Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories
Operation Muck and Load centers on a malicious Go module that staged hidden PowerShell execution, dead-drop resolution, and a password-protected archive to launch Windows malware. The campaign also spans 222 confirmed GitHub repositories across 190 accounts, with confirmed payloads including AsyncRAT, Quasar, Remcos, Vidar, and XMRig-related activity. #AsyncRAT #Quasar #Remcos #Vidar #XMRig #githubcomkaleidoradnsubscanningtool #ischhfd83ramblerru

Keypoints

  • The investigation started with a malicious Go module, github[.]com/kaleidora/dnsub-scanning-tool, masquerading as a DNS/subdomain scanner.
  • The module launched hidden PowerShell, decoded staged content with certutil, and executed a local script from public directories.
  • The loader used public dead drops such as Pastebin, Rlim, Muck-themed domains, and fallback services like YouTube, Telegram, Google Docs, and GitCode.
  • The payload chain downloaded and extracted a password-protected Quixo.7z archive, then launched Microsoft.exe from a fake Microsoft Photos path.
  • Recovered stages were associated with AsyncRAT, Quasar, Remcos, Vidar infostealer activity, and Monero mining via XMRig/BitMiner-related tooling.
  • Researchers confirmed a broader GitHub lure network of 222 repositories across 190 accounts, driven by synthetic commit activity and repeated lure themes.
  • The threat actor-linked workflows used the email ischhfd83@rambler[.]ru and were reported to both GitHub and the Go security team, resulting in the malicious module being blocked from the Go proxy.

MITRE Techniques

  • [T1195.001 ] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – The malicious Go module was distributed as a package while embedding Windows malware-staging logic (‘reported to the Go security team because it had been distributed as a Go module while embedding Windows malware-staging logic’).
  • [T1204.002 ] User Execution: Malicious File – The lure package was intended to be installed or run by users expecting a benign scanner (‘posed as a DNS/subdomain scanner’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell was used to download, decode, and execute staged content (‘launches a hidden PowerShell command’ and ‘execute that script with PowerShell execution-policy bypass’).
  • [T1564.003 ] Hide Artifacts: Hidden Window – The initial PowerShell and later execution were run with hidden windows (‘WindowStyle Hidden’ and ‘keep the PowerShell window hidden’).
  • [T1027 ] Obfuscated Files or Information – The content was obscured through encoding, XOR, and layered script structure (‘multi-layer PowerShell loader built around Base64-encoded blobs, XOR decryption’).
  • [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Encrypted blobs and encoded payload-location data were stored and recovered (‘contains an encrypted raw blob’ and ‘recovered from the dead-drop material’).
  • [T1140 ] Deobfuscate/Decode Files or Information – Certutil and script logic decoded staged content (‘certutil -decode api.db to C:UsersPublicPicturesL.ps1’).
  • [T1105 ] Ingress Tool Transfer – The loader downloaded scripts and archives from external locations (‘Invoke-WebRequest from hxxps://muckcoding[.]com…’ and downloaded Quixo.7z).
  • [T1102.001 ] Web Service: Dead Drop Resolver – The script pulled encrypted payload-location data from public services and searched for the LastW marker (‘retrieves text from these public locations and searches the returned content for the marker LastW’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The campaign used HTTP(S) requests to public web services and GitHub resources (‘public-service staging’ and ‘GitHub release archive’).
  • [T1036.005 ] Masquerading: Match Legitimate Resource Name or Location – Files and paths were disguised to resemble benign Microsoft content (‘Windows.Microsoft.Photos’ and ‘Microsoft.exe’).
  • [T1685 ] Disable or Modify Tools – Certificate validation was disabled to ease downloads (‘ServerCertificateValidationCallback = {$true}’).
  • [T1112 ] Modify Registry – The post-staging payload set was associated with defense-evasion and persistence behavior that included system configuration changes (‘modifies Microsoft Defender and UAC settings’).
  • [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control – The chain used UAC bypass-related activity (‘modifies Microsoft Defender and UAC settings’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence used scheduled task activity (‘uses scheduled task and service activity for persistence’).
  • [T1543.003 ] Create or Modify System Process: Windows Service – Persistence also leveraged service creation/modification (‘uses scheduled task and service activity for persistence’).
  • [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – The payload chain accessed browser-profile data (‘accesses browser-profile data’).
  • [T1608.001 ] Stage Capabilities: Upload Malware – The loader staged additional payloads through archives and remote content (‘stage additional components through 7-Zip tooling’).
  • [T1113 ] Screen Capture – The analyzed activity included screenshot collection (‘prepares screenshot collection’).
  • [T1055 ] Process Injection – Lower-level behaviors such as WriteProcessMemory and SetThreadContext support injection (‘WriteProcessMemory, SetThreadContext’).
  • [T1490 ] Inhibit System Recovery – The post-staging payload set included recovery-disruption behavior (‘modifies Microsoft Defender and UAC settings’).
  • [T1082 ] System Information Discovery – The payload set included discovery behavior (‘discovery activity’).
  • [T1057 ] Process Discovery – The payload set included process discovery behavior (‘discovery activity’).
  • [T1012 ] Query Registry – The payload set included registry-query behavior (‘Query Registry’ listed among MITRE techniques).

Indicators of Compromise

  • [Malicious Go module] Initial lure module – github[.]com/kaleidora/dnsub-scanning-tool
  • [Domains] Muck-themed infrastructure and resolver hosts – muckcoding[.]com, muckdeveloper[.]com
  • [URLs] Staging and dead-drop endpoints – hxxps://muckcoding[.]com/LG-LW/Api-Certificate, hxxps://pastebin[.]com/raw/xy32SJgfh
  • [URLs] Additional dead drops and fallback sources – hxxps://rlim[.]com/MicrosoftCur/raw, hxxps://gitcode[.]com/LastWer/MicrosoftCur/raw
  • [URLs] Fallback social/platform sources – hxxps://youtu[.]be/GAS67zAOssc, hxxps://t[.]me/s/dwmich, hxxps://docs.google[.]com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt
  • [URL] Final payload archive – hxxps://github[.]com/tb78/expresso/releases/download/Release/Quixo.7z
  • [Email address] Threat actor-linked workflow identity – ischhfd83@rambler[.]ru
  • [File paths] Staging and execution paths – C:UsersPublicPicturesapi.db, C:UsersPublicPicturesL.ps1
  • [File paths] Payload staging and extraction locations – C:UsersPublicDocumentsumun, C:ProgramDatazipathh7zrr.exe
  • [File paths] Masqueraded execution path – C:ProgramDataWindows.Microsoft.PhotoscurrentMicrosoft.exe
  • [SHA-256 hashes] Loader and payload artifacts – 129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff, 86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c, and 2 more hashes
  • [SHA-256 hashes] Additional decoded and staged artifacts – 51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807, 73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2, and 2 more hashes
  • [String/marker] Resolver marker and hardcoded key – LastW, UIA14fogylw8ogL82FntOFGp6
  • [String/password] Archive and secondary strings – r8NnX1b8Xn, 73hvdu342
  • [Filename] Suspicious loader and staging names – api.db, L.ps1, Quixo.7z, Microsoft.exe


Read more: https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network