The Strange Tale of Ischhfd83: When Cybercriminals Eat Their Own

    Date: 06/10/2025

    Severity: High

    Summary

    Our investigation into Sakura RAT revealed two key findings. First, the RAT itself posed minimal threat to our customer. Second, while the repository contained malicious code, it was actually designed to infect developers compiling the RAT, embedding infostealers and other backdoors. This led us to uncover links between the Sakura RAT “developer” and over a hundred similar backdoored repositories, ranging from hacking tools to gaming cheats. Further analysis exposed a complex web of obfuscation, infection chains, and multiple backdoor variants—indicating a broader campaign aimed at compromising novice hackers and game cheaters at scale.

    Indicators of Compromise (IOC) List 

    Domains\URLs: 

    Hash : 

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs: 

    domainname like "https://pastejustit.com/raw/zhpwe7mrif" or url like "https://pastejustit.com/raw/zhpwe7mrif" or siteurl like "https://pastejustit.com/raw/zhpwe7mrif" or domainname like "https://paste.fo/raw/e79fba4f734e" or url like "https://paste.fo/raw/e79fba4f734e" or siteurl like "https://paste.fo/raw/e79fba4f734e" or domainname like "https://pastebin.com/Jet0TFpK" or url like "https://pastebin.com/Jet0TFpK" or siteurl like "https://pastebin.com/Jet0TFpK" or domainname like "https://popcorn-soft.glitch.me/popcornsoft.me" or url like "https://popcorn-soft.glitch.me/popcornsoft.me" or siteurl like "https://popcorn-soft.glitch.me/popcornsoft.me" or domainname like "https://rlim.com/pred-FMoss/raw" or url like "https://rlim.com/pred-FMoss/raw" or siteurl like "https://rlim.com/pred-FMoss/raw" or domainname like "https://pastejustit.com/raw/tfauzc15xj" or url like "https://pastejustit.com/raw/tfauzc15xj" or siteurl like "https://pastejustit.com/raw/tfauzc15xj" or domainname like "https://pastebin.com/raw/LC0H4rhJ" or url like "https://pastebin.com/raw/LC0H4rhJ" or siteurl like "https://pastebin.com/raw/LC0H4rhJ" or domainname like "https://rlim.com/seraswodinsx/raw" or url like "https://rlim.com/seraswodinsx/raw" or siteurl like "https://rlim.com/seraswodinsx/raw" or domainname like "https://pastejustit.com/raw/16qsebqoqq" or url like "https://pastejustit.com/raw/16qsebqoqq" or siteurl like "https://pastejustit.com/raw/16qsebqoqq" or domainname like "https://rlim.com/drone-SJ/raw" or url like "https://rlim.com/drone-SJ/raw" or siteurl like "https://rlim.com/drone-SJ/raw" or domainname like "https://paste.fo/raw/6c2389ad15f1" or url like "https://paste.fo/raw/6c2389ad15f1" or siteurl like "https://paste.fo/raw/6c2389ad15f1" or domainname like "https://pastebin.com/raw/ZTrwn94g" or url like "https://pastebin.com/raw/ZTrwn94g" or siteurl like "https://pastebin.com/raw/ZTrwn94g" or domainname like 
"https://556d807df8c8a5fe567f66701b2ce4a5.arturshi.ru/tg/webhook/86703" or url like "https://556d807df8c8a5fe567f66701b2ce4a5.arturshi.ru/tg/webhook/86703" or siteurl like "https://556d807df8c8a5fe567f66701b2ce4a5.arturshi.ru/tg/webhook/86703" or domainname like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or url like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z" or siteurl like "https://github.com/unheard44/fluid_bean/releases/download/releases/SearchFilter.7z"

    Hash : 

    sha256hash IN ("19739d8c64656cc2b5110ba9375c54bddfcbb3b13f6e74b2360d48ffbf3b0d5e","f3cc80d90c7daee04a31317dfa36c7cb3975cabd6c63fb213aed901c8217a4d4","9cf5bece2cb9b43686cc0241883bd1932c8dc06e92e29b0e210e9f00e0ef2962","bcca9de329754c6719b4829919dcb0603f8a5c29a36ab83f9d88a5aa2d00e2d6","433138a3783bbf3033b638ed447e6fcddad64832f329cfd6b7b519fa57b31738","9ef04f50bc95f9a20c09c636f2783e5cefc8b31c8938ba2ed6b9d92d838f4b07","12f1e6fadf3e9ba2d1feef21d3c852a1d56922b934096247d4b3df54df5af6ec","9838a881148d4fa9c17790ab70cced2e6c9f835d1ad3855f3e4013267dbad90c","b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e","5854a2f5a4f5bcbae8488a5abd05095bfe74e8f5b18dfc728d8732b61ecf3118","f062c7884844da7535cb7b4e7e0a517856022fbd410eb62ecf661fded2c473bc","e5b4ce9a84826170d613562ecf86df4e1d3aee36d7b78ff7e4fa468f7e5ce1ee","577c1e288b1d7ef69330a86f0c14d06bb67980fba64896aadf556f52b770cf56","823da5ffec1b9eed87301fc4685009e4673d72a47e1acec4baeee6df27634d51","a53ac7466290c9f1e92f8c953d3068f7e72df2929972aa8d4a31a2485009862c","cb1617e2ffbf07f9e897beddf8565965e881d4b4f45dda9ba30f5e1304d8ec11","4f1f9a9e7f3457f7b67dbe899781d81b616c3ec57b08230cb4bcb9279c87d9c2","585a9fc16ab2739d9db390004272c3c26817f7d548ff4a9a3a6d3d992a14dc87","23eda28b82baac326c5878b67510e453603e68e3dfa5dfabd92b145cf95a3e76","03e1ad603d31b6b116ce0f459986791eb661d5245f9b52e278cd005ec3e081a4","95be742a617e91d276956b95419667b442f68d43145f6d7ffe70581b4b5b5587","5d89d66fb5f1410c0ef745fecb286608db4bff9aedc68a8de3b5fb37c1c0f0e8","2b13b1b778356d779abcef5fa6150da9cba9520231a0775218bf6c7b466327dc","918796b8cc63f91baf22cb1ec8cf8078df36c81dcaadc1428a261ea793ac71b5","8a6237ac9a90914d96490865d784a2d712ad3d3361a3d50893d33b75b865fbb5","44d365d47a1f8d103795b7dc25f57068922fe8e0af1887066162c763c1b9f402","9f34a4db19d67d898420a131c6f31ba0815b009ac82a2a9925eaa07ad687eb0f","22c5058c274b1f535a6c78c32b42ead9c79bfc1adfb3beb8ee9275fc5006e0e2","668a338ccb320200dcf4c090a01f372ea49f11cbb83946f5ea893e4c2e3caa57","e330638bc8c23e8b3d87ffc9615bbfc43bc8b
37cfbd317e0e86ab456d5e044f9","180c20e039a427f3154271e2a7a620f6c5b59a81c699758b4c1e7e4eae95c08f","89f12803ce3ec782cd912e524a4725ade4ccf45f72dd3f47b8923bebe4464553","424e91a5657753b8d0c45a096f74f59b97f626017e9b2a3a2bff4f543e80edcc","bcc4d8752143d6327db02e3c52bd74ce744cf98c0aeafd205019ffc87af5bd40","342b5990845f9dcb8723927da482301cf8e14fcb69603edbe529260ea5207f43","c20f8edb938dff126e8e53add1629495a1c59c351d783eef61d3b9900a0726c5","11c429b0ce110d4e9380f5a520a682c633e342c1d20538ff74869c0fe3e6e3af","b5a1afb3b9de392f7478dd7de55dccb1a88ffe53351ce100b2da24bd2022b482","b58a2221aa767a97c49b7347b59dd67d16cb4babc206d444b0195c93c36379a7","a3039bdf365755c334c8bf4d7f1792b066060daf8a16269659582d2458a7caf7","ef71dc67ad8de97b39e2c98580e35402ae7dfc8f92015c1f9f689e7f2f1177ab","70e33d34fd3794ef78d5b7bd0329b65cda8ea9a343458404b6ae3a666a7a259e","02c67a06b83a1482fa3ffdfe93d9ce409f1a1e92173ab720ddee52f887586ec4")

    Reference:

    https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own/


    Tags

    Malware, RAT, Sakura RAT, Backdoor, Infostealer, Game Cheaters
