- Sophos says it was tipped off to the existence of Sakura RAT
- An in-depth investigation uncovered more than a hundred backdoored GitHub projects
- They are all targeting wannabe hackers and game cheaters
It’s a ‘dog eat dog’ world out there, as Sophos’ security researchers uncovered a major hacking operation targeting – other hackers, with people cheating in computer games also targeted.
In an in-depth analysis posted recently, Sophos said a customer asked if its platform protected against a piece of malware found on GitHub, called Sakura RAT. They were apparently interested in the open source project after media claims of “sophisticated anti-detection capabilities.”
Sophos quickly realized that not only is Sakura RAT harmless to other people – it is only a risk to those compiling it and looking to distribute it to other people.
Down the rabbit hole
“In other words, Sakura RAT was backdoored,” Sophos explained.
The RAT itself wasn’t that peculiar, either. Most of the code was copied from the popular AsyncRAT, and many of the forms inside were left empty, which means it wouldn’t even operate properly on the target device.
But the RAT led the team “down a rabbit hole of obfuscation, convoluted infection chains, identifiers, and multiple backdoor variants.”
Apparently, the person(s) behind the RAT – alias ischhfd83 – actually created more than a hundred backdoored malware variants, all designed to target newbie threat actors and people looking for game cheats.
In total, Sophos found 141 repositories from the same threat actors, 133 being malwared in different ways. 111 contained Sakura.
The majority (58%) were advertised as game cheats, 24% as malware projects, 7% as bots, 5% as crypto tools, and 6% as other miscellaneous tools.
The campaign started in 2024, the researchers added, suggesting that it was targeting newbies because advanced threat actors would run such projects in a sandbox environment. Furthermore, they would analyze the project’s owner and the comments, and quickly realize most of the interaction is done by bots with almost identical names.
The campaign wasn’t attributed to any particular threat actor, but it was stated that it was rather successful.
