A sophisticated malware distribution campaign has weaponized over 140 GitHub repositories to target inexperienced cybercriminals and gaming cheat users, representing one of the largest documented cases of supply chain attacks on the platform.
The repositories, masquerading as legitimate malware tools and game cheats, contain elaborate backdoors designed to infect users who compile the seemingly authentic code.
The campaign centers on repositories linked to the email address [email protected], with the oldest malicious commits dating back to November 2023.
One of the malicious repositories (Source – Sophos)
Of the 141 discovered repositories, 133 contained backdoors using four distinct infection methods, with the majority claiming to offer gaming cheats (58%) while others purport to be malware projects, exploits, or attack tools (24%).
The remaining repositories focus on cryptocurrency tools, bot-related projects, and miscellaneous utilities.
Sophos analysts identified the campaign after receiving a customer inquiry about “Sakura RAT,” an open-source malware project that initially appeared to possess sophisticated anti-detection capabilities.
A post on a cybercrime forum asking for help with Sakura RAT (Source – Sophos)
Upon investigation, researchers discovered that while the RAT itself was non-functional due to empty forms and code copied from AsyncRAT, it contained malicious PreBuild events designed to silently download malware onto users’ devices during compilation.
The scope and sophistication of this operation suggest a coordinated effort likely linked to Distribution-as-a-Service operations previously reported in 2024-2025, though evidence indicates the campaign may have existed in various forms since 2022.
The threat actor employs several deception techniques, including automated GitHub Actions workflows that create the illusion of active development through frequent commits, with some repositories accumulating nearly 60,000 commits despite being created only months earlier.
The PreBuild Backdoor: A Multi-Stage Infection Chain
The most prevalent backdoor variant, found in 111 repositories, exploits Visual Studio’s PreBuild event functionality to execute malicious commands before project compilation.
The attack begins when developers attempt to build seemingly legitimate Visual Basic projects, triggering a complex four-stage infection process hidden within the project’s .vbproj file.
The initial stage involves a heavily obfuscated batch command embedded in the PreBuild event field. This command creates a VBS script in the user’s temporary directory containing three Base64-encoded strings.
The script then concatenates these strings, decodes them, and writes the result to a PowerShell script before executing it with bypassed execution policies.
The PowerShell payload implements a sophisticated decoding mechanism using a hardcoded key stored in the $prooc variable: “UtCkt-h6=my1_zt”.
This script continuously loops through four functions that decode hardcoded URLs, fetch additional encoded content, and ultimately download a 7zip archive from GitHub.
The malware checks for existing 7zip installations and downloads the tool if necessary before extracting and executing a file called SearchFilter.exe.
The initial backdoor (Source – Sophos)
The initial backdoor structure, showing how the threat actor uses HTML encoding and string obfuscation to disguise malicious batch commands.
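Because this chain lives entirely in the project file, a defender can review PreBuild and PostBuild events before building anything cloned from an untrusted repository. The scanner below is an added example, not Sophos's tooling or code from the repositories described; its indicator list, the %TEMP%/wscript/PowerShell-bypass heuristics, the numeric-character-reference check and the sample project file are all my own constructions, chosen to mirror the traits described in this section.

```python
"""Scan MSBuild project files (.vbproj/.csproj) for build-event commands
that show the traits of the PreBuild backdoor described above.
Indicators and the sample file are assumptions for illustration."""
import html
import re

# Raw bodies of <PreBuildEvent>/<PostBuildEvent>. MSBuild decodes XML/HTML
# character references before running the command, so we decode the same way.
BUILD_EVENT_RX = re.compile(r"<(PreBuildEvent|PostBuildEvent)>(.*?)</\1>", re.S)
NUMERIC_REF_RX = re.compile(r"&#x?[0-9A-Fa-f]+;")

# Traits of the chain on this page: a script dropped to %TEMP%, launched via
# wscript/cscript, PowerShell run with a bypassed execution policy, and long
# Base64 blobs carrying the next stage.
SUSPICIOUS_PATTERNS = [
    ("powershell_bypass", re.compile(r"powershell[^\n]*-(?:ep|ex|executionpolicy)\s+bypass", re.I)),
    ("temp_script", re.compile(r'%temp%\\[^\s"]+\.(?:vbs|ps1|bat|cmd)', re.I)),
    ("wscript", re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\b", re.I)),
    ("long_base64", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
]


def scan_project(xml_text):
    """Return one finding per suspicious build event: element, indicators, preview."""
    findings = []
    for match in BUILD_EVENT_RX.finditer(xml_text):
        element, raw = match.group(1), match.group(2)
        command = html.unescape(raw)
        hits = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(command)]
        # Numeric character references in a build command are a tell on their own:
        # a hand-written build step does not spell "cmd" as &#99;&#109;&#100;.
        if NUMERIC_REF_RX.search(raw):
            hits.append("html_encoded_chars")
        if hits:
            findings.append({"element": element, "indicators": hits, "preview": command[:80]})
    return findings


# Constructed fixture (not a real sample): a benign post-build copy beside a
# pre-build event shaped like the backdoor, with "cmd" written as numeric refs.
SAMPLE_VBPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>&#99;&#109;&#100; /c echo placeholder &gt; %TEMP%\\stage.vbs &amp; wscript %TEMP%\\stage.vbs &amp; powershell -ExecutionPolicy Bypass -File %TEMP%\\stage.ps1</PreBuildEvent>
    <PostBuildEvent>copy "$(ProjectDir)README.md" "$(TargetDir)"</PostBuildEvent>
  </PropertyGroup>
</Project>
"""

if __name__ == "__main__":
    for finding in scan_project(SAMPLE_VBPROJ):
        print(finding["element"], finding["indicators"], finding["preview"])
```

Run it against every .vbproj/.csproj in a checkout before opening the solution; a clean project yields no findings, and any hit is a reason to read the build event in full rather than build.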
The final payload, delivered as a massive Electron application, contains over 17,000 lines of heavily obfuscated JavaScript code designed to disable Windows Defender, delete shadow copies, and deploy multiple information stealers including AsyncRAT, Remcos, and Lumma Stealer.
The campaign’s persistence mechanisms include creating scheduled tasks with names mimicking legitimate Microsoft services and manipulating registry entries to exclude common analysis tools from antivirus scanning.
The malware also establishes communication with the threat actors through hardcoded Telegram bot tokens, automatically notifying operators of successful infections with basic system information including usernames, hostnames, and network configurations.