Cyber Security News

New Sakura RAT Emerges on GitHub, Successfully Evading AV & EDR Protections

A new Remote Access Trojan (RAT) called Sakura has been published on GitHub. Due to its sophisticated anti-detection capabilities and comprehensive system control features, Sakura is raising significant concerns in the cybersecurity community.

The malware, identified in a repository allegedly created by a user named “Haerkasmisk,” provides attackers with an extensive toolkit that can evade modern antivirus and Endpoint Detection and Response (EDR) solutions through multiple obfuscation techniques similar to those seen in previously documented malware families.

Advanced Capabilities and Evasion Techniques

Sakura RAT implements several advanced capabilities that make it particularly dangerous. 

According to a Cyberfeeddigest post shared on X, the RAT includes a hidden browser function that lets attackers conduct web activity through the victim’s machine without detection, and a Hidden Virtual Network Computing (HVNC) capability that creates an invisible desktop session for stealthy remote control.


The malware reportedly utilizes techniques similar to those observed in previous RAT families, including process injection, reflective DLL injection, and single-byte XOR encoding to obfuscate network communications and embedded strings, making detection significantly more difficult for security solutions.
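Single-byte XOR is the weakest of the obfuscation layers described above, and an analyst can strip it from a dumped blob by trying all 256 keys against a "crib" (a string the sample is expected to contain, such as a Run-key path or an HTTP request line). The following is an added illustration, not code from the article or from the Sakura repository; the blob, the key 0x5A and the crib strings are constructed for the demonstration.

```python
"""Single-byte XOR string recovery for malware triage (added example)."""
import re
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (encode and decode are the same)."""
    return bytes(b ^ key for b in data)


def find_xor_keys(blob: bytes, cribs: List[bytes]) -> List[Tuple[int, int, bytes]]:
    """Try every key 0..255 and return (key, offset, crib) for each crib hit."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for crib in cribs:
            offset = decoded.find(crib)
            if offset != -1:
                hits.append((key, offset, crib))
    return hits


def extract_strings(decoded: bytes, min_len: int = 6) -> List[str]:
    """Pull printable ASCII runs out of decoded data, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, decoded)]


# Constructed sample: strings a RAT of this kind might embed (HTTP C2 request,
# Run-key persistence path, process name), XORed with a key chosen here (0x5A).
# This is not data taken from Sakura.
_PLAIN = (b"\x00\x01POST /gate.php HTTP/1.1\x00\x02"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x03"
          b"svchost.exe\x00")
SAMPLE_BLOB = xor_bytes(_PLAIN, 0x5A)

# Cribs an analyst would expect given the article's description of the RAT.
CRIBS = [b"CurrentVersion\\Run", b"HTTP/1.1"]


def recover(blob: bytes, cribs: List[bytes]) -> Tuple[int, List[str]]:
    """Return the first key under which a crib appears, plus the recovered strings."""
    hits = find_xor_keys(blob, cribs)
    if not hits:
        raise ValueError("no crib matched under any single-byte key")
    key = hits[0][0]
    return key, extract_strings(xor_bytes(blob, key))


if __name__ == "__main__":
    key, found = recover(SAMPLE_BLOB, CRIBS)
    print(f"key=0x{key:02x}")
    for s in found:
        print(" ", s)
```

The same crib search works on captured C2 traffic when the encoding key is per-sample rather than per-message; a multi-byte or rolling key needs frequency analysis instead.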

Technically, Sakura appears to combine elements from various existing malware frameworks. 

Like the previously documented Sakula malware family identified by Dell SecureWorks researchers, it likely uses HTTP GET and POST requests for command and control (C2) communications.

The tool reportedly maintains persistence through Windows registry Run keys and can configure itself as a service, similar to other advanced RATs. 

Its multi-session capability allows attackers to control numerous compromised systems simultaneously through a centralized control panel.

Security researchers noted that the malware may leverage vulnerability CVE-2014-0322 or similar exploits as initial infection vectors, though specific delivery mechanisms remain under investigation.

This release joins a growing ecosystem of publicly available antivirus evasion tools. According to researchers examining GitHub’s “antivirus-evasion” topic, numerous frameworks like Veil, Chimera, and Process Herpaderping are openly accessible, contributing to the proliferation of evasive malware.

Experts say the availability of these tools dramatically lowers the barrier to entry for would-be attackers. What previously required significant expertise can now be accomplished with downloadable frameworks.

Protection Recommendations

Security experts recommend organizations implement the following protective measures:

  • Deploy advanced EDR solutions with behavioral analysis capabilities.
  • Implement application whitelisting to prevent unauthorized code execution.
  • Regularly update security software to incorporate the latest detection signatures.
  • Disable macros in Microsoft Office applications unless specifically required.
  • Educate employees about phishing attacks, as email remains a primary delivery method.

Researchers continue to analyze Sakura RAT’s code and capabilities. Organizations are advised to monitor for suspicious network communications, unexpected registry modifications, and unauthorized process creations as potential indicators of compromise.

As threat actors increasingly leverage publicly available offensive security tools, the growing sophistication of RATs like Sakura highlights the critical importance of implementing multi-layered security defenses.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
