Threat Advisory

Malicious Go Module Spreads Malware Across GitHub Repositories

Threat: Malware Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A malicious software supply chain campaign has been identified involving a compromised Go module and a large network of GitHub repositories designed to distribute Windows-based malware. The campaign uses deceptive open-source projects and fake utility repositories to attract users into downloading malicious components. The activity involves hundreds of GitHub repositories that imitate legitimate software projects, creating a trusted appearance while acting as delivery points for malware such as remote access trojans (RATs), infostealers, and other malicious payloads.[/subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A malicious software supply chain campaign has been identified involving a compromised Go module and a large network of GitHub repositories designed to distribute Windows-based malware. The campaign uses deceptive open-source projects and fake utility repositories to attract users into downloading malicious components. The activity involves hundreds of GitHub repositories that imitate legitimate software projects, creating a trusted appearance while acting as delivery points for malware such as remote access trojans (RATs), infostealers, and other malicious payloads.[emaillocker id="1283"]

The attack begins with a malicious Go module disguised as a DNS and subdomain scanning tool based on a legitimate open-source project. The module executes hidden PowerShell commands that retrieve additional components from publicly available hosting locations and dead-drop services. These components act as downloaders and launchers, fetching encrypted archives containing malware payloads, extracting them, and executing them on targeted Windows systems. The threat actors used automated commit activity and multiple repository accounts to increase the credibility and visibility of malicious projects while distributing payloads including RATs, spyware, infostealers, trojan downloaders, and cryptominers.

This campaign highlights the growing risk of open-source software abuse, where threat actors exploit developer trust and repository ecosystems to deliver malware through seemingly legitimate projects. Organizations and developers should verify third-party dependencies, review open-source packages before adoption, monitor suspicious repository activity, and implement software supply chain security controls to reduce exposure to malicious modules and compromised development resources.

 

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Resource Development T1608.001 Stage Capabilities Upload Malware
Initial Access T1195.001 Supply Chain Compromise Compromise Software Dependencies and Development Tools
Execution T1204.002 User Execution Malicious File
T1059.001 Command and Scripting Interpreter PowerShell
T1053.005 Scheduled Task/Job Scheduled Task
Persistence T1543.003 Create or Modify System Process Windows Service
Privilege Escalation T1548.002 Abuse Elevation Control Mechanism Bypass User Account Control
Stealth T1564.003 Hide Artifacts Hidden Window
T1027.013 Obfuscated Files or Information Encrypted/Encoded File
T1140 Deobfuscate/Decode Files or Information -
T1055.001 Process Injection Dynamic-link Library Injection
T1036.005 Masquerading Match Legitimate Resource Name or Location
Defense Impairment T1685.003 Disable or Modify Tools Modify or Spoof Tool UI
T1112 Modify Registry -
Credential Access T1555.003 Credentials from Password Stores Credentials from Web Browsers
Discovery T1082 System Information Discovery -
T1057 Process Discovery -
T1012 Query Registry -
Collection T1113 Screen Capture -
Command and Control T1105 Ingress Tool Transfer -
T1102.001 Web Service Dead Drop Resolver
T1071.001 Application Layer Protocol Web Protocols
Impact T1490 Inhibit System Recovery -

 

MBC MAPPING:

Objective Behaviour ID Behaviour
Anti-Behavioral Analysis B0003 Dynamic Analysis Evasion
Anti-Static Analysis E1027 Obfuscated Files or Information
Command and Control B0030 C2 Communication
Defense Evasion B0029 Polymorphic Code
Discovery E1083 File and Directory Discovery
Execution E1204 User Execution
Exfiltration E1020 Automated Exfiltration
Persistence F0012 Registry Run Keys / Startup Folder
Cryptography Micro-objective C0031 Decrypt Data

 

REFERENCES:

The following reports contain further technical details:

https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network

[/emaillocker]
crossmenu