- Sophos says it was tipped off about the existence of Sakura RAT
- An in-depth examination revealed more than a hundred backdoored GitHub projects
- They are all aimed at wannabe hackers and game cheaters
It’s a dog-eat-dog world out there, as Sophos’ security researchers have uncovered a large hacking operation that targets other hackers, along with people who cheat at computer games.
In an in-depth analysis published recently, Sophos said a customer asked whether its platform protected them from a piece of malware found on GitHub, called Sakura RAT. They were apparently interested in the open-source project because of media reports describing its “sophisticated anti-detection features.”
Sophos quickly realized that Sakura RAT is not only harmless to its intended victims – it is only a risk to those who build it and try to distribute it to other people.
Down the rabbit hole
“In other words, Sakura was steered to be backdoored,” Sophos explained.
The RAT itself was not particularly unusual either. Most of the code was copied from the popular AsyncRAT, and many of the forms inside were left empty, which means it would not even work properly on the target machine.
But the RAT led the team “down a rabbit hole of obfuscation, intricate infection chains, identifiers and several backdoor variants.”
Apparently, the person (or people) behind the RAT, using the alias Ischhfd83, actually created more than a hundred backdoored malware variants, all designed to target novice threat actors and people looking for game cheats.
In total, Sophos found 141 repositories from the same threat actor, 133 of which were backdoored in different ways; 111 contained Sakura.
The majority (58%) were advertised as game cheats, 24% as malware projects, 7% as bots, 5% as crypto tools and 6% as other miscellaneous tools.
The campaign started in 2024, the researchers added, and it appears to target beginners, because advanced threat actors would run such projects in a sandbox environment. They would also analyze the project owner and the comments, and quickly realize that most of the interaction is performed by bots with almost identical names.
The campaign was not attributed to any particular threat actor, but it was reportedly quite successful.
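The article notes that the bot accounts driving engagement on these repositories have almost identical names. As an added example, not part of the Sophos report or this article, the following Python scores a repository's commenter list by how many handles are near-duplicates of another; the repository names and usernames are constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed sample data (not from the Sophos report): commenter handles
# seen on two hypothetical repositories.
SAMPLE_COMMENTERS = {
    "hypothetical-cheat-repo": [
        "gamerdev_101", "gamerdev_102", "gamerdev_103",
        "gamerdev_104", "gamerdev_105", "real_reviewer",
    ],
    "hypothetical-ordinary-repo": ["alice", "bob", "carol", "dave"],
}


def name_similarity(a, b):
    """Ratio in [0, 1] of how alike two handles are, case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def near_duplicate_ratio(names, threshold=0.85):
    """Fraction of handles that have at least one near-identical sibling.

    A value close to 1.0 means almost every commenter looks like a variant
    of another, the pattern described for bot-driven engagement on the
    backdoored repositories.
    """
    if not names:
        return 0.0
    flagged = 0
    for i, n in enumerate(names):
        if any(i != j and name_similarity(n, m) >= threshold
               for j, m in enumerate(names)):
            flagged += 1
    return flagged / len(names)


def looks_bot_driven(names, ratio_cutoff=0.6, min_commenters=4):
    """Flag a repo whose engagement is dominated by near-identical handles.

    Very small commenter lists are skipped: a couple of similar names is
    not evidence of anything.
    """
    if len(names) < min_commenters:
        return False
    return near_duplicate_ratio(names) >= ratio_cutoff


if __name__ == "__main__":
    for repo, names in SAMPLE_COMMENTERS.items():
        print(f"{repo}: near-duplicate ratio {near_duplicate_ratio(names):.2f}, "
              f"bot-driven={looks_bot_driven(names)}")
```

A high score is one signal to weigh alongside running the project in a sandbox and reviewing the owner's history, not proof on its own.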