A customer wanted to know if we had protections for ‘Sakura RAT,’ an open-source malware project hosted on GitHub, because of media claims that it had “sophisticated anti-detection capabilities.”
When we looked into Sakura RAT, we quickly realized two things. First, the RAT itself was likely of little threat to our customer. Second, while the repository did indeed contain malicious code, that code was intended to target the people who compiled the RAT, infecting them with infostealers and other RATs. In other words, Sakura RAT was backdoored.
Given our previous explorations of the niche world of threat actors targeting each other, we thought we’d investigate further, and that’s where things got odd. We found a link between the Sakura RAT ‘developer’ and over a hundred other backdoored repositories – some purporting to be malware and attack tools, others gaming cheats.
When we analyzed the backdoors, we ended up down a rabbit hole of obfuscation, convoluted infection chains, identifiers, and multiple backdoor variants. The upshot is that a threat actor is creating backdoored repositories at scale, predominantly targeting game cheaters and inexperienced threat actors – and has likely been doing so for some time.
Our research suggests a link to a Distribution-as-a-Service operation previously reported on in 2024-2025 (see Prior work), but which may have existed in some form as early as 2022.
We have reported all the backdoored repositories still active at the time of our research to GitHub, as well as a repository hosting a malicious 7z archive. We also contacted the owners/operators of relevant paste sites hosting obfuscated malicious code. As of this writing, the repository hosting the malicious 7z archive, the vast majority of the backdoored repositories, and many of the malicious pastes, have been taken down.