Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories
A malicious Go module masquerading as a DNS/subdomain scanner has been identified as part of a sophisticated Windows malware staging operation named 'Muck and Load'. This operation uses a large GitHub-based infrastructure of 222 repositories across 190 accounts, employing automated workflows to appear legitimate. The malicious module downloads encoded PowerShell scripts that retrieve encrypted payloads from public platforms like Pastebin and Telegram. These payloads include well-known malware such as AsyncRAT, Quasar, Remcos, and Vidar infostealers, which are executed from disguised Microsoft-themed directories. At least 14 malware files have been confirmed within this network.
AI Analysis
Technical Summary
The 'Muck and Load' operation leverages a malicious Go module distributed via GitHub repositories to stage Windows malware infections. The attack chain starts with a deceptive Go module that downloads encoded PowerShell content. This loader queries multiple public platforms (Pastebin, Telegram, YouTube, Instagram) serving as dead drops for encrypted payload locations. The payloads are password-protected archives containing RAT and infostealer malware families including AsyncRAT, Quasar, Remcos, and Vidar. The infrastructure consists of 222 repositories across 190 GitHub accounts, maintained with automated GitHub Actions workflows to simulate legitimate activity. The malware executes from masqueraded Microsoft-themed directories, complicating detection. This operation demonstrates a complex use of commit-farming workflows and public dead drops to evade traditional security controls.
Potential Impact
This threat enables attackers to deploy remote access trojans (RATs) and infostealer malware on Windows systems, potentially leading to unauthorized access, data theft, and system compromise. The use of a large, distributed GitHub infrastructure and public dead drops complicates detection and takedown efforts. The malware families involved are known for stealing sensitive information and enabling persistent remote control, which can result in significant operational and data security impacts for affected organizations.
Mitigation Recommendations
No official patch or remediation is available as this threat involves malicious use of public repositories and social engineering rather than a software vulnerability. Organizations should avoid using untrusted or unknown Go modules, especially those related to DNS or subdomain scanning, and perform thorough code reviews before integrating third-party modules. Monitoring for unusual PowerShell activity and network connections to public platforms used as dead drops can aid detection. GitHub repository owners should be vigilant against account compromise and unauthorized repository creation. Since this is not a cloud service, remediation depends on user vigilance and security controls. Patch status is not yet confirmed — check vendor advisories or security community updates for any emerging mitigations.
Indicators of Compromise
- domain: rlim.com
- domain: muckdeveloper.com
- hash: b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e
- hash: ec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f
- hash: 2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d
- hash: 458e4c64738e8f46e997eea7cb32a296
- hash: 1a9bbae96ab7a852312b802fd3694211f3bbc43f
- hash: 9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7
- domain: muckcoding.com
- url: https://muckcoding.com/LG-LW/Api-Certificate
- url: https://rlim.com/MicrosoftCur/raw
- url: https://muckdeveloper.com/LGTV/MicrosoftCur
- hash: 129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff
- hash: 86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c
- hash: 57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629
- hash: e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63
- hash: 51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807
- hash: 969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe
- hash: 73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2
- hash: a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4
- hash: 4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4
- hash: 235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609
- hash: 33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29
- hash: 45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242
- hash: 810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344
- hash: 938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089
- hash: a2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a
- hash: d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15
- hash: d95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1
- hash: e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad
- hash: f245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4
- hash: 0aaea95ad6ef4a9baf02ae05289af617
- hash: 64eb7ad3aaf9b6639ccc5c0b30b6e59f
- hash: cba1927cf6959dc99ecbd0c553e4db6f
- hash: ebf10abb661350779d24d849f828eb0b
- hash: 1eb377e01e1e649b3290efb0160f25cb5d13bd21
- hash: 25d585a291235936eca70402fbb567017aad860a
- hash: 2d1887930758b98b1a09f2f656079599f88a6bf6
- hash: 7f2d59cfdf2b0550d22ac54d0b1fa5ac8f8b5f57
- url: http://muckcoding.com/LG-LW/Api-Certificate
Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories
Description
A malicious Go module masquerading as a DNS/subdomain scanner has been identified as part of a sophisticated Windows malware staging operation named 'Muck and Load'. This operation uses a large GitHub-based infrastructure of 222 repositories across 190 accounts, employing automated workflows to appear legitimate. The malicious module downloads encoded PowerShell scripts that retrieve encrypted payloads from public platforms like Pastebin and Telegram. These payloads include well-known malware such as AsyncRAT, Quasar, Remcos, and Vidar infostealers, which are executed from disguised Microsoft-themed directories. At least 14 malware files have been confirmed within this network.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'Muck and Load' operation leverages a malicious Go module distributed via GitHub repositories to stage Windows malware infections. The attack chain starts with a deceptive Go module that downloads encoded PowerShell content. This loader queries multiple public platforms (Pastebin, Telegram, YouTube, Instagram) serving as dead drops for encrypted payload locations. The payloads are password-protected archives containing RAT and infostealer malware families including AsyncRAT, Quasar, Remcos, and Vidar. The infrastructure consists of 222 repositories across 190 GitHub accounts, maintained with automated GitHub Actions workflows to simulate legitimate activity. The malware executes from masqueraded Microsoft-themed directories, complicating detection. This operation demonstrates a complex use of commit-farming workflows and public dead drops to evade traditional security controls.
Potential Impact
This threat enables attackers to deploy remote access trojans (RATs) and infostealer malware on Windows systems, potentially leading to unauthorized access, data theft, and system compromise. The use of a large, distributed GitHub infrastructure and public dead drops complicates detection and takedown efforts. The malware families involved are known for stealing sensitive information and enabling persistent remote control, which can result in significant operational and data security impacts for affected organizations.
Mitigation Recommendations
No official patch or remediation is available as this threat involves malicious use of public repositories and social engineering rather than a software vulnerability. Organizations should avoid using untrusted or unknown Go modules, especially those related to DNS or subdomain scanning, and perform thorough code reviews before integrating third-party modules. Monitoring for unusual PowerShell activity and network connections to public platforms used as dead drops can aid detection. GitHub repository owners should be vigilant against account compromise and unauthorized repository creation. Since this is not a cloud service, remediation depends on user vigilance and security controls. Patch status is not yet confirmed — check vendor advisories or security community updates for any emerging mitigations.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network"]
- Adversary
- null
- Pulse Id
- 6a4f5adbd8cb65e0d44c0d53
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainrlim.com | — | |
domainmuckdeveloper.com | — | |
domainmuckcoding.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashb27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e | — | |
hashec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f | — | |
hash2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d | — | |
hash458e4c64738e8f46e997eea7cb32a296 | — | |
hash1a9bbae96ab7a852312b802fd3694211f3bbc43f | — | |
hash9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7 | — | |
hash129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff | — | |
hash86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c | — | |
hash57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629 | — | |
hashe576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63 | — | |
hash51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807 | — | |
hash969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe | — | |
hash73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2 | — | |
hasha628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4 | — | |
hash4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4 | — | |
hash235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609 | — | |
hash33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29 | — | |
hash45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242 | — | |
hash810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344 | — | |
hash938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089 | — | |
hasha2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a | — | |
hashd7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15 | — | |
hashd95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1 | — | |
hashe73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad | — | |
hashf245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4 | — | |
hash0aaea95ad6ef4a9baf02ae05289af617 | — | |
hash64eb7ad3aaf9b6639ccc5c0b30b6e59f | — | |
hashcba1927cf6959dc99ecbd0c553e4db6f | — | |
hashebf10abb661350779d24d849f828eb0b | — | |
hash1eb377e01e1e649b3290efb0160f25cb5d13bd21 | — | |
hash25d585a291235936eca70402fbb567017aad860a | — | |
hash2d1887930758b98b1a09f2f656079599f88a6bf6 | — | |
hash7f2d59cfdf2b0550d22ac54d0b1fa5ac8f8b5f57 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://muckcoding.com/LG-LW/Api-Certificate | — | |
urlhttps://rlim.com/MicrosoftCur/raw | — | |
urlhttps://muckdeveloper.com/LGTV/MicrosoftCur | — | |
urlhttp://muckcoding.com/LG-LW/Api-Certificate | — |
Threat ID: 6a4f86cf68715ace433d713c
Added to database: 07/09/2026, 11:32:31 UTC
Last enriched: 07/09/2026, 11:47:50 UTC
Last updated: 07/09/2026, 16:22:44 UTC
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.