
Sakura RAT: Cybercriminals Sabotaged by Their Own Malware Campaign, Sophos Finds

How a Simple Query Led to a Wave of Curious Findings

Ever heard of the “Sakura RAT”? Well, you will now.

Cybercriminals have been lacing their own malware and gaming cheats with backdoors. This was the overarching finding of a Sophos study in response to what initially seemed like a routine support request. What was a simple query instead shed light on a cunning and large-scale campaign tied to the alias “ischhfd83.”

Sophos X‑Ops researchers started investigating after a customer inquiry about “Sakura RAT,” which was advertised on GitHub as sophisticated malware. Sophos’s initial finding was that the Sakura RAT itself was ineffective. However, a deeper analysis ultimately revealed hidden infostealers and backdoors aimed at the users who compiled the code—suggesting a deliberate trap.

Sakura RAT and the Web of Backdoored Repositories

Pursuing the trail, Sophos found 141 backdoored GitHub projects linked by the email ischhfd83@rambler.ru. Of these, 133 contained backdoor code, and in 111 the backdoor was injected through the PreBuild step of Visual Basic projects. Python, JavaScript, and screensaver files were also used, according to Sophos. Most repositories were gaming cheats (58%), followed by malware tools (24%), bots (7%), crypto utilities (5%), and miscellaneous tools (6%). The earliest backdoor appeared in November 2023.

One backdoor variant, in particular, slipped malicious batch commands into the Visual Basic PreBuild script. That script wrote out a VBS file, which in turn decoded PowerShell code. The PowerShell then fetched a password-protected 7z archive from hardcoded URLs, installed 7-Zip if it was not already present, extracted the payload, and executed a file named SearchFilter.exe. This multi-stage layering suggests a deliberate design to evade detection.

Possible Criminal Infrastructure of the Sakura RAT

So far, the evidence links the campaign to a malware Distribution‑as‑a‑Service (DaaS) operation, possibly Stargazer Goblin or a rival group. During the investigation Sophos alerted GitHub, and the malicious 7z-hosting repository, most of the backdoored projects, and the harmful paste‑site entries have since been taken down. However, some repositories vanished before analysis finished, and new backdoors continue to surface. This, according to Sophos, is indicative of an active, evolving operation.

Although these backdoors primarily target gamers and amateur cybercriminals, the potential collateral impact is wide-reaching. Security researchers and curious users who download and test code from public repos could inadvertently trigger malware execution. In response, Sophos is recommending the following:

  • Be extremely cautious with unverified code—inspect for obfuscation or hidden build steps.
  • Always use isolated environments (sandbox, VM) for testing.
  • Scan unknown files with reputable tools (e.g., VirusTotal).

These measures are crucial whether you’re a hacker, a gamer, or a developer.
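To make the “inspect for hidden build steps” advice concrete, here is a small Python scanner, added as an illustration for this article and not code from Sophos or from the article itself. It parses an MSBuild project file (.vbproj or .csproj), pulls out every PreBuildEvent, PostBuildEvent and Exec task, and flags the kind of commands the chain above relies on: a script host, PowerShell with an encoded command, archive tools, downloaders, and writes to the temp directory. The indicator list and the two sample project files are constructed assumptions for the example, not Sophos’s detection logic or artefacts from the real repositories.

```python
"""Scan MSBuild project files for suspicious pre/post-build steps.

Added defender example; not code from Sophos or from the article.
The indicator patterns and the sample projects below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Indicators that hidden build steps commonly contain (an assumption
# for illustration, not an exhaustive or authoritative list).
SUSPICIOUS_PATTERNS = {
    "script_host": re.compile(r"\b(?:cscript|wscript|mshta)\b", re.I),
    "powershell": re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh\b", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I),
    "downloader": re.compile(
        r"\b(?:curl|wget|bitsadmin|certutil|Invoke-WebRequest|DownloadString|DownloadFile)\b",
        re.I,
    ),
    "archive_tool": re.compile(r"\b7z(?:a|\.exe)?\b", re.I),
    "writes_script_file": re.compile(r">\s*\S*\.(?:vbs|ps1|bat|cmd)\b", re.I),
    "temp_dir": re.compile(r"%temp%|\$env:temp", re.I),
}


def _local(tag):
    """Strip the XML namespace so old and new MSBuild schemas are handled alike."""
    return tag.rsplit("}", 1)[-1]


def extract_build_commands(project_xml):
    """Return (location, command) pairs for every build step found in the project."""
    root = ET.fromstring(project_xml)
    commands = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and (elem.text or "").strip():
            commands.append((name, elem.text.strip()))
        elif name == "Exec" and elem.get("Command"):
            commands.append(("Exec", elem.get("Command")))
    return commands


def scan_project(project_xml):
    """Return findings as (location, indicator, matched_text) triples."""
    findings = []
    for location, command in extract_build_commands(project_xml):
        for indicator, pattern in SUSPICIOUS_PATTERNS.items():
            match = pattern.search(command)
            if match:
                findings.append((location, indicator, match.group(0)))
    return findings


# Constructed benign project: a pre-build step that only copies an asset.
BENIGN_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>copy "$(ProjectDir)assets\logo.png" "$(TargetDir)"</PreBuildEvent>
  </PropertyGroup>
</Project>"""

# Constructed suspicious project mirroring the stages described in the
# article: write a VBS file, run it via a script host, launch PowerShell
# with an encoded command, and unpack a password-protected 7z archive.
# PLACEHOLDER values are deliberately non-functional.
SUSPICIOUS_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>echo WScript.Echo "stage" &gt; "%temp%\build.vbs"
cscript //nologo "%temp%\build.vbs"
powershell -w hidden -enc PLACEHOLDER_BASE64
"%temp%\7z.exe" x -pPLACEHOLDER "%temp%\payload.7z" -o"%temp%"</PreBuildEvent>
  </PropertyGroup>
</Project>"""


if __name__ == "__main__":
    for label, project in (("benign", BENIGN_PROJECT), ("suspicious", SUSPICIOUS_PROJECT)):
        print(f"{label}: {scan_project(project) or 'no findings'}")
```

Run it against any project file you are about to build: a clean project produces no findings, while the constructed suspicious one fires on the script host, PowerShell, the encoded command, the 7z tool, the script file write and the temp directory. Any hit is a reason to read the build event by hand before compiling, ideally inside the isolated environment the advice above calls for.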

Indeed, a seemingly simple customer support question exposed a sprawling, deliberate campaign of self-sabotaging cybercrime. This latest incident underscores one critical lesson in this modern security landscape: When it comes to cybersecurity, trust nothing and always verify everything.

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.
