A sophisticated malware distribution campaign has weaponized over 140 GitHub repositories to target inexperienced cybercriminals and gaming cheat users, representing one of the largest documented cases of supply chain attacks on the platform.
The repositories, masquerading as legitimate malware tools and game cheats, contain elaborate backdoors designed to infect users who compile the seemingly authentic code.
The campaign centers around repositories linked to the email address [email protected], with the oldest malicious commits dating back to November 2023.
One of the malicious repositories (Source – Sophos)
Of the 141 discovered repositories, 133 contained backdoors utilizing four distinct infection methods, with the majority claiming to offer gaming cheats (58%) while others purport to be malware projects, exploits, or attack tools (24%).
The remaining repositories focus on cryptocurrency tools, bot-related projects, and miscellaneous utilities.
Sophos analysts identified the campaign after receiving a customer inquiry about “Sakura RAT,” an open-source malware project that initially appeared to possess sophisticated anti-detection capabilities.
A post on a cybercrime forum asking for help with Sakura RAT (Source – Sophos)
Upon investigation, researchers discovered that while the RAT itself was non-functional due to empty forms and copied code from AsyncRAT, it contained malicious PreBuild events designed to silently download malware onto users’ devices during compilation.
The scope and sophistication of this operation suggests a coordinated effort potentially linked to Distribution-as-a-Service operations previously reported in 2024-2025, though evidence indicates the campaign may have existed in various forms since 2022.
The threat actor employs multiple deception techniques, including automated GitHub Actions workflows that create the illusion of active development through frequent commits, with some repositories accumulating nearly 60,000 commits despite being created only months earlier.
The PreBuild Backdoor: A Multi-Stage Infection Chain
The most prevalent backdoor variant, found in 111 repositories, exploits Visual Studio’s PreBuild event functionality to execute malicious commands before project compilation.
The attack begins when developers attempt to build seemingly legitimate Visual Basic projects, triggering a complex four-stage infection process hidden within the project’s .vbproj file.
The initial stage involves a heavily obfuscated batch command embedded in the PreBuild event field. This command creates a VBS script in the user’s temporary directory containing three Base64-encoded strings.
The script then concatenates these strings, decodes them, and writes the result to a PowerShell script before executing it with bypassed execution policies.
The PowerShell payload implements a sophisticated decoding mechanism using a hardcoded key stored in the $prooc variable: “UtCkt-h6=my1_zt”.
This script continuously loops through four functions that decode hardcoded URLs, fetch additional encoded content, and ultimately download a 7zip archive from GitHub.
The malware checks for existing 7zip installations and downloads the tool if necessary before extracting and executing a file called SearchFilter.exe.
The initial backdoor (Source – Sophos)
The initial backdoor structure, showing how the threat actor uses HTML encoding and string obfuscation to disguise malicious batch commands.
The final payload, delivered as a massive Electron application, contains over 17,000 lines of heavily obfuscated JavaScript code designed to disable Windows Defender, delete shadow copies, and deploy multiple information stealers including AsyncRAT, Remcos, and Lumma Stealer.
The campaign’s persistence mechanisms include creating scheduled tasks with names mimicking legitimate Microsoft services and manipulating registry entries to exclude common analysis tools from antivirus scanning.
The malware also establishes communication with threat actors through hardcoded Telegram bot tokens, automatically notifying operators of successful infections with basic system information including usernames, hostnames, and network configurations.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
Source: cybersecuritynews.com
