The strange tale of ischhfd83: When cybercriminals eat their own

June 4, 2025, 8:59 p.m.

Description

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leading to RATs and infostealers. The campaign involves automated commits, obfuscation techniques, and complex payloads. Researchers found over 100 malicious repositories with distinct contributor roles, suggesting an automated framework. The eventual payload includes AsyncRAT, Remcos, and Lumma Stealer. The threat actor uses Telegram for notifications and various paste sites for hosting malicious code. This case highlights the complexity of modern cyber threats and the importance of cautious approaches to open-source repositories.

Date

  • Created: June 4, 2025, 7:24 p.m.
  • Published: June 4, 2025, 7:24 p.m.
  • Modified: June 4, 2025, 8:59 p.m.

Indicators
