A sophisticated campaign is targeting hackers, gamers, and researchers with backdoored source code distributed through GitHub repositories. The malicious code, hidden within projects often advertised as exploits, bots, or game cheats, grants attackers remote access to infected devices.
The operation was uncovered by Sophos researchers while investigating “Sakura RAT,” a remote access trojan reportedly available on GitHub. Their analysis revealed that the Sakura RAT code itself was largely non-functional. However, the Visual Studio project contained a malicious PreBuildEvent designed to download and install malware when users attempted to compile the code.
Further investigation linked the publisher “ischhfd83” to a network of 141 GitHub repositories. Out of these, 133 were found to contain hidden backdoors, indicating a coordinated effort to distribute malware.
The methods used to embed backdoors vary, including Python scripts with obfuscated payloads, malicious screensaver (.scr) files utilizing Unicode tricks, JavaScript files containing encoded payloads, and malicious Visual Studio PreBuild events. While some repositories were abandoned in late 2023, many remain active with automated commits designed to create a false sense of legitimacy and activity. These automated workflows result in unusually high commit counts; one project created in March 2025 had nearly 60,000 commits, with the average across all repositories standing at 4,446 at the time of Sophos’ initial data collection.
Each repository consistently featured three contributors. Different publisher accounts were also employed, with no single account managing more than nine repositories. Traffic to these malicious repositories is driven by promotion on YouTube, Discord, and cybercrime forums. The media attention surrounding Sakura RAT, specifically, is believed to have drawn unsuspecting users to search for it on GitHub.
When a victim downloads these files, simply running or building the code triggers a multi-stage infection chain: VBS scripts execute first, then PowerShell downloads an encoded payload from hardcoded URLs, which in turn fetches a 7zip archive from GitHub and runs an Electron app named ‘SearchFilter.exe’. The Electron app bundles an archive containing a heavily obfuscated ‘main.js’ and related files, which implement system profiling, command execution, disabling of Windows Defender, and retrieval of additional payloads.
The secondary payloads downloaded by the backdoor include well-known information stealers and remote access trojans such as Lumma Stealer, AsyncRAT, and Remcos, all equipped with extensive data theft capabilities.
While a portion of the trojanized repositories targets other hackers, a broad range of lures, including game cheats, mod tools, and fake exploits, is also used to ensnare gamers, students, and even cybersecurity researchers.
Given the ease with which anyone can upload source code to GitHub, users are strongly advised to carefully examine source code and verify any pre- and post-build events within projects before compiling software downloaded from open-source repositories.
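As an added illustration of that check (this is not code from Sophos or from the article), the following Python scanner walks an MSBuild project file (.csproj or .vcxproj), collects every PreBuildEvent, PostBuildEvent, PreLinkEvent and Exec command, and flags the ones that match a heuristic list of download-and-execute indicators. The indicator list and the sample project are constructed assumptions, not values taken from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic indicators of download-and-execute behaviour in a build step (assumed list, not from Sophos).
SUSPICIOUS = re.compile(
    r"powershell|pwsh|cmd(\.exe)?\s+/c|wscript|cscript|mshta|certutil|bitsadmin|curl|wget"
    r"|invoke-(webrequest|expression)|downloadstring|frombase64string|-enc(odedcommand)?|https?://",
    re.IGNORECASE,
)
BUILD_EVENT_TAGS = ("PreBuildEvent", "PostBuildEvent", "PreLinkEvent")

def _local(tag):
    """Strip the MSBuild XML namespace so old-style and SDK-style projects are handled alike."""
    return tag.rsplit("}", 1)[-1]

def find_build_events(project_xml):
    """Return (kind, command) for every build event or Exec task in an MSBuild project."""
    found = []
    for el in ET.fromstring(project_xml).iter():
        name = _local(el.tag)
        if name in BUILD_EVENT_TAGS:
            # .csproj puts the command directly in the element; .vcxproj nests it in <Command>.
            text = "".join(el.itertext()).strip()
            if text:
                found.append((name, text))
        elif name == "Exec" and el.get("Command"):
            # SDK-style projects express build events as <Exec Command=...> inside a <Target>.
            found.append(("Exec", el.get("Command").strip()))
    return found

def flag_suspicious(project_xml):
    """Return only the build steps whose command matches the heuristic indicator list."""
    return [(k, c) for k, c in find_build_events(project_xml) if SUSPICIOUS.search(c)]

# Constructed sample project: a benign post-build copy next to a hidden, encoded pre-build PowerShell call.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <PreBuildEvent>powershell -w hidden -enc CONSTRUCTED_BASE64_PLACEHOLDER</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for kind, cmd in flag_suspicious(SAMPLE_CSPROJ):
        print(f"SUSPICIOUS {kind}: {cmd}")
```

Run it against every project file in a downloaded repository before opening the solution, since Visual Studio executes these events automatically on build.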