Backdoored Open Source Malware Repositories Target Novice Cybercriminals


Cybercriminals, too, can end up infected with malware when they use open source repositories without properly vetting them, new research from Sophos shows.

This year alone, dozens of reports have revealed supply chain attacks targeting developers, enterprises, or end users to deploy information stealer malware and backdoors, many through malicious NPM packages.

On Wednesday, however, Sophos shed light on a similar attack, this time targeting game cheaters and inexperienced threat actors, via backdoored GitHub repositories.

The cybersecurity firm’s investigation began with the open source malware project Sakura RAT, which was found to contain injected code designed to infect anyone who compiled the RAT with information stealers and other backdoors.

The cybersecurity firm discovered four types of backdoors used in the campaign: a PreBuild backdoor, a Python backdoor, a screensaver backdoor, and a JavaScript backdoor.

Going down the rabbit hole, Sophos discovered that the individual who published Sakura RAT’s repository created over a hundred other backdoored projects that claimed to offer malware, attack tools, and gaming cheats.

“The upshot is that a threat actor is creating backdoored repositories at scale, predominantly targeting game cheaters and inexperienced threat actors – and has likely been doing so for some time,” Sophos notes.

A common occurrence in the repositories, the cybersecurity firm notes, was the presence of the ‘ischhfd83’ email address, even in those that did not contain backdoors. Another was the large number of commits the repositories had – an average of 4,446 – despite their short life span.
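As an added, defensive example (not code from Sophos or from this article), the following Python script performs the kind of pre-build triage a reviewer could run on a freshly cloned repository before compiling anything from it. It assumes that the “PreBuild backdoor” is implemented as an MSBuild `<PreBuildEvent>` or `<Exec>` build step (the article does not say how it works), flags `.scr` files sitting in the source tree because of the screensaver backdoor, and summarises commit rate and author addresses from `git log` output so that an unusually high commit count for a young repository, or a known indicator such as the ‘ischhfd83’ address, stands out. The thresholds, project file contents, e-mail addresses and timestamps are all constructed for the demo.

```python
"""Pre-build triage for a cloned repository (added example, not Sophos's code)."""
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# --- 1. Build-file inspection --------------------------------------------
# MSBuild project files can run arbitrary commands before compilation.
# Assumption (not stated in the article): the PreBuild backdoor lives in a
# <PreBuildEvent> element or an <Exec Command="..."> task.
PROJECT_EXTS = {".csproj", ".vcxproj", ".props", ".targets"}
EVENT_RE = re.compile(r"<(PreBuildEvent|PostBuildEvent)>(.*?)</\1>", re.S | re.I)
EXEC_RE = re.compile(r'<Exec\b[^>]*\bCommand\s*=\s*"([^"]*)"', re.I)
# A build step that downloads, decodes or launches a script interpreter
# deserves a human look before the build is allowed to run.
RISKY_RE = re.compile(
    r"(powershell|pwsh|cmd(\.exe)?\s*/c|curl|wget|bitsadmin|certutil|mshta|"
    r"wscript|cscript|python|node|-enc\b|frombase64|https?://)", re.I)


def scan_build_files(root):
    """Return (relative path, element, snippet) for every risky build artefact."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.suffix.lower() in PROJECT_EXTS:
            text = path.read_text(errors="replace")
            for tag, body in EVENT_RE.findall(text):
                if RISKY_RE.search(body):
                    hits.append((rel, tag, " ".join(body.split())[:100]))
            for cmd in EXEC_RE.findall(text):
                if RISKY_RE.search(cmd):
                    hits.append((rel, "Exec", cmd[:100]))
        elif path.suffix.lower() == ".scr":
            # A screensaver is a PE executable; it has no place in a source tree.
            hits.append((rel, "file", "screensaver executable in source tree"))
    return hits


# --- 2. Repository metadata ----------------------------------------------
# Feed this the output of:  git log --format='%ae%x09%ct'
def commit_metrics(git_log_text, now=None):
    """Summarise commit count, repository age and author e-mail addresses."""
    rows = [line.split("\t", 1) for line in git_log_text.splitlines() if line.strip()]
    emails = Counter(email for email, _ in rows)
    stamps = [int(ts) for _, ts in rows]
    now = now if now is not None else int(datetime.now(timezone.utc).timestamp())
    age_days = max(1, (now - min(stamps)) // 86400)  # never divide by zero
    return {
        "commits": len(rows),
        "age_days": age_days,
        "commits_per_day": len(rows) / age_days,
        "authors": dict(emails),
    }


# The address fragment comes from the article; the threshold is my own choice.
KNOWN_BAD_EMAIL_FRAGMENTS = ("ischhfd83",)


def triage(build_hits, metrics, max_commits_per_day=50.0):
    """Turn scan results and metrics into human-readable reasons to stop."""
    reasons = [f"{tag} in {rel}: {snippet}" for rel, tag, snippet in build_hits]
    if metrics["commits_per_day"] > max_commits_per_day:
        reasons.append(f"{metrics['commits']} commits in {metrics['age_days']} day(s)")
    for email in metrics["authors"]:
        if any(frag in email for frag in KNOWN_BAD_EMAIL_FRAGMENTS):
            reasons.append(f"commit author {email} matches a published indicator")
    return reasons


def demo():
    """Run the triage over a constructed sample repository and log excerpt."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "Client" / "Client.csproj"
        proj.parent.mkdir()
        # Constructed project file: one benign post-build copy, one risky pre-build step.
        proj.write_text(
            "<Project>\n"
            "  <PropertyGroup>\n"
            "    <PostBuildEvent>copy $(TargetPath) $(SolutionDir)bin\\</PostBuildEvent>\n"
            "    <PreBuildEvent>powershell -NoProfile -enc BASE64_PLACEHOLDER</PreBuildEvent>\n"
            "  </PropertyGroup>\n"
            "</Project>\n")
        (Path(tmp) / "Loader.scr").write_bytes(b"MZ")  # constructed stand-in, not a binary
        hits = scan_build_files(tmp)
    # Constructed git log excerpt: three commits within one day, two from a flagged address.
    log = ("dev@example.invalid\t1700000000\n"
           "ischhfd83@example.invalid\t1700003600\n"
           "ischhfd83@example.invalid\t1700007200\n")
    metrics = commit_metrics(log, now=1700090000)
    return hits, metrics, triage(hits, metrics)


if __name__ == "__main__":
    for reason in demo()[2]:
        print("STOP:", reason)
```

In practice the script would be pointed at the clone directory and at real `git log --format='%ae%x09%ct'` output; anything it reports should be read by a person before the project is opened in an IDE, since Visual Studio runs pre-build events as part of a normal build.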


The campaign is likely part of a distribution-as-a-service (DaaS) operation that started years ago, with activity apparently linked to it initially exposed in August 2022, when a threat actor was forking legitimate repositories to inject backdoors en masse.

Since then, over a dozen other reports uncovered malicious packages and repositories distributing various malware families and backdoors, including last year’s research on Stargazer Goblin, a threat actor that used over 3,000 GitHub accounts for malware distribution.

The operations flagged over the years – many relying on repositories related to malware and game cheats – can be tied to one another through overlaps and changes in tactics, as some appear to be variations of the current campaign, Sophos says.

The DaaS offering is being advertised by a threat actor on a Russian-language cybercrime forum, but Sophos could not link that threat actor to the fresh backdoor campaign.

“The threat actor behind the backdoor campaign may have simply taken code from other sources (potentially including other threat actors), added a backdoor, and then uploaded the result to a repository they controlled,” the company says.

However, Sophos uncovered aliases such as ‘Unknown’ and ‘Muck’ that could be used by the individual behind the campaign, as well as potential links to the arturshi[.]ru and octofin[.]co domains, a social media influencer, a Pastebin user called ‘Ali888Z’, and a Glitch user called ‘searchBRO @artproductgames’.

“We uncovered a significant amount of backdoored GitHub repositories, containing multiple kinds of backdoors. And the backdoors are not simple; as it turned out, they were only the first step in a long and convoluted infection chain, eventually leading to multiple RATs and infostealers. Ironically, the threat actor seems to predominantly target cheating gamers and inexperienced cybercriminals,” Sophos notes.
