GitHub Gaming Cheat Projects Used to Deliver AsyncRAT and VileRAT Malware
Security researchers and sandbox telemetry identified malware campaigns abusing GitHub-hosted gaming cheat projects to distribute remote access trojans, including AsyncRAT and VileRAT. One analyzed sample was delivered from a GitHub raw URL and disguised as an Escape from Tarkov cheat-related .scr file, using a gaming-themed lure to entice users seeking cheats, DLL injectors, or other unauthorized tools. ANY.RUN classified the sample as malicious and linked it to AsyncRAT, a trojan that can provide remote control, keystroke capture, webcam access, and data theft from infected Windows systems.
Additional reporting warned that attackers were packaging malware inside purported open-source game cheat repositories and injector utilities on GitHub, broadening the campaign beyond a single title or payload. Technical analysis tied related activity to VileRAT, indicating that threat actors are using trusted developer platforms and cheat-seeking communities as an infection channel for commodity and custom RAT malware. Reported indicators for the AsyncRAT sample included SHA1 3065DA0D35988807C34C98164D35385F846AB1DF and SHA256 84C8AD42D82A82951A1968C738FC813A83FC5CD6F1C2F446F2960CF21A373E14.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
ANY.RUN analyzes GitHub-hosted AsyncRAT gaming lure sample
ANY.RUN conducted a sandbox analysis of a malicious Windows sample hosted at a GitHub raw URL and identified it as AsyncRAT. The file masqueraded as an Escape from Tarkov cheat-related executable or screensaver, indicating a gaming-themed social-engineering lure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Malware analysis https://github.com/supoyev/Escape-from-Tarkov-External-Esp-Aimbot-Cheat/raw/main/escape%20from%20tarkov/Escape%20From%20Tarkov/Escape%20From%20Tarkov%E2%80%AEnls..scr Malicious activity | ANY.RUN - Malware Sandbox Online
any.run
Open source警惕,黑客通过伪装游戏作弊器dll注入器等的GitHub开源项目传播多种恶意软件 - 哔哩哔哩
bilibili.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Trojanized Gaming Utilities Deliver Java-Based RAT via Browser and Chat Platforms
Microsoft Threat Intelligence reported an active malware campaign targeting gamers by distributing **trojanized gaming utilities** through browsers and chat platforms, leading victims to execute a multi-stage downloader that ultimately installs a **Java-based remote access trojan (RAT)**. The infection chain was observed staging a portable Java runtime and launching a malicious JAR (`jd-gui.jar`), while using **PowerShell** and living-off-the-land binaries such as `cmstp.exe` to reduce detection. The activity includes defense evasion by deleting the initial downloader and adding **Microsoft Defender exclusions**, and persistence via a scheduled task and a startup script named `world.vbs`; the RAT then beacons to **`79.110.49[.]15`** for C2, enabling data theft and follow-on payload delivery. Reporting also noted the campaign’s use of gaming-adjacent filenames to increase execution likelihood (e.g., `Xeno.exe`, `RobloxPlayerBeta.exe`) and emphasized that the final payload functions as a **loader/runner/downloader/RAT** rather than a single-purpose stealer, increasing the risk of secondary malware deployment. Separately, one report highlighted the emergence of *Steaelite*, a Windows RAT advertised on criminal forums with claimed “FUD” capabilities and an integrated panel combining data theft and ransomware features, underscoring broader commoditization of multi-function RAT ecosystems even when not directly tied to the specific trojanized-gaming-tools intrusion chain.
Mar 21, 2026
PyStoreRAT Malware Distributed via Fake GitHub OSINT and Utility Repositories
A sophisticated malware campaign has been uncovered in which threat actors use GitHub to distribute a new Remote Access Trojan (RAT) called PyStoreRAT. The attackers reactivated dormant GitHub accounts or created new ones to publish repositories masquerading as legitimate OSINT tools, DeFi bots, and AI chat wrappers. These repositories, often promoted on social media and artificially boosted in popularity, were designed to appeal to IT administrators, cybersecurity professionals, and open-source intelligence researchers. Once the repositories gained trust and visibility, the attackers introduced malicious code through subtle 'maintenance' updates, enabling the silent deployment of PyStoreRAT. PyStoreRAT is a modular, multi-stage malware capable of executing a variety of payloads, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules. It profiles victim systems and can deploy additional threats such as the Rhadamanthys information stealer and Python Loader. Many of the fake tools hosted on GitHub were non-functional or provided only minimal placeholder features, serving primarily as a delivery mechanism for the malware. The campaign demonstrates a calculated abuse of GitHub's trust model and highlights the risks of downloading and executing code from seemingly reputable open-source repositories.
Mar 21, 2026
Webrat Malware Distributed via Fake Exploit PoCs on GitHub
A new malware family named **Webrat** has been distributed through GitHub repositories, masquerading as proof-of-concept (PoC) exploits for high-profile vulnerabilities. The campaign, uncovered in late 2025, initially targeted gamers and users seeking cheats or cracked software, but later expanded to include inexperienced information security professionals and students. Attackers crafted repositories with detailed, AI-generated descriptions of vulnerabilities, including guides and mitigation steps, to build credibility and lure victims into downloading malicious files. The malware is delivered as a password-protected archive containing an executable that escalates privileges, disables Windows Defender, and downloads the Webrat payload from a hardcoded URL. Once installed, Webrat can steal credentials from Telegram, Discord, Steam, and cryptocurrency wallets, log keystrokes, record screens, access webcams and microphones, and provide remote access to attackers. The campaign leverages vulnerabilities with high CVSSv3 scores, such as those in Internet Explorer, WordPress plugins, Windows services, and Tenda routers, to attract victims searching for exploit code.
Mar 21, 2026