Sophos X-Ops

A task force composed of our SophosLabs, SecOps, MDR, and SophosAI teams working together towards one goal: protecting our customers.

2025-06-04

While we are not the first to report on this type of campaign (we have consolidated and cited previous research in a blog post out today, link below), we did find some potentially new information, including some interesting patterns and identifiers.

We reported the repositories we found to GitHub, and contacted the owners/operators of relevant paste sites hosting intermediate payloads. As of this writing, the vast majority of malicious content has now been taken down.

The threat actor seems to be targeting cheating gamers and inexperienced cybercriminals, with the end goal being infostealer/RAT infections. While there may be some schadenfreude here, it doesn’t mean that nobody else is at risk; threat actors don't always care who they infect.

To avoid falling victim to these kinds of attacks, be wary of downloading/running code from unverified/untrusted repos, and where possible inspect code for anything unusual. Red flags include obfuscated strings, calls to unusual domains, and suspicious behavior/extensions.

Consider submitting files/URLs to online scanners and analysis tools, and where possible, run untested code in an isolated environment first, such as a sandbox or VM, and monitor for anything suspicious.

We don’t know if this campaign is linked to some or all of the previous campaigns we cite in our post, but the approach does seem to be popular and effective, and may continue in the future.

Read the full blog post here: news.sophos.com/en-us/2025/06/

2025-06-04

When we analyzed the backdoors, we ended up down a rabbithole of multiple variants, obfuscation, convoluted infection chains, and identifiers. The upshot is that a threat actor seems to be creating backdoored repos at scale, and may have been doing so for some time.

A screenshot of JavaScript code, showing four obfuscated string variables
2025-06-04

We’ve previously looked into the niche world of threat actors targeting each other, so we investigated further, and found 133 backdoored repos, most linked to the same threat actor via an email address. Some repos claimed to be malware, others gaming cheats.

The threat actor appears to have gone to some lengths to make their backdoored repos seem legitimate – including multiple accounts and contributors, and automated commits.

A screenshot of a YAML file, showing autocommit logic
2025-06-04

We often get queries from customers asking if they’re protected against certain malware variants. A recent question seemed no different – a customer wanted to know if we had protections against ‘Sakura RAT,’ an open-source malware project hosted on GitHub.

We looked into Sakura RAT, and quickly realized two things. First, the RAT itself was likely of little threat to our customer. Second, the repository was backdoored, and intended to target people who compiled the RAT – with RATs and infostealers.

A screenshot of a .NET project file, showing a long truncated string in the PreBuildEvent field
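The red flag named in the post above (a long, truncated string in a project file's PreBuildEvent) is something a reviewer can check for mechanically before building a cloned repo. The checker below is an added example by the editor, not Sophos code or the Sakura RAT file itself; the sample project file is constructed to mimic the pattern, and the token list and length thresholds are assumptions to tune for your own projects.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample project file (not the real Sakura RAT repo): a build
# event running hidden, encoded PowerShell next to a benign post-build copy.
SAMPLE_CSPROJ = (
    '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n'
    '  <PropertyGroup>\n'
    '    <PreBuildEvent>powershell -nop -w hidden -enc ' + "Q" * 300 + '</PreBuildEvent>\n'
    '    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)\\dist\\"</PostBuildEvent>\n'
    '  </PropertyGroup>\n'
    '  <Target Name="Pack"><Exec Command="dotnet pack --no-build" /></Target>\n'
    '</Project>'
)

EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "Exec"}
# Tokens that rarely belong in a legitimate project's build step (assumed list).
SUSPECT = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|frombase64string|\biex\b|"
    r"invoke-expression|downloadstring|mshta|certutil|wscript", re.I)
BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")   # long base64-looking run

def scan_csproj(xml_text, long_command=200):
    """Return one finding per build event whose command looks suspicious."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the MSBuild namespace
        if tag not in EVENT_TAGS:
            continue
        cmd = el.get("Command", "") if tag == "Exec" else (el.text or "")
        reasons = []
        if len(cmd) > long_command:
            reasons.append("long-command")
        if BLOB.search(cmd):
            reasons.append("base64-like-blob")
        if SUSPECT.search(cmd):
            reasons.append("suspicious-token")
        if reasons:
            findings.append({"tag": tag, "reasons": reasons, "preview": cmd[:60]})
    return findings

if __name__ == "__main__":
    # Usage: python scan_csproj.py [file.csproj ...]; with no args the sample is scanned.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_CSPROJ]
    for text in sources:
        for f in scan_csproj(text):
            print(f"{f['tag']}: {', '.join(f['reasons'])}  {f['preview']}...")
```

A hit is a reason to read the build step before compiling, not proof of a backdoor; legitimate projects do occasionally run scripts from build events.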
2025-05-15

In our five-part series, out today, we explore the businesses and criminal activities that threat actors are discussing on underground forums.

Part 1 provides context and background on our investigation, and explores some of the ways in which cybercriminals launder money.

Parts 2-4 cover business interests, from so-called ‘legitimate’ ventures to legally and ethically dubious (but not necessarily illegal) activities, and finally criminal operations. Part 5 explores the implications and opportunities of this niche of the cybercrime ecosystem.

Read the series here: news.sophos.com/en-us/tag/beyo

2025-05-15

However, it’s not all bad news. These forum posts also provide potentially useful information about threat actors, open new investigative avenues for law enforcement and regulators, and offer opportunities for the cybersecurity industry to collaborate with law enforcement.

2025-05-15

Operation Destabilise – the NCA-led disruption of a large Russian money laundering network with links to ransomware, drugs, and espionage – showed it’s big business. A recent report by Europol also suggests an increasing overlap between cybercrime and real-world organized crime.

A screenshot from a criminal forum, in which a user provides details on things tax investigators look for and recommends certain businesses
2025-05-15

Threat actors who expand into new territories and business ventures complicate investigations and draw more victims, collaborators, and innocent people – directly or indirectly – into their orbits.

A screenshot from a criminal forum, in which a user says they have an insider in a company and recommends that other users invest
2025-05-15

The prospect of cybercriminals insidiously integrating themselves into legitimate industries – as well as being engaged in a wide range of real-world illegal activities – has significant implications for cybersecurity, law enforcement, and wider society.

A screenshot from a criminal forum, in which a user (likely a ransomware affiliate) suggests using “local girls” for laundering money, via OnlyFans
2025-05-15

In some cases, the aim is likely money laundering. In others, diversification. Just like wealthy ‘real-world’ criminals, threat actors appear to want to diversify, to increase their profits and reduce the likelihood of disruption if their cybercrime activities are curtailed.

A screenshot from a criminal forum, in which a user says they are able to provide “clean luxury and premium cars in the USA with full legal documents and certificates of ownership”
2025-05-15

Ever wondered what financially-motivated threat actors do with their illicit gains? Sophos X-Ops investigated obscure areas of criminal forums dedicated to ‘legal business’ – where threat actors discuss crimes and businesses beyond cybercrime and malware.

We examined thousands of forum posts, and discovered a dark underbelly of fraud, theft, money laundering, shell companies, stolen and counterfeit goods, counterfeit currency, pornography, sex work, stocks and shares, pyramid schemes, gold, diamonds, insider trading, construction, real estate, drugs, offshore banking, money mules (people hired by launderers to physically or virtually transport/transfer money), smurfs (people hired to conduct small transactions to launder larger amounts), tax evasion, affiliate advertising and traffic generation, restaurants, education, wholesaling, tobacco and vaping, pharmaceuticals, gambling – and, believe it or not, cybersecurity companies and services.

2025-05-09

The variations we saw in Lumma Stealer behavior are significant to defenders, because Lumma Stealer infection has been extremely common in recent months. That said, the delivery techniques we saw could easily be adapted to other malware beyond Lumma Stealer, making their documentation useful. (A list of IoCs is available on our GitHub repository.)

github.com/sophoslabs/IoCs/blo

2025-05-09

The other case gave us a very good look at some serious obfuscation efforts. The user visited an infected site and attempted to load what appeared to be a PDF. It was not a PDF, but a shortcut that loaded a highly obfuscated PowerShell script. Our post has the details, including one of the most food-obsessed comment blocks we've seen around here in some time.

2025-05-09

The straightforward case was, well, straightforward. The user on the malicious site got two "verification" prompts; the second one actually tricked the unwary user into pasting a PowerShell command into a Run dialog box. Running the pasted command triggered a concealed JavaScript function that dropped a PowerShell script onto the Clipboard and ran it in a hidden window – a slick little piece of social engineering with unfortunate results.

2025-05-09

In one instance, the attacker manipulated users’ trust in CAPTCHA challenges and employed social engineering tactics to deceive victims seeking software downloads. In another, more straightforward case, the user was directed to a malicious site and prompted to open a file in Windows Explorer.

2025-05-09

Some of our MDR researchers recently suited up and took a deep dive into Lumma Stealer. Want to see what they found?

news.sophos.com/en-us/2025/05/

2025-05-08

Threat actors regularly look for ways to disable security products. Tamper protection – a mechanism designed to stop threat actors from interfering with security products – is therefore a critical part of any security suite.

In line with our previous efforts to provide transparency into our kernel drivers and content update architecture, and our commitment to CISA’s Secure By Design initiative, we explain our tamper protection feature in a new blog post, published today.

In the post, we cover our design philosophy around secure-by-default, role-based administration, and closing gaps when it comes to updates, upgrades, and downgrades. We also explore what our Tamper Protection feature prevents.

However, we never assume that our defenses are perfect. We have participated in an external bug bounty program since December 2017, and we regularly test our Tamper Protection through internal engineering reviews, external red-teaming, and real-world threat intelligence.

Read more here: news.sophos.com/en-us/2025/05/

2025-04-16

For more details on trends observed over the past year in cybercrime, and statistics on the most commonly seen malware and abused software, see the full report here: news.sophos.com/en-us/2025/04/ /end

2025-04-16

Also of note is the shift by many criminals away from use of malware to establish a foothold, instead using legitimate software. Commercial remote access and remote machine management tools are being used with greater frequency to gain persistent access to targeted organizations' networks, often in combination with social engineering.

Remote access tools observed in incidents: In nearly 25% of incidents, PsExec was used; AnyDesk was close behind, followed by ScreenConnect.
2025-04-16

This is largely because of vulnerable unpatched (and in some cases, end-of-life and unsupported) devices on the network periphery. This is part of a problem our CEO Joe Levy dubbed "digital detritus." Other contributing factors are weak or improperly configured authentication on VPNs, including an absence of multifactor authentication. /2
news.sophos.com/en-us/2024/10/
