Post

Malicious Go Module Exposes GitHub Malware Lure Network

Malicious Go Module Exposes GitHub Malware Lure Network

Malicious Go Module Exposes GitHub Malware Lure Network

Our investigation began with a malicious Go module, github.com/kaleidora/dnsub-scanning-tool, that posed as a DNS/subdomain scanner. The module did more than impersonate a developer utility: it exposed a Windows malware-staging chain that used hidden PowerShell execution, public dead-drop resolution, protected archive delivery, and RAT/infostealer deployment. 🚨

Pivoting from that module revealed the larger finding: a GitHub-based lure network of 222 confirmed repositories across 190 accounts, built to make malicious or deceptive software projects look active, plausible, and recently maintained. We track this activity as Operation Muck and Load because the name captures both the infrastructure and the behavior. Across analyzed threat actor-controlled repositories, we confirmed at least 14 malware files, including loaders and downloaders, Vidar infostealer, spyware/dropper payloads, trojan-downloader activity, and Monero cryptominers related to XMRig/BitMiner. We reported the confirmed GitHub infrastructure to the GitHub security team because the operation uses GitHub-hosted accounts and repositories as its lure and delivery layer. The Go security team responded promptly, reviewed the report, and blocked the malicious module from the Go module proxy. 🔒

Our entry point into Operation Muck and Load was a Go module published as a DNS/subdomain scanning tool: github.com/kaleidora/dnsub-scanning-tool. The threat actor’s repository used the identity and expectations of a known defensive/reconnaissance tool category as cover for a malware loader. The package metadata shows another immediate anomaly: version sprawl. There are more than 1,200 versions for the module, over 700 of them are malicious. Before any meaningful scanner logic could run, main.go launches a hidden PowerShell command that downloads external content from muckcoding.com, saves it as api.db, decodes it with certutil, writes the decoded output as L.ps1, and executes that script with PowerShell execution-policy bypass. The initial staging path is also notable: C:\Users\Public\Pictures\api.db and C:\Users\Public\Pictures\L.ps1. The use of certutil -decode is a common living-off-the-land technique for transforming staged content without bringing a custom decoder binary. The loader’s execution mode further reinforces malicious intent. It launches PowerShell with a hidden window and then invokes the decoded script with: -ExecutionPolicy Bypass. ⚠️

The file downloaded by the Go module from muckcoding.com/LG-LW/Api-Certificate is not the final payload. It is an encoded PowerShell stage disguised as a certificate-like artifact, saved locally as api.db, decoded with certutil, and written to disk as L.ps1. L.ps1 is a multi-layer PowerShell loader built around Base64-encoded blobs, XOR decryption, and Invoke-Expression. The final decoded script is not a standalone RAT or infostealer. It is a resolver, downloader, extractor, and launcher. Its job is to locate encrypted payload metadata, decrypt the real payload URL, retrieve a password-protected archive, extract it into a fake Microsoft-themed directory, and execute the staged payload hidden. The decoded script sets PowerShell to use TLS 1.2 and disables certificate validation: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 and [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}. The resolver logic revolves around two hardcoded values: the marker string LastW and the decryption key UIA14fogylw8ogL82FntOFGp6. The public sources are the dead-drop locations embedded in the script, including Pastebin, Rlim, Muck-themed infrastructure, and fallback locations on public platforms such as YouTube, Instagram, Telegram, Google Docs, and GitCode. Primary dead-drop sources include: hxxps://pastebin.com/raw/xy32SJgf, hxxps://rlim.com/MicrosoftCur/raw, hxxps://muckdeveloper.com/LGTV/MicrosoftCur. The loader also embeds fallback sources across public and social platforms. The value of this design is operational resilience. 💪

To read the complete article see: Read full article

This post is licensed under CC BY 4.0 by the author.