Malicious Go 'crypto' Module Steals Passwords and Deploys Rekoobe Backdoor
A malicious Go module impersonating the legitimate golang.org/x/crypto has been discovered, containing a backdoor in ssh/terminal/terminal.go. This module captures passwords, exfiltrates them, and executes remote commands. The attack chain includes a Linux stager that installs an SSH key for persistence, weakens firewall settings, and deploys a Rekoobe backdoor. The campaign targets high-trust cryptography libraries and likely aims at cloud environments. The threat actor uses GitHub for staging and disguises payloads as media files. This sophisticated supply chain attack highlights the need for careful scrutiny of Go module changes and implementation of robust security measures in development workflows.
AI Analysis
Technical Summary
This threat involves a malicious Go module that impersonates the widely used golang.org/x/crypto library, a critical cryptography package in the Go programming ecosystem. The malicious code is embedded specifically in the ssh/terminal/terminal.go file, where it introduces a backdoor capable of capturing passwords entered via terminal sessions. Once passwords are captured, they are exfiltrated to attacker-controlled infrastructure. The attack chain further includes a Linux stager component that establishes persistence by installing an SSH key, modifies firewall rules to weaken security, and deploys the Rekoobe backdoor malware, which is known for remote command execution and stealthy persistence. The threat actor leverages GitHub repositories to stage malicious payloads, disguising them as media files (e.g., .mp5 files) to evade detection. This supply chain attack targets high-trust cryptographic libraries, which are often dependencies in cloud-native applications and infrastructure, increasing the potential impact. The adversary behind this campaign is identified as APT31, a sophisticated threat actor group with a history of espionage and supply chain compromises. Indicators of compromise include specific file hashes, IP addresses, domains, and URLs associated with the malicious infrastructure. The campaign underscores the critical need for secure software supply chain practices, including verification of module authenticity, dependency auditing, and monitoring of development workflows for suspicious changes. Although no active exploitation in the wild has been confirmed, the complexity and stealth of this attack vector make it a serious concern for organizations using Go modules in their software stacks.
Potential Impact
The impact of this threat is significant for organizations that develop or deploy software using Go, especially those relying on the golang.org/x/crypto module for cryptographic functions. By compromising a trusted cryptographic library, attackers can steal sensitive credentials such as passwords, leading to unauthorized access to systems and data breaches. The deployment of the Rekoobe backdoor enables persistent remote access, allowing attackers to execute arbitrary commands, move laterally within networks, and potentially exfiltrate sensitive information. Cloud environments are particularly at risk due to their heavy reliance on Go-based microservices and infrastructure automation tools. The weakening of firewall rules further exposes affected systems to external attacks. This supply chain compromise can undermine trust in software dependencies, disrupt development pipelines, and cause widespread security incidents if malicious modules propagate through automated builds and deployments. Organizations may face operational disruptions, data loss, intellectual property theft, and reputational damage. The stealthy nature of the attack and use of legitimate platforms like GitHub for staging complicate detection and response efforts.
Mitigation Recommendations
1. Implement strict verification of Go modules by using cryptographic signatures and checksums to ensure authenticity before integration.
2. Employ dependency scanning tools that can detect impersonation or typosquatting in module names and alert on suspicious changes.
3. Enforce code review policies specifically for third-party dependencies and monitor for unexpected modifications in critical libraries like cryptography modules.
4. Use private module proxies or mirrors to control and vet external dependencies before they enter the build pipeline.
5. Monitor network traffic for unusual connections to known malicious domains and IP addresses associated with this campaign (e.g., spoolsv.cc, spoolsv.net, and related URLs).
6. Harden Linux host configurations by restricting SSH key installations and firewall rule changes through configuration management and auditing.
7. Deploy endpoint detection and response (EDR) solutions capable of identifying backdoor behaviors such as Rekoobe's persistence mechanisms.
8. Educate developers and DevOps teams about supply chain risks and encourage the use of reproducible builds and dependency locking.
9. Regularly audit and rotate credentials to limit the impact of stolen passwords.
10. Establish incident response plans that include supply chain compromise scenarios to enable rapid containment and remediation.
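Recommendations 2 and 3 call for detecting module-name impersonation and unexpected changes to critical dependencies. The Go program below is an added example written for this page; it is not code from Socket, AlienVault or the Go project. It audits a go.mod file for two things a reviewer would want surfaced in this campaign: a replace directive that redirects golang.org/x/crypto to some other module path, and a required module whose path resembles golang.org/x/crypto without being it. The sample go.mod and the example.com and example-org module paths are constructed placeholders; the page does not name the campaign's actual module path, and nothing here claims to.

```go
package main

import (
	"fmt"
	"strings"
)

// legitCrypto is the canonical path of the module this campaign impersonates.
const legitCrypto = "golang.org/x/crypto"

// Finding is one go.mod line that deserves reviewer attention.
type Finding struct {
	Line   int
	Module string
	Reason string
}

// AuditGoMod scans go.mod text and reports (a) replace directives that point
// golang.org/x/crypto at a different module path and (b) required modules whose
// path resembles golang.org/x/crypto. It parses line by line on purpose, so it
// has no dependency of its own to trust.
func AuditGoMod(gomod string) []Finding {
	var findings []Finding
	block := "" // "require" or "replace" while inside a parenthesised block
	for i, raw := range strings.Split(gomod, "\n") {
		lineNo := i + 1
		line := strings.TrimSpace(raw)
		if c := strings.Index(line, "//"); c >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:c])
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		kind := block
		switch fields[0] {
		case "require", "replace":
			if len(fields) == 2 && fields[1] == "(" { // block opener
				block = fields[0]
				continue
			}
			kind, fields = fields[0], fields[1:] // single-line form
		case ")":
			block = ""
			continue
		}
		switch kind {
		case "require":
			if reason := lookalikeReason(fields[0]); reason != "" {
				findings = append(findings, Finding{Line: lineNo, Module: fields[0], Reason: reason})
			}
		case "replace": // form: old [version] => new [version]
			for j := 1; j+1 < len(fields); j++ {
				if fields[j] == "=>" && fields[0] == legitCrypto && fields[j+1] != legitCrypto {
					findings = append(findings, Finding{Line: lineNo, Module: fields[j+1],
						Reason: "replace directive redirects " + legitCrypto + " to another path"})
				}
			}
		}
	}
	return findings
}

// lookalikeReason explains why a module path resembles golang.org/x/crypto,
// or returns "" for the genuine module and for clearly unrelated paths.
func lookalikeReason(path string) string {
	if path == legitCrypto {
		return ""
	}
	lower := strings.ToLower(path)
	last := lower[strings.LastIndex(lower, "/")+1:]
	switch {
	case strings.Contains(lower, "x/crypto"):
		return "path contains x/crypto but is not " + legitCrypto
	case last == "crypto":
		return "final path element is crypto but the module is not " + legitCrypto
	}
	return ""
}

// sampleGoMod is a constructed go.mod for demonstration. The example.com and
// example-org paths are placeholders; the page does not name the real module.
const sampleGoMod = `module example.com/app
go 1.22
require (
	golang.org/x/crypto v0.27.0 // genuine module, must not be flagged
	github.com/example-org/x/crypto v0.0.0-20250101000000-abcdef123456
	github.com/stretchr/testify v1.9.0
)
replace golang.org/x/crypto => github.com/example-org/crypto v0.0.1
`

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Printf("go.mod:%d %s: %s\n", f.Line, f.Module, f.Reason)
	}
}
```

Run it in CI next to `go mod verify`, which checks that downloaded module contents still match the hashes in go.sum. Note the division of labour: go.sum and GOSUMDB prove that a module at a given path has not been tampered with since it was first recorded, but they say nothing about whether that path is the one you meant to depend on; the heuristic above covers that gap, and a vetted private proxy set via GOPROXY (recommendation 4) controls which paths can be fetched at all.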
Affected Countries
United States, China, Germany, United Kingdom, Japan, South Korea, India, Canada, France, Australia
Indicators of Compromise
- hash: 4be68d5690e8df506583e86e42fbb934
- hash: 590dc30098a1bedf28e1717ded91cbfed72ae06d
- hash: 4afdb3f5914beb0ebe3b086db5a83cef1d3c3c4312d18eff672dd0f6be2146bc
- hash: 8b0ec8d0318347874e117f1aed1b619892a7547308e437a20e02090e5f3d2da6
- ip: 154.84.63.184
- url: http://img.spoolsv.cc/seed.php
- url: http://img.spoolsv.cc/snn50.txt
- url: http://img.spoolsv.net/seed.php
- url: https://img.spoolsv.cc/555.mp5
- url: https://img.spoolsv.cc/seed.php
- url: https://img.spoolsv.cc/sss.mp5
- url: https://img.spoolsv.net/seed.php
- domain: spoolsv.cc
- domain: spoolsv.net
- domain: img.spoolsv.cc
- domain: img.spoolsv.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor
- Adversary: APT31
- Pulse Id: 69a1276fbef301b2eb97cd94
- Threat Score: null
Threat ID: 69a15f7732ffcdb8a2102f0a
Added to database: 2/27/2026, 9:10:15 AM
Last enriched: 2/27/2026, 9:29:20 AM
Last updated: 2/28/2026, 5:04:19 AM