Malicious Go Crypto Module Exploits Namespace Confusion to Deploy Rekoobe Backdoor
Summary
A malicious Go module named github[.]com/xinfeisoft/crypto impersonates the legitimate "golang.org/x/crypto" codebase to steal passwords and deploy the Rekoobe Linux backdoor. The module exploits namespace confusion to inject malicious code that exfiltrates secrets entered via terminal password prompts and executes a shell script that creates persistent access via SSH and loosens firewall restrictions. The campaign targets high-value boundaries like ReadPassword() and uses GitHub Raw as a rotating pointer, which lets the operators rotate infrastructure. The package remains listed on pkg.go.dev but has been blocked by the Go security team. The Rekoobe backdoor, known since 2015, is capable of receiving commands to download more payloads, steal files, and execute a reverse shell. It has been used by Chinese nation-state groups like APT31.
Timeline
- 27.02.2026 17:33 (1 article)
  Malicious Go Crypto Module Exploits Namespace Confusion to Deploy Rekoobe Backdoor
  A malicious Go module named github[.]com/xinfeisoft/crypto impersonates the legitimate "golang.org/x/crypto" codebase to steal passwords and deploy the Rekoobe Linux backdoor. The module exploits namespace confusion to inject malicious code that exfiltrates secrets entered via terminal password prompts and executes a shell script that creates persistent access via SSH and loosens firewall restrictions. The campaign targets high-value boundaries like ReadPassword() and uses GitHub Raw as a rotating pointer, which lets the operators rotate infrastructure. The Rekoobe backdoor, known since 2015, is capable of receiving commands to download more payloads, steal files, and execute a reverse shell. It has been used by Chinese nation-state groups like APT31.
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
Information Snippets
- The malicious Go module github[.]com/xinfeisoft/crypto impersonates the legitimate "golang.org/x/crypto" codebase.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- The module injects malicious code that exfiltrates secrets entered via terminal password prompts to a remote endpoint.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- The module fetches and executes a shell script that creates persistent access via SSH and loosens firewall restrictions.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- The script appends a threat actor's SSH key to the "/home/ubuntu/.ssh/authorized_keys" file and retrieves additional payloads.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- One payload tests internet connectivity and communicates with an IP address ("154.84.63[.]184") over TCP port 443.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- The second payload is the Rekoobe Linux trojan, capable of receiving commands to download more payloads, steal files, and execute a reverse shell.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- The package remains listed on pkg.go.dev but has been blocked by the Go security team.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
- The campaign exploits namespace confusion and uses GitHub Raw as a rotating pointer, which lets the operators rotate infrastructure.
  First reported: 27.02.2026 17:33 (1 source, 1 article)
  - Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor — thehackernews.com — 27.02.2026 17:33
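
A defender-side check for the impersonation described in the summary, as an added example that is not part of the original report: it scans a go.mod for the reported module path and for modules outside golang.org whose name matches a golang.org/x repository. The `ScanGoMod` helper, the repository subset and the sample go.mod (including its versions and example paths) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path reported on this page, written without the defanging brackets.
const reportedModule = "github.com/xinfeisoft/crypto"

// golang.org/x repository names to watch for lookalikes (assumed subset).
var xRepos = map[string]bool{"crypto": true, "net": true, "sys": true, "term": true}

// ScanGoMod (hypothetical helper) flags the reported module and any module
// outside golang.org whose last path element matches a golang.org/x repo.
func ScanGoMod(gomod string) []string {
	var out []string
	for i, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0]) // drop comments
		if strings.HasPrefix(line, "module ") {
			continue // the project's own path is not a dependency
		}
		for _, tok := range strings.Fields(line) {
			if !strings.Contains(tok, "/") || strings.HasPrefix(tok, ".") || strings.HasPrefix(tok, "/") {
				continue // keyword, version, "=>" or local replace path
			}
			last := tok[strings.LastIndex(tok, "/")+1:]
			switch {
			case tok == reportedModule || strings.HasPrefix(tok, reportedModule+"/"):
				out = append(out, fmt.Sprintf("line %d: %s (module reported as malicious)", i+1, tok))
			case !strings.HasPrefix(tok, "golang.org/") && xRepos[last]:
				out = append(out, fmt.Sprintf("line %d: %s (lookalike of golang.org/x/%s)", i+1, tok, last))
			}
		}
	}
	return out
}

// Constructed sample go.mod: versions and example paths are made up.
const sampleGoMod = `module example.com/app
require (
	golang.org/x/crypto v0.31.0
	github.com/xinfeisoft/crypto v0.15.0 // indirect
)
replace golang.org/x/term => github.com/example/term v0.1.0
`

func main() {
	fmt.Println(strings.Join(ScanGoMod(sampleGoMod), "\n"))
}
```

A lookalike hit is a prompt for review rather than proof of compromise, since legitimate forks can share a final path element with a golang.org/x repository.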