Researchers linked the hundreds of GitHub repositories to a single Russian email address (ischhfd83[at]rambler[.]ru) after a Sophos customer inquired about a remote access trojan (RAT) featured in tech journalism and social media posts in April.

Sakura RAT supposedly had sophisticated evasion mechanisms built in, leading the customer to ask whether they were protected from it – a relatively common type of interaction, the researchers said.