Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User
Sophos X-Ops researchers have identified over 140 GitHub repositories laced with malicious backdoors, orchestrated by a single threat actor associated with the email address ischhfd83[at]rambler[.]ru.
Initially sparked by a customer inquiry into the Sakura RAT, a supposed open-source malware touted for its “sophisticated anti-detection capabilities,” the investigation revealed a much broader and more insidious campaign.
Uncovering a Web of Backdoored Repositories
The Sakura RAT itself proved non-functional for its intended purpose, but its repository harbored hidden malicious code designed not to target typical victims, but rather novice cybercriminals and gamers seeking cheats.
This tactical pivot, threat actors targeting their own kind, underscores a growing trend of infighting within the cybercrime ecosystem, where even aspiring hackers are not safe from deception.
Delving deeper, the team uncovered 133 backdoored repositories out of the 141 identified, employing four distinct types of backdoors: PreBuild event scripts in Visual Basic project files, Python scripts, screensaver (.scr) files disguised as solution files, and JavaScript payloads.
The PreBuild backdoor, found in 111 repositories, leverages encoded batch commands within .vbproj files to execute a multi-stage infection chain.

This begins with a VBS script that spawns a PowerShell script, ultimately downloading a malicious 7z archive named SearchFilter.7z from GitHub releases.
Sophisticated Infection Chains
Once extracted using a hardcoded password, it deploys an Electron-based application, TeamsPackage, which embeds infostealers and RATs like AsyncRAT, Remcos, and Lumma Stealer.
The Python backdoors, hidden via whitespace obfuscation, and JavaScript variants similarly route through encoded URLs hosted on paste sites like Pastebin and glitch[.]me, culminating in the same payload.
The screensaver backdoors, using Unicode right-to-left override tricks to masquerade as legitimate files, also point to historical payloads linked to AsyncRAT, demonstrating the threat actor’s persistent and evolving tactics.
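The four backdoor types above share indicators that a defender can look for before building or running anything from an untrusted repository: a PreBuildEvent in an MSBuild project file that launches a script interpreter or an encoded command, Python or JavaScript source hidden behind long runs of whitespace, paste-site or base64-encoded staging URLs, and filenames carrying Unicode bidirectional controls or a .scr extension. The scanner below is an added example, not Sophos's tooling and not code from any of the repositories described; the regexes and the 120-blank threshold are assumptions chosen for illustration, and the sample inputs in its test are constructed.

```python
"""Heuristic scanner for the four backdoor indicators described above.

Added example; not Sophos's tooling. Thresholds and patterns are assumptions.
"""
import re
from pathlib import Path
from typing import List

# Unicode bidirectional control characters. U+202E (right-to-left override)
# makes a name such as "setup\u202enls.scr" render with a benign extension.
BIDI_CONTROLS = {chr(c) for c in (0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                                   0x2066, 0x2067, 0x2068, 0x2069)}

# <PreBuildEvent> in MSBuild project files (.vbproj/.csproj) runs a command
# line at build time, so the repository executes code as soon as it is built.
PREBUILD_RE = re.compile(r"<PreBuildEvent>(.*?)</PreBuildEvent>", re.I | re.S)

# Interpreters, decoders and long encoded blobs do not belong in the
# pre-build step of a small hobby project (assumed heuristic).
SUSPECT_BUILD_CMD_RE = re.compile(
    r"powershell|pwsh|wscript|cscript|mshta|certutil|\.vbs\b"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}",
    re.I)

# Paste-site staging URLs, or a base64 blob that decodes to "http" (aHR0cH).
STAGING_RE = re.compile(
    r"https?://(?:pastebin\.com|glitch\.me)\S*|aHR0cH[A-Za-z0-9+/=]{12,}",
    re.I)

# Code placed after this many leading blanks is off-screen in most editors.
WHITESPACE_PAD = 120  # assumed threshold


def scan_text(path: str, text: str) -> List[str]:
    """Return human-readable findings for one file (name plus contents)."""
    findings: List[str] = []
    p = Path(path)
    suffix = p.suffix.lower()

    if any(ch in BIDI_CONTROLS for ch in p.name):
        findings.append(f"{path}: bidi control character in filename")
    if suffix == ".scr":
        findings.append(f"{path}: screensaver executable in source tree")

    if suffix in (".vbproj", ".csproj"):
        for m in PREBUILD_RE.finditer(text):
            if SUSPECT_BUILD_CMD_RE.search(m.group(1)):
                findings.append(
                    f"{path}: PreBuildEvent runs a script interpreter or encoded command")

    if suffix in (".py", ".js"):
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.lstrip(" \t")
            pad = len(line) - len(stripped)
            if stripped and pad >= WHITESPACE_PAD:
                findings.append(
                    f"{path}:{lineno}: code hidden behind {pad} leading blanks")
        if STAGING_RE.search(text):
            findings.append(f"{path}: paste-site or base64-encoded URL")
    return findings


def scan_repo(root: str) -> List[str]:
    """Walk a checked-out repository and collect findings from every file."""
    findings: List[str] = []
    for f in Path(root).rglob("*"):
        if not f.is_file() or ".git" in f.parts:
            continue
        try:
            text = f.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            text = ""
        findings.extend(scan_text(str(f), text))
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against a clone before opening the solution in an IDE, since a PreBuildEvent fires on the first build and a right-to-left override hides the real extension in most file listings. The checks are deliberately coarse; a hit is a reason to inspect the file in an isolated environment, not proof of compromise.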
The scale of this operation is staggering, with repositories showing automated commits, some reaching nearly 60,000, to feign legitimacy and attract downloads.
Predominantly themed around gaming cheats (58%) and malware tools (24%), these repositories exploit the naivety of inexperienced threat actors and curious gamers.
Distribution likely occurs via underground forums, Discord servers, and YouTube channels, with inadvertent amplification through media coverage of Sakura RAT.

Sophos reported the active repositories to GitHub, resulting in the takedown of most, alongside notifications to paste site operators hosting intermediate malicious content.
Links to prior campaigns, such as the Stargazer Goblin Distribution-as-a-Service operation reported by Check Point in 2024, suggest this actor may be part of a larger network or a repeat offender active since at least 2022.
Identifiers like “Unknown” and “Muck”, recurrent in code comments, encryption keys, and staging URLs, hint at a consistent persona, though their exact role remains under investigation.
This campaign’s complexity, from obfuscated infection chains to Telegram-based C2 notifications, reveals a calculated effort to maximize infections among a niche audience.
For the cybersecurity community, it serves as a reminder to scrutinize open-source code meticulously and execute unverified repositories only in isolated environments.
As threat actors refine such deceptive strategies, the risk of collateral damage to unintended victims looms large, necessitating heightened vigilance across all user groups.