Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

0
Medium
Published: 07/09/2026 (07/09/2026, 08:24:59 UTC)
Source: AlienVault OTX General

Description

A malicious Go module masquerading as a DNS/subdomain scanner has been identified as part of a sophisticated Windows malware staging operation named 'Muck and Load'. This operation uses a large GitHub-based infrastructure of 222 repositories across 190 accounts, employing automated workflows to appear legitimate. The malicious module downloads encoded PowerShell scripts that retrieve encrypted payloads from public platforms like Pastebin and Telegram. These payloads include well-known malware such as AsyncRAT, Quasar, Remcos, and Vidar infostealers, which are executed from disguised Microsoft-themed directories. At least 14 malware files have been confirmed within this network.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/09/2026, 11:47:50 UTC

Technical Analysis

The 'Muck and Load' operation leverages a malicious Go module distributed via GitHub repositories to stage Windows malware infections. The attack chain starts with a deceptive Go module that downloads encoded PowerShell content. This loader queries multiple public platforms (Pastebin, Telegram, YouTube, Instagram) serving as dead drops for encrypted payload locations. The payloads are password-protected archives containing RAT and infostealer malware families including AsyncRAT, Quasar, Remcos, and Vidar. The infrastructure consists of 222 repositories across 190 GitHub accounts, maintained with automated GitHub Actions workflows to simulate legitimate activity. The malware executes from masqueraded Microsoft-themed directories, complicating detection. This operation demonstrates a complex use of commit-farming workflows and public dead drops to evade traditional security controls.

Potential Impact

This threat enables attackers to deploy remote access trojans (RATs) and infostealer malware on Windows systems, potentially leading to unauthorized access, data theft, and system compromise. The use of a large, distributed GitHub infrastructure and public dead drops complicates detection and takedown efforts. The malware families involved are known for stealing sensitive information and enabling persistent remote control, which can result in significant operational and data security impacts for affected organizations.

Mitigation Recommendations

No official patch or remediation is available as this threat involves malicious use of public repositories and social engineering rather than a software vulnerability. Organizations should avoid using untrusted or unknown Go modules, especially those related to DNS or subdomain scanning, and perform thorough code reviews before integrating third-party modules. Monitoring for unusual PowerShell activity and network connections to public platforms used as dead drops can aid detection. GitHub repository owners should be vigilant against account compromise and unauthorized repository creation. Since this is not a cloud service, remediation depends on user vigilance and security controls. Patch status is not yet confirmed — check vendor advisories or security community updates for any emerging mitigations.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network"]
Adversary
null
Pulse Id
6a4f5adbd8cb65e0d44c0d53
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainrlim.com
domainmuckdeveloper.com
domainmuckcoding.com

Hash

ValueDescriptionCopy
hashb27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e
hashec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f
hash2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d
hash458e4c64738e8f46e997eea7cb32a296
hash1a9bbae96ab7a852312b802fd3694211f3bbc43f
hash9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7
hash129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff
hash86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c
hash57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629
hashe576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63
hash51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807
hash969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe
hash73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2
hasha628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4
hash4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4
hash235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609
hash33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29
hash45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242
hash810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344
hash938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089
hasha2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a
hashd7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15
hashd95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1
hashe73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad
hashf245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4
hash0aaea95ad6ef4a9baf02ae05289af617
hash64eb7ad3aaf9b6639ccc5c0b30b6e59f
hashcba1927cf6959dc99ecbd0c553e4db6f
hashebf10abb661350779d24d849f828eb0b
hash1eb377e01e1e649b3290efb0160f25cb5d13bd21
hash25d585a291235936eca70402fbb567017aad860a
hash2d1887930758b98b1a09f2f656079599f88a6bf6
hash7f2d59cfdf2b0550d22ac54d0b1fa5ac8f8b5f57

Url

ValueDescriptionCopy
urlhttps://muckcoding.com/LG-LW/Api-Certificate
urlhttps://rlim.com/MicrosoftCur/raw
urlhttps://muckdeveloper.com/LGTV/MicrosoftCur
urlhttp://muckcoding.com/LG-LW/Api-Certificate

Threat ID: 6a4f86cf68715ace433d713c

Added to database: 07/09/2026, 11:32:31 UTC

Last enriched: 07/09/2026, 11:47:50 UTC

Last updated: 07/09/2026, 16:22:44 UTC

Views: 16

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses