fake exploits, game cheats, and open-source tools to distribute backdoors. The operation, linked to a threat actor using the alias “ischhfd83,” was discovered by Sophos researchers after analyzing the non-functional Sakura RAT, which concealed malicious code in its build process.
Campaign overview
The campaign revolves around 133 backdoored GitHub repositories posing as legitimate tools. Key findings include:
- Sakura RAT: A seemingly broken remote access trojan that hid a
PreBuildEventcommand to silently download malware during compilation. - Automated Deception: Repositories used GitHub Actions to generate thousands of automated commits (one had 60,000 commits since March 2025), creating a false impression of active development.
- Multi-Stage Payloads: Victims compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers (Lumma Stealer) and RATs (AsyncRAT, Remcos).
Targets and distribution
The threat actor cast a wide net:
- Cybercriminals: 24% of repositories masqueraded as hacking tools or malware kits, exploiting curiosity about “sophisticated” tools like Sakura RAT.
- Gamers: 58% of repos offered game cheats or mods, luring users seeking competitive advantages.
- Researchers: Security analysts downloading malware for study risked infection if precautions like isolated environments were overlooked.
Traffic to these repositories was fueled by YouTube tutorials, Discord channels, and posts on cybercrime forums.
Technical sophistication
- Obfuscation: Payloads were hidden in Python scripts, malicious screensavers (.scr), and JavaScript files using Unicode tricks.
- Modular Infrastructure: The attacker used separate GitHub accounts for each repository cluster, never assigning more than nine repos to a single account.
- Link to Cybercrime Services: Sophos theorizes ties to “Stargazer Goblin,” a known distributor of malware-as-a-service, based on code similarities and Russian-language comments.
Recommendations for developers
- Audit Build Events: Check Visual Studio project files (
.vbproj,.csproj) for suspiciousPreBuildorPostBuildcommands. - Verify Repository Activity: High commit counts with minimal substantive changes may indicate automation designed to deceive.
- Isolate Analysis: Researchers should use sandboxed environments when testing code from unvetted sources.
This campaign underscores the risks of blindly trusting open-source projects, even those hosted on platforms like GitHub. As Sophos notes, “Cybercriminals are increasingly turning on each other – but collateral damage to gamers and researchers remains a serious threat”.