
Malicious Go Module Masquerading as SSH Brute-Force Tool Exfiltrates Credentials via Telegram Bot

📰 1 unique source, 1 article

Summary


A malicious Go module named "golang-random-ip-ssh-bruteforce" masquerades as a brute-force tool for SSH. It steals credentials from exposed SSH services and exfiltrates them via a Telegram bot. The module was published on June 24, 2022, and remains available on pkg.go[.]dev. It is linked to a GitHub account, IllDieAnyway (G3TT), which is no longer accessible. The threat actor is assessed to be of Russian origin. The module scans random IPv4 addresses for SSH services and attempts brute-force attacks using a hard-coded wordlist. Successful credentials are sent to a Telegram bot controlled by the attacker.

Timeline

  1. 24.08.2025 16:38 📰 1 article

    Malicious Go Module Masquerading as SSH Brute-Force Tool Exfiltrates Credentials via Telegram Bot

    A malicious Go module named "golang-random-ip-ssh-bruteforce" was discovered. It masquerades as a brute-force tool for SSH but steals credentials from exposed SSH services. The module was published on June 24, 2022, and remains available on pkg.go[.]dev. It is linked to a GitHub account, IllDieAnyway (G3TT), which is no longer accessible. The threat actor is assessed to be of Russian origin. The module scans random IPv4 addresses for SSH services and attempts brute-force attacks using a hard-coded wordlist. Successful credentials are sent to a Telegram bot controlled by the attacker.



Similar Happenings

TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs

A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM).

The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. They modify the SSH configuration of the host system to elevate privileges and provide backdoor access: the malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The attackers also create a cron job that executes every minute to block access to the Docker API's port 2375, denying other attackers future access to the exposed instance; the job is written to the host base64-encoded and blocks external access to port 2375 using whatever firewall utilities are available.

The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. It then downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host's utmp file to identify logged-in users. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. It includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome's remote debugging interface (port 9222).

The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.