Cybersecurity researchers have identified a new remote access trojan (RAT) called “Sakura RAT” that has reportedly appeared on GitHub, raising concerns among security professionals.
This tool claims to combine several advanced capabilities, including hidden browser functionality, HVNC (Hidden Virtual Network Computing), and anti-detection mechanisms that could potentially evade modern security solutions.
Threat Capabilities and Technical Profile
According to the post from cyberundergroundfeed, the Sakura RAT appears to represent an evolution in malicious remote administration tools, combining features from established threats.

Like many advanced RATs, it offers attackers complete system access while remaining undetected by security solutions.
Primary reported capabilities include a hidden browser function that allows threat actors to conduct web activities through the victim’s machine without detection.
The HVNC feature provides attackers with access to a hidden virtual desktop, similar to capabilities seen in other malware families like Xeno-RAT.
This technology creates a separate desktop session invisible to the user while giving attackers full graphical control over the compromised system.
“RATs like this give attackers the ability to execute commands, manipulate file systems, and even access webcams and microphones,” explains a security researcher familiar with such threats.
“The command and control architecture typically relies on outbound connections that bypass traditional security controls.”
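One way a defender can look for the hidden desktop that HVNC relies on, as an added example that is not from the original article or from any analysis of Sakura RAT: it lists the desktops in the current window station with the Win32 `EnumDesktopsW` call and flags names outside a baseline. The baseline set and the sample name `hvnc_7f3a` are assumptions made for illustration.

```python
import ctypes
import sys

# Desktops a normal interactive session has in WinSta0. Treating every other
# name as worth review is an assumption of this example: some legitimate
# software (secure-input prompts, kiosk shells) also creates its own desktop.
EXPECTED_DESKTOPS = {"default", "winlogon", "disconnect"}


def unexpected_desktops(names):
    """Return the desktop names that fall outside the baseline, sorted."""
    return sorted(n for n in names if n.lower() not in EXPECTED_DESKTOPS)


def enum_desktops():
    """List desktop names in this process's window station (Windows only)."""
    if sys.platform != "win32":
        raise OSError("desktop enumeration requires Windows")
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    # BOOL CALLBACK EnumDesktopProc(LPWSTR lpszDesktop, LPARAM lParam)
    enum_proc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HANDLE
    user32.EnumDesktopsW.argtypes = [wintypes.HANDLE, enum_proc, wintypes.LPARAM]
    user32.EnumDesktopsW.restype = wintypes.BOOL

    names = []

    def collect(name, _lparam):
        names.append(name)
        return True  # keep enumerating

    # Only desktops the caller may enumerate are returned, so run this in the
    # logged-on user's session with that user's (or higher) privileges.
    if not user32.EnumDesktopsW(user32.GetProcessWindowStation(), enum_proc(collect), 0):
        raise ctypes.WinError(ctypes.get_last_error())
    return names


if __name__ == "__main__":
    if sys.platform == "win32":
        found = enum_desktops()
    else:
        found = ["Default", "Winlogon", "hvnc_7f3a"]  # constructed sample
    for name in unexpected_desktops(found):
        print(f"review: non-baseline desktop {name!r}")
```

A hit is a lead for triage, not a verdict: identify which process owns the extra desktop before drawing conclusions.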
Technical Architecture
According to the available information, Sakura RAT likely employs a client-server architecture common to remote administration tools.
The malware establishes communication channels, often referred to as C2 (Command and Control), which enable threat actors to send instructions and receive data from infected systems.
The anti-detection capabilities reportedly include fileless execution techniques, where malicious code runs directly in memory without touching the disk, making it considerably more difficult for traditional antivirus solutions to detect.
Relation to Other Threats
This is not the first time the “Sakura” name has appeared in the threat landscape.
Previous security research identified a Sakura ransomware variant based on Chaos ransomware that encrypted files with a “.Sakura” extension and dropped ransom notes named “read_it.txt”.
However, the current Sakura RAT appears to be a distinct tool with different functionality focused on system control rather than encryption.
The tool’s release comes amid growing concerns about the proliferation of malicious software on code repositories.
Earlier this year, administrators of the Python Package Index (PyPI) temporarily suspended new user registrations due to a surge in malicious packages.
Security Implications and Recommendations
Security professionals warn that tools combining RAT and HVNC capabilities present serious risks to organizations.
The National Cyber Security Center recommends several defensive measures:
- Implement application allowlisting to prevent unauthorized executables
- Deploy modern endpoint detection and response (EDR) solutions
- Maintain regular system updates and patches
- Utilize behavior-based detection technologies
- Train employees to recognize phishing attempts, which are common delivery vectors
“The rise of sophisticated remote administration tools requires a multi-layered security approach,” notes a senior threat analyst.
“Organizations should focus on both prevention and detection strategies, assuming that some attacks may bypass perimeter defenses.”
Security researchers continue to analyze this new threat and recommend that organizations enhance monitoring for unusual network connections, unauthorized remote access attempts, and suspicious process behavior that might indicate a RAT infection.