A sprawling malware distribution campaign has abused more than 140 GitHub repositories to target novice cybercriminals and users of gaming cheats, in one of the most extensive documented supply chain attacks on the platform.
The repositories, disguised as working malware tools and gaming cheats, carry backdoors designed to infect anyone who compiles the seemingly legitimate code.
This initiative revolves around repositories associated with the email address ischhfd83@rambler.ru, with the earliest harmful commits tracing back to November 2023.
Of the 141 repositories identified, 133 contained backdoors using four distinct infection techniques. Most claimed to offer gaming cheats (58%), while others posed as malware projects, exploits, or attack utilities (24%).
The remaining repositories were cryptocurrency tools, bot-centric projects, and miscellaneous utilities.
Sophos analysts detected the campaign following a customer query regarding “Sakura RAT,” an open-source malware initiative that initially seemed to have advanced anti-detection capabilities.
On closer examination, researchers found that while the RAT itself was non-functional, with empty forms and code copied from AsyncRAT, its project file embedded malicious PreBuild events designed to silently download malware onto the user's machine during compilation.
The scale and sophistication of this endeavor imply a coordinated effort likely connected to Distribution-as-a-Service operations previously noted in 2024-2025, though findings suggest the campaign might have existed in various manifestations since 2022.
The threat actor utilizes multiple deception strategies, including automated GitHub Actions workflows that fabricate the appearance of active development through frequent commits, with some repositories amassing nearly 60,000 commits despite being established merely months earlier.
The PreBuild Backdoor: A Multi-Stage Infection Sequence
The most widespread backdoor variant, located in 111 repositories, leverages Visual Studio’s PreBuild event functionality to carry out malicious commands prior to project compilation.
The attack begins when a developer builds one of these seemingly legitimate Visual Basic projects, triggering a four-stage infection chain hidden in the project's .vbproj file.
The first stage is a heavily obfuscated batch command embedded in the PreBuild event field. It writes a VBS script containing three Base64-encoded strings to the user's temporary directory.
That script concatenates the strings, decodes them, writes the result to a PowerShell script, and runs it with the PowerShell execution policy bypassed.
The PowerShell payload integrates a sophisticated decoding mechanism utilizing a hardcoded key stored in the $prooc variable: “UtCkt-h6=my1_zt”.
The script loops through four functions that decode hardcoded URLs, fetch further encoded content, and finally download a 7-Zip archive from GitHub.
The malware checks for an existing 7-Zip installation, downloads the tool if needed, then extracts the archive and executes a file named SearchFilter.exe.
The initial backdoor architecture reveals how the threat actor employs HTML encoding and string obfuscation to conceal malicious batch commands.
The final payload, delivered as a substantial Electron application, encompasses over 17,000 lines of heavily obfuscated JavaScript code intended to disable Windows Defender, eliminate shadow copies, and deploy multiple information stealers including AsyncRAT, Remcos, and Lumma Stealer.
The campaign's persistence mechanisms include creating scheduled tasks with names that mimic legitimate Microsoft services and tampering with registry entries to hinder antivirus scanning and common analysis tools.
The malware also establishes communication with threat actors via hardcoded Telegram bot tokens, automatically alerting operators of successful infections with basic system details including usernames, hostnames, and network configurations.
The post Hundreds of GitHub Malware Repos Targeting Novice Cybercriminals Linked to Single User appeared first on Cyber Security News.