
In a recent deep dive, Sophos X-Ops uncovered a sophisticated campaign that’s not targeting enterprises or governments, but instead other hackers and game cheaters. And it all starts with a backdoored malware called Sakura RAT.
The investigation began when a customer asked Sophos whether they were protected against a tool called Sakura RAT, an open-source remote access trojan hosted on GitHub. But upon examining the code, Sophos researchers quickly discovered that this RAT wouldn’t even function if built—many parts were incomplete or stolen from other malware like AsyncRAT.
What they did find was a hidden <PreBuild> event in the Visual Basic project file that secretly downloaded and installed malware whenever the project was compiled.
“Sakura RAT was backdoored. The code was intended to target people who compiled the RAT, with infostealers and other RATs.”
Sophos traced the attack to an email address found in a GitHub YAML file: ischhfd83[at]rambler.ru. Searching for this identifier and code snippets led to an important discovery—over 141 repositories, of which 133 were backdoored.

“We discovered 141 repositories. 133 of them were backdoored, with 111 containing the PreBuild backdoor.”
These repositories masqueraded as everything from game cheats to malware tools, exploiting the curiosity and greed of script kiddies and wannabe hackers. Even media coverage unwittingly promoted these repositories, further spreading the trap.
The infection chain was remarkably complex. In the Visual Studio variant alone:
- A PreBuild script quietly dropped a .vbs file.
- That script wrote and executed a PowerShell payload.
- The payload fetched a 7z archive containing an Electron-based malware app named SearchFilter.exe.
- Inside, a massive, obfuscated JavaScript file performed data theft, scheduled tasks, Defender bypasses, and communicated with attackers via Telegram.
“The malware collects… username, hostname, network interfaces… and sends it to the attacker via Telegram.”
Besides the PreBuild backdoor, researchers identified three others:
- A Python backdoor using Fernet encryption, hidden behind whitespace padding.
- Screensaver (.scr) files disguised with right-to-left override tricks.
- JavaScript backdoors using eval() and obfuscated multi-stage payloads.
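The practical question for a defender is how to spot these markers before compiling or running anything from a cloned repository. The following triage script is an added example written for this article, not Sophos code and not derived from the repositories it describes; it covers both the PreBuild chain listed above (a build event in the .csproj/.vbproj that runs a script) and the three other variants (whitespace-hidden Python, RTLO-disguised .scr names, eval()-based JavaScript). The suspicious-command list, the whitespace and length thresholds, and the sample repository contents are all assumptions chosen for illustration.

```python
"""Defender-side triage for a cloned repository (added example, not Sophos
code). Flags the four markers described in the article: build-event
backdoors in MSBuild project files, whitespace-hidden Python payloads,
right-to-left-override (RTLO) filenames, and eval()-heavy JavaScript.
Thresholds, command lists and sample inputs are assumptions."""
import re
import xml.etree.ElementTree as ET

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE; reverses how the rest of a name displays

# Tokens that rarely belong in a legitimate pre/post-build step (assumed list).
SUSPICIOUS_CMD = re.compile(
    r"powershell|pwsh|wscript|cscript|mshta|\.vbs\b|certutil|"
    r"DownloadString|Invoke-WebRequest|FromBase64String",
    re.IGNORECASE,
)


def scan_project_xml(xml_text: str) -> list[str]:
    """Report every PreBuild/PostBuild event and Exec task in a .csproj/.vbproj.
    Build events run on the developer's machine as soon as the project compiles,
    so even a benign-looking one is worth a review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the MSBuild XML namespace
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            body = (el.text or "").strip()
            if body:
                verdict = "SUSPICIOUS" if SUSPICIOUS_CMD.search(body) else "review"
                findings.append(f"{tag} [{verdict}]: {body[:70]!r}")
        elif tag == "Exec" and SUSPICIOUS_CMD.search(el.get("Command", "")):
            findings.append(f"Exec task [SUSPICIOUS]: {el.get('Command')[:70]!r}")
    return findings


def scan_python_source(src: str, min_pad: int = 200, max_len: int = 500) -> list[str]:
    """Flag lines whose code is pushed off-screen by a run of leading blanks
    (the whitespace trick) or that are long enough to be a packed stage."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        code = line.lstrip(" \t")
        pad = len(line) - len(code)
        if code and pad >= min_pad:
            findings.append(f"line {no}: {pad} leading blanks hide {code[:40]!r}")
        elif len(line) > max_len:
            findings.append(f"line {no}: {len(line)} chars long, possible packed payload")
    return findings


def scan_filename(name: str) -> list[str]:
    """Flag RTLO-disguised names and screensaver/PE extensions."""
    findings = []
    shown = name.replace(RTLO, "<U+202E>")  # safe to print; the raw char would re-order output
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if RTLO in name:
        findings.append(f"RTLO in {shown!r}; real extension is .{real_ext}")
    if real_ext in ("scr", "pif", "com", "exe"):
        findings.append(f"executable extension .{real_ext} on {shown!r}")
    return findings


def scan_javascript(src: str) -> list[str]:
    """Count eval()/Function() sinks and long opaque string literals."""
    findings = []
    sinks = len(re.findall(r"\b(?:eval|Function)\s*\(", src))
    if sinks:
        findings.append(f"{sinks} dynamic-code sink(s)")
    blobs = re.findall(r"['\"][A-Za-z0-9+/=]{120,}['\"]", src)
    if blobs:
        findings.append(f"{len(blobs)} opaque string literal(s) of 120+ chars")
    return findings


def triage(files: dict[str, str]) -> dict[str, list[str]]:
    """Dispatch each (name -> content) pair to the right scanner; keep only hits."""
    report = {}
    for name, content in files.items():
        hits = scan_filename(name)
        lower = name.lower()
        if lower.endswith((".csproj", ".vbproj")):
            hits += scan_project_xml(content)
        elif lower.endswith(".py"):
            hits += scan_python_source(content)
        elif lower.endswith(".js"):
            hits += scan_javascript(content)
        if hits:
            report[name] = hits
    return report


# Constructed sample repository for the demo; contents are placeholders, not real malware.
SAMPLE_REPO = {
    "Cheat.vbproj": (
        '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
        "<PropertyGroup><PreBuildEvent>echo building</PreBuildEvent></PropertyGroup>"
        "<PropertyGroup><PreBuildEvent>cscript //nologo setup.vbs</PreBuildEvent>"
        "</PropertyGroup></Project>"
    ),
    "loader.py": "import base64\n" + " " * 800 + "exec(stage2)\n",
    "screenshot_" + RTLO + "gnp.scr": "MZ...",
    "ui.js": "eval(atob('" + "QUJD" * 40 + "'))",
    "README.md": "# Totally legit cheat",
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_REPO).items():
        print(name.replace(RTLO, "<U+202E>"))
        for hit in hits:
            print("   ", hit)
```

Run it on a freshly cloned repository by walking the tree and feeding each file's name and text into `triage()`; anything it reports should be read in an editor with whitespace rendering turned on before the project is ever built. The project-file check is the important one here: a build event executes with the developer's privileges the moment the IDE compiles, which is exactly the step the backdoored repositories relied on.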
Each variation employed unique obfuscation and clever tricks to evade detection and maximize infection.
Sophos also uncovered a pattern of automation: auto-commits via GitHub Actions, fake contributors with recycled usernames (like Mastoask, Maskts, and Mastrorz), and YAML scripts that mimicked active development.
“The threat actor may want to give the illusion that their repositories are regularly maintained, so as to attract more potential victims.”
The identity of ischhfd83 remains a mystery, but connections emerged between this persona and past Distribution-as-a-Service (DaaS) networks such as Stargazer Goblin. A Telegram bot embedded in the malware pointed to unknownx, a likely alias. The team even uncovered a suspicious domain—arturshi.ru—which once hosted a fake influencer course and now redirects to a financial scam site.
“Whether ‘Unknown’ is an actual alias… or the intentional absence of one, isn’t clear.”
Sophos concludes with this warning:
“We suspect there may be more to this story, and will continue to monitor for further developments.”