The strange tale of ischhfd83: When cybercriminals eat their own
Essential information
- Published
- 04/06/2025 19:24
- Modified
- 04/06/2025 20:59
- Tags
- 2025-06-04 asyncrat backdoor github infostealer lumma stealer obfuscation rat remcos telegram
- Related entities
- 52 observables, 1 intrusion sets (apt), 13 techniques (mitre)
Description
This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leading to RATs and infostealers. The campaign involves automated commits, obfuscation techniques, and complex payloads. Researchers found over 100 malicious repositories with distinct contributor roles, suggesting an automated framework. The eventual payload includes AsyncRAT, Remcos, and Lumma Stealer. The threat actor uses Telegram for notifications and various paste sites for hosting malicious code. This case highlights the complexity of modern cyber threats and the importance of cautious approaches to open-source repositories.