EXECUTIVE SUMMARY:
A malicious software supply chain campaign has been identified involving a compromised Go module and a large network of GitHub repositories designed to distribute Windows-based malware. The campaign uses deceptive open-source projects and fake utility repositories to attract users into downloading malicious components. The activity involves hundreds of GitHub repositories that imitate legitimate software projects, creating a trusted appearance while acting as delivery points for malware such as remote access trojans (RATs), infostealers, and other malicious payloads.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
A malicious software supply chain campaign has been identified involving a compromised Go module and a large network of GitHub repositories designed to distribute Windows-based malware. The campaign uses deceptive open-source projects and fake utility repositories to attract users into downloading malicious components. The activity involves hundreds of GitHub repositories that imitate legitimate software projects, creating a trusted appearance while acting as delivery points for malware such as remote access trojans (RATs), infostealers, and other malicious payloads.[emaillocker id="1283"]
The attack begins with a malicious Go module disguised as a DNS and subdomain scanning tool based on a legitimate open-source project. The module executes hidden PowerShell commands that retrieve additional components from publicly available hosting locations and dead-drop services. These components act as downloaders and launchers, fetching encrypted archives containing malware payloads, extracting them, and executing them on targeted Windows systems. The threat actors used automated commit activity and multiple repository accounts to increase the credibility and visibility of malicious projects while distributing payloads including RATs, spyware, infostealers, trojan downloaders, and cryptominers.
This campaign highlights the growing risk of open-source software abuse, where threat actors exploit developer trust and repository ecosystems to deliver malware through seemingly legitimate projects. Organizations and developers should verify third-party dependencies, review open-source packages before adoption, monitor suspicious repository activity, and implement software supply chain security controls to reduce exposure to malicious modules and compromised development resources.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Resource Development | T1608.001 | Stage Capabilities | Upload Malware |
| Initial Access | T1195.001 | Supply Chain Compromise | Compromise Software Dependencies and Development Tools |
| Execution | T1204.002 | User Execution | Malicious File |
| T1059.001 | Command and Scripting Interpreter | PowerShell | |
| T1053.005 | Scheduled Task/Job | Scheduled Task | |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Stealth | T1564.003 | Hide Artifacts | Hidden Window |
| T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File | |
| T1140 | Deobfuscate/Decode Files or Information | - | |
| T1055.001 | Process Injection | Dynamic-link Library Injection | |
| T1036.005 | Masquerading | Match Legitimate Resource Name or Location | |
| Defense Impairment | T1685.003 | Disable or Modify Tools | Modify or Spoof Tool UI |
| T1112 | Modify Registry | - | |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | - |
| T1057 | Process Discovery | - | |
| T1012 | Query Registry | - | |
| Collection | T1113 | Screen Capture | - |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| T1102.001 | Web Service | Dead Drop Resolver | |
| T1071.001 | Application Layer Protocol | Web Protocols | |
| Impact | T1490 | Inhibit System Recovery | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0029 | Polymorphic Code |
| Discovery | E1083 | File and Directory Discovery |
| Execution | E1204 | User Execution |
| Exfiltration | E1020 | Automated Exfiltration |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Cryptography Micro-objective | C0031 | Decrypt Data |
REFERENCES:
The following reports contain further technical details:
https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network
[/emaillocker]