Monday, June 9, 2025

Hundreds of Malicious GitHub Repos Targeting Novice Cybercriminals Traced to Single User


Sophos X-Ops researchers have identified 141 GitHub repositories, 133 of them backdoored, all tied to a single threat actor associated with the email address ischhfd83[at]rambler[.]ru.

The investigation began with a customer inquiry about Sakura RAT, a supposedly open-source malware touted for its “sophisticated anti-detection capabilities,” and uncovered a much broader and more insidious campaign.

Uncovering a Web of Backdoored Repositories

The Sakura RAT itself proved non-functional as a remote access tool, but its repository harbored hidden malicious code aimed not at typical victims but at novice cybercriminals and gamers seeking cheats.


This tactical pivot, threat actors targeting their own kind, underscores a growing trend of infighting within the cybercrime ecosystem, where even aspiring hackers are not safe from deception.

Of the 141 repositories identified, 133 were backdoored, using four distinct mechanisms: PreBuild event scripts in Visual Basic project files, Python scripts, screensaver (.scr) files disguised as solution files, and JavaScript payloads.

The PreBuild backdoor, found in 111 repositories, hides encoded batch commands in the PreBuildEvent of .vbproj files. MSBuild runs that event before compilation, so simply building the project in Visual Studio is enough to start a multi-stage infection chain.

[Figure: the backdoor in one of the malicious project files]

This begins with a VBS script that spawns a PowerShell script, ultimately downloading a malicious 7z archive named SearchFilter.7z from GitHub releases.

Sophisticated Infection Chains

Once the archive is extracted with a hardcoded password, it deploys an Electron-based application, TeamsPackage, which embeds infostealers and RATs including AsyncRAT, Remcos, and Lumma Stealer.

The Python backdoors, hidden via whitespace obfuscation, and JavaScript variants similarly route through encoded URLs hosted on paste sites like Pastebin and glitch[.]me, culminating in the same payload.

The screensaver backdoors, using Unicode right-to-left override tricks to masquerade as legitimate files, also point to historical payloads linked to AsyncRAT, demonstrating the threat actor’s persistent and evolving tactics.
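The four backdoor styles above each leave a distinctive footprint in a checkout. The following triage script is an added example written for this page, not Sophos's code or anything taken from the repositories: it flags PreBuildEvent hooks that invoke LOLBins, encoded commands or URLs; Python lines where a long whitespace run pushes code off-screen; file names containing the U+202E right-to-left override (and shows what the name looks like rendered); and scripts that reference paste sites in clear or base64. All regexes, thresholds and sample strings are this example's own assumptions; the paste hosts are the two the article names.

```python
"""Heuristic triage of a cloned repo for the four backdoor styles described above.
Patterns and thresholds are this example's own assumptions, not Sophos indicators;
the inputs under __main__ are constructed samples, not real artefacts."""
import base64
import html
import re
from pathlib import Path

RTLO = "\u202e"                                   # U+202E RIGHT-TO-LEFT OVERRIDE
EXECUTABLE_EXTS = {".scr", ".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}
PASTE_HOSTS = ("pastebin.com", "glitch.me")       # the two hosts named in the report

PREBUILD_RE = re.compile(r"<PreBuildEvent>(.*?)</PreBuildEvent>", re.S | re.I)
LOLBIN_RE = re.compile(                           # LOLBins and encoded-command switches
    r"\b(?:powershell|pwsh|mshta|wscript|cscript|certutil|bitsadmin|rundll32|regsvr32|curl)\b"
    r"|-e(?:nc\w*)?\s+[A-Za-z0-9+/=]{16,}|FromBase64String|DownloadString|Invoke-Expression|\biex\b",
    re.I)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HIDDEN_RUN_RE = re.compile(r"\S[ \t]{120,}\S")    # code pushed far past the visible column
PY_EXEC_RE = re.compile(r"\b(?:exec|eval|__import__|compile)\s*\(|b64decode|codecs\.decode")

def decoded_urls(text):
    """Base64-decode every plausible token and return any URLs that fall out.
    PowerShell -EncodedCommand is UTF-16LE, so both encodings are tried."""
    urls = []
    for tok in B64_TOKEN_RE.findall(text):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:                        # binascii.Error subclasses ValueError
            continue
        for enc in ("utf-8", "utf-16-le"):
            urls.extend(URL_RE.findall(raw.decode(enc, "ignore")))
    return urls

def scan_project_file(text):
    """MSBuild project (.vbproj/.csproj): PreBuild events running LOLBins, encoded
    commands or URLs. The hook fires on build, so building the project is enough."""
    findings = []
    for m in PREBUILD_RE.finditer(text):
        cmd = html.unescape(m.group(1))
        reasons = [label for label, hit in (
            ("LOLBin/encoded invocation", LOLBIN_RE.search(cmd)),
            ("plaintext URL", URL_RE.search(cmd)),
            ("base64-hidden URL", decoded_urls(cmd))) if hit]
        if reasons:
            findings.append("PreBuildEvent: " + ", ".join(reasons))
    return findings

def scan_python_source(text):
    """Python: a long whitespace run hiding code past the visible column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HIDDEN_RUN_RE.search(line)
        if m:
            note = " calling exec/decode" if PY_EXEC_RE.search(line[m.end() - 1:]) else ""
            findings.append(f"line {lineno}: off-screen code{note}")
    return findings

def rendered_name(name):
    r"""What a file browser shows: text after the RTLO is drawn right-to-left,
    so 'Solution\u202enls.scr' is displayed as 'Solutionrcs.sln'."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name

def scan_filename(name):
    """RTLO masquerade: the displayed extension differs from the real one."""
    if RTLO not in name:
        return []
    true_ext = Path(name).suffix.lower()
    note = " (executable)" if true_ext in EXECUTABLE_EXTS else ""
    return [f"RTLO name shown as {rendered_name(name)!r}, real extension {true_ext!r}{note}"]

def scan_script_text(text):
    """JavaScript/VBS/batch stagers: clear or base64-hidden URLs to paste sites."""
    urls = URL_RE.findall(text) + decoded_urls(text)
    return [f"stager URL to paste site: {u}" for u in urls if any(h in u.lower() for h in PASTE_HOSTS)]

if __name__ == "__main__":
    b64 = base64.b64encode(b"https://pastebin.com/raw/EXAMPLE0").decode()   # placeholder URL
    samples = {
        "Cheat.vbproj": scan_project_file(f"<Project><PropertyGroup><PreBuildEvent>cmd /c powershell -w hidden -enc {b64}</PreBuildEvent></PropertyGroup></Project>"),
        "loader.py": scan_python_source("print('ok')" + " " * 300 + ";exec(__import__('os').getcwd())\n"),
        f"Solution{RTLO}nls.scr": scan_filename(f"Solution{RTLO}nls.scr"),
        "index.js": scan_script_text(f"const u = atob('{b64}');"),
        "README.md": scan_script_text("console.log('clean');"),
    }
    for name, hits in samples.items():
        print(name.encode("unicode_escape").decode(), "->", "; ".join(hits) or "clean")
```

To run it over a real checkout, walk the tree with `Path(root).rglob("*")`, pass each file name to `scan_filename` and its text to the scanner matching its extension; the RTLO check matters most for anything whose real extension is executable, because the rendered name is what a victim double-clicks. Treat a hit as a reason to inspect the file, not as proof of compromise: legitimate projects do use PreBuild events, and the whitespace threshold is a heuristic.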

The scale of this operation is staggering: repositories carry automated commits, some nearing 60,000, to feign active development and attract downloads.

Predominantly themed around gaming cheats (58%) and malware tools (24%), these repositories exploit the naivety of inexperienced threat actors and curious gamers.

Distribution likely occurs via underground forums, Discord servers, and YouTube channels, with inadvertent amplification through media coverage of Sakura RAT.

[Figure: a post on a cybercrime forum asking for help with Sakura RAT]

Sophos reported the active repositories to GitHub, resulting in the takedown of most, alongside notifications to paste site operators hosting intermediate malicious content.

Links to prior campaigns, such as the Stargazer Goblin Distribution-as-a-Service operation reported by Check Point in 2024, suggest this actor may be part of a larger network or a repeat offender active since at least 2022.

The identifiers “Unknown” and “Muck” recur in code comments, encryption keys, and staging URLs, hinting at a consistent persona, though their exact role remains under investigation.

This campaign’s complexity, from obfuscated infection chains to Telegram-based C2 notifications, reveals a calculated effort to maximize infections among a niche audience.

For the cybersecurity community, it serves as a reminder to scrutinize open-source code meticulously, including build configuration such as project-file PreBuild events, and to build or run unverified repositories only in isolated environments.

As threat actors refine such deceptive strategies, the risk of collateral damage to unintended victims looms large, necessitating heightened vigilance across all user groups.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
