Do Son 
A recently uncovered malicious campaign is leveraging GitHub as a trap for security professionals, gamers, and even fellow hackers—disseminating malware disguised as utilities, cheats, and exploit frameworks. Beneath the surface of seemingly mundane repositories lies a meticulously orchestrated operation comprising hundreds of projects laced with backdoors, triggered during code compilation or execution.
The scale of the operation came to light through research by Sophos, after a client sought assistance in analyzing a threat related to remote access malware known as Sakura RAT. While the Sakura RAT code itself proved non-functional, investigators discovered a PreBuildEvent command embedded in its Visual Studio project—automatically downloading and executing malicious payloads on any system attempting to compile the code.
The trail led to a GitHub account under the alias “ischhfd83,” linked directly or indirectly—via proxy identities—to at least 141 repositories, of which 133 were found to contain backdoors. What appeared to be innocuous activity was, in reality, a calculated attempt to deceive users and deploy malware under the guise of helpful tools.
The malicious techniques range from obfuscated Python scripts and .scr files disguised as screensavers to encrypted JavaScript files. Many repositories exploit Unicode manipulation and Visual Studio automation to execute payloads without the user’s awareness.
While some repositories appear abandoned since late 2023, many remain active, with commits generated mere minutes before the analysis began. These commits are entirely automated, creating a façade of continuous development and enhancing the credibility of the projects. One repository alone boasted nearly 60,000 commits since its creation in March 2025—an average of 4,446 per project.
Each repository is typically maintained by three contributors, with no more than nine projects tied to a single account. This fragmented structure dilutes scrutiny and delays detection and takedown efforts on GitHub.
Victims are drawn in through YouTube videos, Discord discussions, and posts on cybercriminal forums. The Sakura RAT itself had recently garnered media attention, sparking interest among novice cybersecurity enthusiasts eager to experiment with the code—making them prime targets.
Upon attempting to run or compile the code, a multi-stage infection process is set in motion. It begins with the execution of VBS scripts, followed by PowerShell commands that retrieve an encrypted component from a predefined URL. Subsequently, a 7zip archive is downloaded from GitHub, launching an Electron-based application under the name “SearchFilter.exe.”
Within this application lies an obfuscated main.js file, which houses logic to harvest system information, execute remote commands, disable Windows Defender, and retrieve additional malware components.
In the final stage, known tools such as Lumma Stealer, AsyncRAT, and Remcos RAT are deployed—each equipped with extensive capabilities for data theft and remote system control.
Though the campaign primarily targets aspiring hackers drawn to malicious frameworks, its reach extends far beyond—to gamers, students, and cybersecurity professionals. Fake exploit builders, game modifiers, cheats, and “penetration testing” utilities are all part of the bait.
Given GitHub’s open nature and lack of preemptive moderation, it is imperative to scrutinize source code thoroughly before building—especially pre- and post-build scripts, which may conceal automated malicious actions.
Donate