Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories
Essential information
- Published
- 09/07/2026 10:24
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- asyncrat commit farming dead drop resolver github lure network go module operation muck and load powershell loader quasar remcos vidar xmrig
- Related entities
- 30 indicators, 7 observables, 18 techniques (mitre), 5 malware
Description
A malicious Go module posing as a DNS/subdomain scanner exposed a sophisticated Windows malware staging operation utilizing commit-farming workflows, public dead drops, and protected archives to deploy RAT and infostealer malware. The operation, tracked as 'Muck and Load', leverages a GitHub-based infrastructure comprising 222 confirmed repositories across 190 accounts designed to appear active and legitimate through automated GitHub Actions workflows. The attack chain begins with a deceptive Go module that downloads encoded PowerShell content, which then queries multiple public platforms including Pastebin, Telegram, YouTube, and Instagram as dead drops for encrypted payload locations. The loader retrieves password-protected archives containing AsyncRAT, Quasar, Remcos, and Vidar infostealer payloads, executing them from masqueraded Microsoft-themed directories. At least 14 malware files were confirmed across the repository network.