Friendly fire: Hackers target their own with fake malware and gaming cheats


  • Sophos says it was tipped off to the existence of Sakura RAT
  • An in-depth investigation uncovered more than a hundred backdoored GitHub projects
  • They are all targeting wannabe hackers and game cheaters

It’s a ‘dog eat dog’ world out there: Sophos’ security researchers have uncovered a major hacking operation targeting other hackers, along with people who cheat in computer games.

In an in-depth analysis posted recently, Sophos said a customer asked if its platform protected against a piece of malware found on GitHub, called Sakura RAT. They were apparently interested in the open source project after media claims of “sophisticated anti-detection capabilities.”

Sophos quickly realized that Sakura RAT is harmless to its intended victims; the only people it puts at risk are those compiling it and looking to distribute it to other people.

Down the rabbit hole

“In other words, Sakura RAT was backdoored,” Sophos explained.

The RAT itself wasn’t that peculiar, either. Most of the code was copied from the popular AsyncRAT, and many of the forms inside were left empty, which means it wouldn’t even operate properly on the target device.

But the RAT led the team “down a rabbit hole of obfuscation, convoluted infection chains, identifiers, and multiple backdoor variants.”

Apparently, the person(s) behind the RAT - alias ischhfd83 - actually created more than a hundred backdoored malware variants, all designed to target newbie threat actors and people looking for game cheats.

In total, Sophos found 141 repositories from the same threat actors, 133 of which carried malware in different ways. 111 contained Sakura.

The majority (58%) were advertised as game cheats, 24% as malware projects, 7% as bots, 5% as crypto tools, and 6% as other miscellaneous tools.

The campaign started in 2024, the researchers added. They suggested it was targeting newbies because advanced threat actors would run such projects in a sandbox environment, analyze the project’s owner and the comments, and quickly realize that most of the interaction came from bots with almost identical names.

The campaign wasn’t attributed to any particular threat actor, but it was stated that it was rather successful.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
