{"id":242283,"date":"2026-07-11T07:00:00","date_gmt":"2026-07-11T11:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/11\/fake-go-dns-scanner-spread-malware-through-over-200-github-repos-operation-muck-and-load-has-published-700-malicious-modules-since-january\/"},"modified":"2026-07-11T07:35:07","modified_gmt":"2026-07-11T11:35:07","slug":"fake-go-dns-scanner-spread-malware-through-over-200-github-repos-operation-muck-and-load-has-published-700-malicious-modules-since-january","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/11\/fake-go-dns-scanner-spread-malware-through-over-200-github-repos-operation-muck-and-load-has-published-700-malicious-modules-since-january\/","title":{"rendered":"Fake Go DNS scanner spread malware through over 200 GitHub repos \u2014 &#8216;Operation Muck and Load&#8217; has published 700 malicious modules since January"},"content":{"rendered":"<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos\">Fake Go DNS scanner spread malware through over 200 GitHub repos \u2014 &#8216;Operation Muck and Load&#8217; has published 700 malicious modules since January<\/a><\/p>\n<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos\">https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-11 07:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.tomshardware.com\">www.tomshardware.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>Supply-chain security firm Socket has published research findings describing a Go module that posed as a DNS and subdomain scanner while acting as a first-stage Windows malware loader. The firm then traced it to a network of 222 GitHub repositories across 190 accounts. The module published its first version on January 24 this year and has since accumulated more than 1,200 versions, over 700 of them malicious. Socket tracks the campaign as \u201cOperation Muck and Load\u201d and reported the module to the Go security team, which blocked it from the Go module proxy.Go deeper with TH Premium: AI and data centers <\/p>\n<p>(Image credit: Microsoft)Go derives a pseudo-version from the commit timestamp and hash for any commit that lacks a semantic version tag. Socket attributes the sprawl to the threat actor&#8217;s own GitHub Actions workflow, saying its timed commits could each be resolved as a version, inflating a scanner utility&#8217;s release history into the hundreds.Across the confirmed repositories, Socket found the same workflow: it sets the Git email to ischhfd83@rambler.ru, sets the visible commit username to the current repository owner, and then force-pushes a rewritten log file every minute. That split generated owner-attributed activity across disposable accounts while leaving one reusable fingerprint. Socket counted a repository only when both the email and the workflow appeared together, resulting in 222 repositories as the confirmed minimum.Latest Videos FromThe module&#8217;s main.go launches a hidden PowerShell command that downloads content from muckcoding.com, decodes it with certutil, and runs the result with execution-policy bypass. Socket describes the decoded script as a multi-layer loader using Base64 encoding and XOR decryption, with a Turkish-language comment in one layer that translates to &#8220;run directly, no other step is needed.&#8221;Rather than hardcoding a payload URL, the resolver retrieves text from public platforms, searches it for the marker string &#8220;LastW,&#8221; then decrypts the trailing blob with a hardcoded key to recover the actual download location. Primary dead drops include Pastebin and a paste service called Rlim, with fallbacks across YouTube, Instagram, Telegram, Google Docs, and GitCode. If defenders remove one paste or block the final archive URL, the actor can update the resolver content without touching the first-stage loader.<\/p>\n<p>            You may like<\/p>\n<p>    The resolved URL points to a password-protected 7-Zip archive hosted as a GitHub release asset. The loader extracts it into a directory named to resemble a legitimate Microsoft Photos install and launches Microsoft.exe from that path with a hidden window. Decoded payload stages map to AsyncRAT, Quasar, and Remcos-style RAT detections alongside infostealer behavior.Socket confirmed at least 14 unique malware files across the analyzed set, including Trojan loaders and downloaders, Vidar infostealer, dropper and spyware payloads, and XMRig-related Monero cryptominers. One Loader.exe appeared byte-identically across four separate repositories.Get Tom&#8217;s Hardware&#8217;s best news and in-depth reviews, straight to your inbox.Lure themes span MetaMask and Trust Wallet integrations, seed-phrase utilities, Binance and PayPal automation, Telegram and Discord bots, and game cheats for PUBG, Valorant, and Escape from Tarkov. One PUBG repository, nrevv1lad\/Pubg-DESYNC-Menu, presented itself as an external cheat with an installation guide while hosting a Vidar-linked Loader.exe in its source tree.Socket assesses with high confidence that Operation Muck and Load belongs to the same cluster that Sophos documented in June last year. Sophos researchers Matt Wixey and Andrew O&#8217;Donnell traced 141 GitHub repositories, 133 of them backdoored, to the same ischhfd83@rambler.ru address. Sophos also identified &#8220;Muck&#8221; as one of the actor&#8217;s aliases, a label now embedded in the muckcoding.com and muckdeveloper.com domains.Neither GitHub nor the Go team has commented beyond the proxy block. <\/p>\n<p>Follow Tom&#8217;s Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, &#038; reviews in your feeds.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fake Go DNS scanner spread malware through over 200 GitHub repos \u2014 &#8216;Operation Muck and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242284,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.mos.cms.futurecdn.net\/2Z9rxwcvZrC34RGiyKN9Tj-1920-80.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,36,32,34],"class_list":["post-242283","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-infostealer","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242283"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242283"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242283\/revisions"}],"predecessor-version":[{"id":242285,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242283\/revisions\/242285"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242284"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}