
Golang-random-ip-ssh-bruteforce SSH credential-theft module

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The golang-random-ip-ssh-bruteforce Go module has been identified as a malicious SSH credential-theft tool. It scans random IPv4 addresses for exposed SSH services on TCP port 22, tries logins from a built-in username-password list with host key verification disabled, and sends any credentials that work to a Telegram bot. The activity matters because it turns unwitting operators’ infrastructure into a distributed brute-force platform while quietly exfiltrating access data.
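
A source-audit check for two of the traits named above, as an added example (not code from the module or from the researchers): it parses Go source and flags calls to InsecureIgnoreHostKey from golang.org/x/crypto/ssh and string literals naming api.telegram.org, the Telegram Bot API host. The function name Audit and the sample input are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Audit returns "line: reason" findings for calls to InsecureIgnoreHostKey on the
// x/crypto/ssh package (import aliases resolved) and for Telegram Bot API literals.
func Audit(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	sshNames := map[string]bool{"ssh": true} // default package name
	for _, imp := range f.Imports {
		if imp.Name != nil && imp.Path.Value == "\"golang.org/x/crypto/ssh\"" {
			sshNames[imp.Name.Name] = true // import alias
		}
	}
	var out []string
	add := func(n ast.Node, why string) {
		out = append(out, fmt.Sprintf("%d: %s", fset.Position(n.Pos()).Line, why))
	}
	ast.Inspect(f, func(n ast.Node) bool {
		if s, ok := n.(*ast.SelectorExpr); ok && s.Sel.Name == "InsecureIgnoreHostKey" {
			if id, ok := s.X.(*ast.Ident); ok && sshNames[id.Name] {
				add(s, "SSH host key verification disabled")
			}
		}
		if l, ok := n.(*ast.BasicLit); ok && l.Kind == token.STRING && strings.Contains(l.Value, "api.telegram.org") {
			add(l, "Telegram Bot API endpoint in string literal")
		}
		return true
	})
	return out, nil
}

// sample is constructed input for this example, not code from the module.
const sample = "package x\nimport cs \"golang.org/x/crypto/ssh\"\n" +
	"const u = \"https://api.telegram.org/botPLACEHOLDER/sendMessage\"\n" +
	"var cb = cs.InsecureIgnoreHostKey()\n"

func main() { fmt.Println(Audit(sample)) }
```

Either finding alone is common in legitimate code; a dependency that shows both is worth reading in full before it is built or run.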


Timeline

  1. 24.08.2025 03:00 · 1 article

    Researchers disclose SSH credential theft behavior

    Technical Analysis Update

    Researchers disclosed that golang-random-ip-ssh-bruteforce scans random IPv4 addresses for exposed SSH services on TCP port 22, brute-forces logins with an embedded username-password list, disables host key verification with ssh.InsecureIgnoreHostKey, and exfiltrates successful credentials to the threat actor-controlled Telegram bot @sshZXC_bot and the handle @io_ping.
