216.73.216.170

Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

· Published 09/07/2026 10:24

Export JSON

Essential information

Published
09/07/2026 10:24
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
asyncrat commit farming dead drop resolver github lure network go module operation muck and load powershell loader quasar remcos vidar xmrig
Related entities
30 indicators, 7 observables, 18 techniques (mitre), 5 malware

Description

A malicious Go module posing as a DNS/subdomain scanner exposed a sophisticated Windows malware staging operation utilizing commit-farming workflows, public dead drops, and protected archives to deploy RAT and infostealer malware. The operation, tracked as 'Muck and Load', leverages a GitHub-based infrastructure comprising 222 confirmed repositories across 190 accounts designed to appear active and legitimate through automated GitHub Actions workflows. The attack chain begins with a deceptive Go module that downloads encoded PowerShell content, which then queries multiple public platforms including Pastebin, Telegram, YouTube, and Instagram as dead drops for encrypted payload locations. The loader retrieves password-protected archives containing , , , and infostealer payloads, executing them from masqueraded Microsoft-themed directories. At least 14 malware files were confirmed across the repository network.

External references