How to Trick a Hacker? Give Them a Malicious Exploit with Thousands of Commits
When a repository is a Trojan, and commits are just smoke and mirrors for installing a stealer.

A recently uncovered malware campaign is using GitHub as a trap for security researchers, gamers, and even other hackers—distributing malicious code disguised as utilities, cheats, and exploits. Behind seemingly harmless repositories lies a carefully orchestrated operation involving hundreds of projects loaded with backdoors that activate during compilation or execution.
The scale of this scheme came to light thanks to Sophos researchers, who were approached by a client investigating a remote access threat—Sakura RAT. While the RAT itself turned out to be non-functional, its Visual Studio project contained a PreBuildEvent command that automatically downloaded and installed malware on any machine attempting to compile the code.
The investigation led to a GitHub account named "ischhfd83", directly or indirectly linked to 141 repositories, 133 of which contained backdoors. What appeared to be normal coding activity was actually a deceptive ploy—tricking users into running malware under the guise of legitimate tools.
A Variety of Malicious Techniques
The campaign employs multiple infection methods, including:
- Obfuscated Python scripts
- Malicious .scr files (disguised as screensavers)
- Encrypted JavaScript logic
- Unicode tricks to hide malicious actions
- Visual Studio automation triggering payloads without user awareness
Evasion Tactics
- Each repository has only three contributors.
- No more than nine projects are linked to a single account.
- This spreads the activity thinly across accounts and avoids GitHub’s automated detection.
Luring the Victims
The attackers promote their traps via:
- YouTube videos
- Discord discussions
- Cybercrime forum posts
The Infection Chain
- Execution/compilation triggers VBS scripts.
- PowerShell fetches an encrypted payload from a predefined URL.
- A 7-Zip archive is downloaded from GitHub.
- An Electron app ("SearchFilter.exe") runs, containing an obfuscated main.js that:
  - Collects system data
  - Executes remote commands
  - Disables Windows Defender
  - Downloads additional malware
- Final payloads include:
  - Lumma Stealer
  - AsyncRAT
  - Remcos RAT
Who’s at Risk?
While the main targets are aspiring hackers exploring malware frameworks, the bait extends to:
- Gamers (fake game mods/cheats)
- Students (coding tools)
- Security professionals (fake pentesting utilities)
How to Stay Safe?
Given GitHub’s open nature and lack of pre-moderation:
- Always review source code before compiling.
- Check for suspicious PreBuild/PostBuild scripts.
- Be wary of repositories with excessive commits but little real activity.
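The PreBuildEvent trick described above can be checked for mechanically before a project is ever opened in Visual Studio. The script below is an added example (not Sophos's tooling or anything from the campaign): it parses an MSBuild project file (.csproj/.vcxproj), pulls out every pre-/post-build event and Exec task command, and flags those that launch a script interpreter or a downloader; the sample project and its suspicious command lines are constructed for the demonstration, and the indicator list is a heuristic, not an exhaustive one.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic indicators of a build event that launches an interpreter, a script or a
# download rather than a plain copy/build step. Constructed for this example; extend as needed.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|wscript|cscript|mshta|bitsadmin|certutil|curl|wget|"
    r"invoke-webrequest|downloadstring|downloadfile|-enc(odedcommand)?\b|"
    r"\.vbs\b|\.ps1\b|\.scr\b|frombase64string)",
    re.IGNORECASE,
)

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rpartition("}")[2]

def find_build_events(project_xml):
    """Return (event_name, command) pairs for every build event in an MSBuild project."""
    events = []
    for elem in ET.fromstring(project_xml).iter():
        name = _local(elem.tag)
        if name.endswith("Event"):   # PreBuildEvent / PostBuildEvent / PreLinkEvent (.vcxproj wraps them in <Command>)
            cmd_elem = next((c for c in elem if _local(c.tag) == "Command"), None)
            text = (cmd_elem.text if cmd_elem is not None else elem.text) or ""
        elif name == "Exec":         # SDK-style <Exec Command="..."/> inside a <Target>
            text = elem.get("Command", "")
        else:
            continue
        if text.strip():
            events.append((name, text.strip()))
    return events

def audit_project(project_xml):
    """Return only the build events whose command matches the suspicious pattern."""
    return [(n, c) for n, c in find_build_events(project_xml) if SUSPICIOUS.search(c)]

# Constructed sample .csproj (not from the campaign): a benign post-build copy, a pre-build
# event that silently launches a VBS script, and a target that runs a hidden PowerShell file.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PreBuildEvent>cmd /c start /min wscript.exe "$(ProjectDir)Resources\\update.vbs"</PreBuildEvent>
    <PostBuildEvent>xcopy /y "$(ProjectDir)assets\\*" "$(TargetDir)"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -w hidden -ep bypass -File $(ProjectDir)tools\\stage.ps1" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for name, cmd in audit_project(SAMPLE_CSPROJ):
        print(f"[!] {name}: {cmd}")
```

Run it over every *.csproj and *.vcxproj in a cloned repository before building; a clean project should produce no output.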
