Fresh Sakura RAT Appears on GitHub

07.04.2025 2 minutes Author: Newsman

The security community has taken note of a new remote access trojan, Sakura RAT, published on GitHub. The malware stands out for its layered evasion, which lets it slip past current endpoint protections and hand an attacker full control of infected machines.

  1. Sakura RAT, probably developed by a user under the pseudonym *Haerkasmisk*, gives criminals a capable tool for covert control of compromised machines. Its built-in stealth browser and HVNC (hidden VNC, a second desktop session invisible to the logged-in user) let the operator work without leaving visible traces on screen.
  2. Sakura reuses techniques already seen in earlier RAT families: process injection, reflective DLL injection, and XOR obfuscation of traffic and strings. For persistence it registers itself for autostart via the Run keys of the Windows registry and can also install itself as a system service.
  3. Sakura RAT is believed to use vulnerabilities such as CVE-2014-0322 (a 2014 Internet Explorer use-after-free) as an entry point, although its distribution mechanism is still under investigation. A centralized panel lets one operator control many devices at once, which makes it a serious threat to corporate networks.
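The XOR obfuscation of strings and traffic mentioned in point 2 is cheap for the author and almost as cheap for an analyst to undo. The following is an added example, not code from the original article or from the Sakura RAT project: it recovers a short repeating XOR key from an obfuscated blob by scoring candidate plaintexts against English and HTTP-like byte frequencies. The beacon text, the 5-byte key and the scoring weights are constructed assumptions for illustration, not Sakura's real scheme.

```python
"""Recover a short repeating XOR key from an obfuscated string or beacon.

Constructed example: the beacon below is NOT a real Sakura RAT sample;
the plaintext, key and scoring weights are assumptions for illustration.
"""
import string
from itertools import cycle
from typing import Tuple

# Rough English letter frequencies (percent). Space is scored as the most
# common symbol because beacons and config strings are full of it.
FREQ = {
    " ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7,
    "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, "c": 2.8,
    "m": 2.4, "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5,
    "v": 1.0, "k": 0.8, "j": 0.15, "x": 0.15, "q": 0.1, "z": 0.07,
}
OTHER_OK = set((string.digits + string.punctuation + "\r\n\t").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (obfuscate and deobfuscate are the same op)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def english_score(buf: bytes) -> float:
    """Heuristic: text-like bytes score positively, control/binary bytes heavily negatively."""
    score = 0.0
    for b in buf:
        c = chr(b)
        if c in FREQ:
            score += FREQ[c]
        elif "A" <= c <= "Z":
            # Uppercase is text, but a case-flipped wrong key (k ^ 0x20) also produces it,
            # so it counts for less than lowercase.
            score += FREQ[c.lower()] * 0.3
        elif b in OTHER_OK:
            score += 0.5
        else:
            score -= 20.0
    return score


def recover_xor_key(blob: bytes, max_len: int = 8) -> bytes:
    """Try key lengths 1..max_len; solve each column as an independent single-byte XOR.

    Ties go to the shorter key (strict '>'), because a key repeated twice
    scores exactly the same as the key itself.
    """
    best_key, best_score = b"", float("-inf")
    for n in range(1, max_len + 1):
        key = bytearray()
        total = 0.0
        for col in range(n):
            column = blob[col::n]          # every byte that was XORed with key[col]
            k, s = max(
                ((k, english_score(xor_bytes(column, bytes([k])))) for k in range(256)),
                key=lambda t: t[1],
            )
            key.append(k)
            total += s
        if total > best_score:
            best_key, best_score = bytes(key), total
    return best_key


def deobfuscate(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (recovered_key, plaintext) for an XOR-obfuscated string or beacon."""
    key = recover_xor_key(blob)
    return key, xor_bytes(blob, key)


# Constructed sample (not real Sakura traffic): an HTTP beacon obfuscated with a 5-byte key.
SAMPLE_KEY = bytes.fromhex("5ac3197e04")
SAMPLE_PLAINTEXT = (
    b"GET /gate.php?id=ws-0132&v=1.0 HTTP/1.1\r\n"
    b"Host: update-check.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Cookie: session=hvnc on; persist=run key; task=idle screen capture\r\n"
    b"\r\n"
)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = deobfuscate(SAMPLE_BLOB)
    print("recovered key:", key.hex())
    print(plain.decode("ascii", errors="replace"))
```

Run it directly to print the recovered key and the decoded beacon. For real samples, feed it strings carved from the binary or payload bytes captured on the wire; keys longer than `max_len` will not be found, so raise it when the best result is still garbage, and expect the frequency heuristic to need retuning for non-English or mostly binary plaintext.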

Sakura RAT combines traits of several malicious frameworks, in particular Sakula, which is known for managing its C2 channel over plain HTTP GET and POST requests. Its code contains fragments resembling open projects on GitHub such as Veil, Chimera and Process Herpaderping, tools for evading antivirus detection that have long worried defenders. Analysts note that the availability of such frameworks lowers the barrier to entry: newcomers can now assemble a full-featured RAT without deep technical knowledge.

The appearance of Sakura RAT is further confirmation that attackers build threats to corporate security from openly available components. Experts urge companies to adopt layered defenses: behavior-based EDR, application whitelisting, timely signature updates, disabling macros, and employee awareness of phishing.
