Operation Muck and Load centers on a malicious Go module that staged hidden PowerShell execution, dead-drop resolution, and a password-protected archive to launch Windows malware. The campaign also spans 222 confirmed GitHub repositories across 190 accounts, with confirmed payloads including AsyncRAT, Quasar, Remcos, Vidar, and XMRig-related activity. #AsyncRAT #Quasar #Remcos #Vidar #XMRig #githubcomkaleidoradnsubscanningtool #ischhfd83ramblerru
Keypoints
- The investigation started with a malicious Go module, github[.]com/kaleidora/dnsub-scanning-tool, masquerading as a DNS/subdomain scanner.
- The module launched hidden PowerShell, decoded staged content with certutil, and executed a local script from public directories.
- The loader used public dead drops such as Pastebin, Rlim, Muck-themed domains, and fallback services like YouTube, Telegram, Google Docs, and GitCode.
- The payload chain downloaded and extracted a password-protected Quixo.7z archive, then launched Microsoft.exe from a fake Microsoft Photos path.
- Recovered stages were associated with AsyncRAT, Quasar, Remcos, Vidar infostealer activity, and Monero mining via XMRig/BitMiner-related tooling.
- Researchers confirmed a broader GitHub lure network of 222 repositories across 190 accounts, driven by synthetic commit activity and repeated lure themes.
- The threat actor-linked workflows used the email ischhfd83@rambler[.]ru and were reported to both GitHub and the Go security team, resulting in the malicious module being blocked from the Go proxy.
MITRE Techniques
- [T1195.001 ] Supply Chain Compromise: Compromise Software Dependencies and Development Tools â The malicious Go module was distributed as a package while embedding Windows malware-staging logic (âreported to the Go security team because it had been distributed as a Go module while embedding Windows malware-staging logicâ).
- [T1204.002 ] User Execution: Malicious File â The lure package was intended to be installed or run by users expecting a benign scanner (âposed as a DNS/subdomain scannerâ).
- [T1059.001 ] Command and Scripting Interpreter: PowerShell â PowerShell was used to download, decode, and execute staged content (âlaunches a hidden PowerShell commandâ and âexecute that script with PowerShell execution-policy bypassâ).
- [T1564.003 ] Hide Artifacts: Hidden Window â The initial PowerShell and later execution were run with hidden windows (âWindowStyle Hiddenâ and âkeep the PowerShell window hiddenâ).
- [T1027 ] Obfuscated Files or Information â The content was obscured through encoding, XOR, and layered script structure (âmulti-layer PowerShell loader built around Base64-encoded blobs, XOR decryptionâ).
- [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File â Encrypted blobs and encoded payload-location data were stored and recovered (âcontains an encrypted raw blobâ and ârecovered from the dead-drop materialâ).
- [T1140 ] Deobfuscate/Decode Files or Information â Certutil and script logic decoded staged content (âcertutil -decode api.db to C:UsersPublicPicturesL.ps1â).
- [T1105 ] Ingress Tool Transfer â The loader downloaded scripts and archives from external locations (âInvoke-WebRequest from hxxps://muckcoding[.]comâŚâ and downloaded Quixo.7z).
- [T1102.001 ] Web Service: Dead Drop Resolver â The script pulled encrypted payload-location data from public services and searched for the LastW marker (âretrieves text from these public locations and searches the returned content for the marker LastWâ).
- [T1071.001 ] Application Layer Protocol: Web Protocols â The campaign used HTTP(S) requests to public web services and GitHub resources (âpublic-service stagingâ and âGitHub release archiveâ).
- [T1036.005 ] Masquerading: Match Legitimate Resource Name or Location â Files and paths were disguised to resemble benign Microsoft content (âWindows.Microsoft.Photosâ and âMicrosoft.exeâ).
- [T1685 ] Disable or Modify Tools â Certificate validation was disabled to ease downloads (âServerCertificateValidationCallback = {$true}â).
- [T1112 ] Modify Registry â The post-staging payload set was associated with defense-evasion and persistence behavior that included system configuration changes (âmodifies Microsoft Defender and UAC settingsâ).
- [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control â The chain used UAC bypass-related activity (âmodifies Microsoft Defender and UAC settingsâ).
- [T1053.005 ] Scheduled Task/Job: Scheduled Task â Persistence used scheduled task activity (âuses scheduled task and service activity for persistenceâ).
- [T1543.003 ] Create or Modify System Process: Windows Service â Persistence also leveraged service creation/modification (âuses scheduled task and service activity for persistenceâ).
- [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers â The payload chain accessed browser-profile data (âaccesses browser-profile dataâ).
- [T1608.001 ] Stage Capabilities: Upload Malware â The loader staged additional payloads through archives and remote content (âstage additional components through 7-Zip toolingâ).
- [T1113 ] Screen Capture â The analyzed activity included screenshot collection (âprepares screenshot collectionâ).
- [T1055 ] Process Injection â Lower-level behaviors such as WriteProcessMemory and SetThreadContext support injection (âWriteProcessMemory, SetThreadContextâ).
- [T1490 ] Inhibit System Recovery â The post-staging payload set included recovery-disruption behavior (âmodifies Microsoft Defender and UAC settingsâ).
- [T1082 ] System Information Discovery â The payload set included discovery behavior (âdiscovery activityâ).
- [T1057 ] Process Discovery â The payload set included process discovery behavior (âdiscovery activityâ).
- [T1012 ] Query Registry â The payload set included registry-query behavior (âQuery Registryâ listed among MITRE techniques).
Indicators of Compromise
- [Malicious Go module] Initial lure module â github[.]com/kaleidora/dnsub-scanning-tool
- [Domains] Muck-themed infrastructure and resolver hosts â muckcoding[.]com, muckdeveloper[.]com
- [URLs] Staging and dead-drop endpoints â hxxps://muckcoding[.]com/LG-LW/Api-Certificate, hxxps://pastebin[.]com/raw/xy32SJgfh
- [URLs] Additional dead drops and fallback sources â hxxps://rlim[.]com/MicrosoftCur/raw, hxxps://gitcode[.]com/LastWer/MicrosoftCur/raw
- [URLs] Fallback social/platform sources â hxxps://youtu[.]be/GAS67zAOssc, hxxps://t[.]me/s/dwmich, hxxps://docs.google[.]com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt
- [URL] Final payload archive â hxxps://github[.]com/tb78/expresso/releases/download/Release/Quixo.7z
- [Email address] Threat actor-linked workflow identity â ischhfd83@rambler[.]ru
- [File paths] Staging and execution paths â C:UsersPublicPicturesapi.db, C:UsersPublicPicturesL.ps1
- [File paths] Payload staging and extraction locations â C:UsersPublicDocumentsumun, C:ProgramDatazipathh7zrr.exe
- [File paths] Masqueraded execution path â C:ProgramDataWindows.Microsoft.PhotoscurrentMicrosoft.exe
- [SHA-256 hashes] Loader and payload artifacts â 129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff, 86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c, and 2 more hashes
- [SHA-256 hashes] Additional decoded and staged artifacts â 51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807, 73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2, and 2 more hashes
- [String/marker] Resolver marker and hardcoded key â LastW, UIA14fogylw8ogL82FntOFGp6
- [String/password] Archive and secondary strings â r8NnX1b8Xn, 73hvdu342
- [Filename] Suspicious loader and staging names â api.db, L.ps1, Quixo.7z, Microsoft.exe
Read more: https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network