Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

    Date: 07/14/2026

    Severity: Medium

    Summary

    Our investigation began with a malicious Go module masquerading as a DNS/subdomain scanner. The module exposed a Windows malware chain using hidden PowerShell and dead-drop resolution. Pivoting revealed a larger GitHub lure network of 222 repositories across 190 accounts. We track this campaign as "Operation Muck and Load" based on its infrastructure and behavior. "Muck" stems from Muck-themed domains, while "Load" describes the multi-stage execution chain. The name serves as a tracking label for a recurring operational pattern that is hard to disguise. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    muckcoding.com

    muckdeveloper.com

    https://muckcoding.com/LG-LW/Api-Certificate

    https://muckdeveloper.com/LGTV/MicrosoftCur

    https://pastebin.com/raw/xy32SJgf

    https://rlim.com/MicrosoftCur/raw

    https://youtu.be/GAS67zAOssc

    https://www.instagram.com/p/DG20Zt9Mj4P/

    https://t.me/s/dwmic

    https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt

    https://gitcode.com/LastWer/MicrosoftCur/raw

    https://github.com/tb78/expresso/releases/download/Release/Quixo.7z

    Hash 

    129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff

    86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c

    57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629

    e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63

    51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807

    969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe

    73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2

    a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4

    4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4

    235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609

    2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d

    33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29

    45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242

    810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344

    938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089

    9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7

    a2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a

    b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e

    d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15

    d95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1

    e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad

    ec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f

    f245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4

    Email Address 

    ischhfd83@rambler.ru

    Malicious Go Module

    github.com/kaleidora/dnsub-scanning-tool

    Staging Paths, Directories, and Payload Paths

    C:\Users\Public\Pictures\api.db

    C:\Users\Public\Pictures\L.ps1

    C:\Users\Public\Documents\umun\

    C:\ProgramData\zipathh\7zrr.exe

    C:\ProgramData\Windows.Microsoft.Photos\current\Microsoft.exe

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "muckdeveloper.com" or url like "muckdeveloper.com" or siteurl like "muckdeveloper.com" or domainname like "https://muckdeveloper.com/LGTV/MicrosoftCur" or url like "https://muckdeveloper.com/LGTV/MicrosoftCur" or siteurl like "https://muckdeveloper.com/LGTV/MicrosoftCur" or domainname like "https://gitcode.com/LastWer/MicrosoftCur/raw" or url like "https://gitcode.com/LastWer/MicrosoftCur/raw" or siteurl like "https://gitcode.com/LastWer/MicrosoftCur/raw" or domainname like "muckcoding.com" or url like "muckcoding.com" or siteurl like "muckcoding.com" or domainname like "https://www.instagram.com/p/DG20Zt9Mj4P/" or url like "https://www.instagram.com/p/DG20Zt9Mj4P/" or siteurl like "https://www.instagram.com/p/DG20Zt9Mj4P/" or domainname like "https://github.com/tb78/expresso/releases/download/Release/Quixo.7z" or url like "https://github.com/tb78/expresso/releases/download/Release/Quixo.7z" or siteurl like "https://github.com/tb78/expresso/releases/download/Release/Quixo.7z" or domainname like "https://t.me/s/dwmic" or url like "https://t.me/s/dwmic" or siteurl like "https://t.me/s/dwmic" or domainname like "https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt" or url like "https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt" or siteurl like "https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt" or domainname like "https://rlim.com/MicrosoftCur/raw" or url like "https://rlim.com/MicrosoftCur/raw" or siteurl like "https://rlim.com/MicrosoftCur/raw" or domainname like "https://youtu.be/GAS67zAOssc" or url like "https://youtu.be/GAS67zAOssc" or siteurl like "https://youtu.be/GAS67zAOssc" or domainname like "https://pastebin.com/raw/xy32SJgf" or url like "https://pastebin.com/raw/xy32SJgf" or siteurl like "https://pastebin.com/raw/xy32SJgf" or domainname like "https://muckcoding.com/LG-LW/Api-Certificate" or url like "https://muckcoding.com/LG-LW/Api-Certificate" or siteurl like "https://muckcoding.com/LG-LW/Api-Certificate"

    Detection Query 2 :

    sha256hash IN ("d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15","235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609","9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7","b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e","f245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4","33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29","810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344","ec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f","969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe","938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089","d95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1","2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d","45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242","4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4","a2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a","e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad","129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff","86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c","57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629","e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63","51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807","73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2","a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4")

    Detection Query 3 :

    sender like "ischhfd83@rambler.ru" or recipient like "ischhfd83@rambler.ru" or from like "ischhfd83@rambler.ru"

    Detection Query 4 :

    datasourcename = "Windows Security" and eventtype = "4663" and objectname IN ("C:\Users\Public\Pictures\api.db","C:\Users\Public\Pictures\L.ps1","C:\Users\Public\Documents\umun","C:\ProgramData\zipathh\7zrr.exe","C:\ProgramData\Windows.Microsoft.Photos\current\Microsoft.exe")

    Detection Query 5 :

    technologygroup = "EDR" and objectname IN ("C:\Users\Public\Pictures\api.db","C:\Users\Public\Pictures\L.ps1","C:\Users\Public\Documents\umun","C:\ProgramData\zipathh\7zrr.exe","C:\ProgramData\Windows.Microsoft.Photos\current\Microsoft.exe")

    Reference:    

    https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network


    Tags

    MalwarePowerShell AttackGitHub

    « Previous Article

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags