Fake Go DNS scanner spread malware through over 200 GitHub repos — ‘Operation Muck and Load’ has published 700 malicious modules since January

Fake Go DNS scanner spread malware through over 200 GitHub repos — ‘Operation Muck and Load’ has published 700 malicious modules since January

Fake Go DNS scanner spread malware through over 200 GitHub repos — ‘Operation Muck and Load’ has published 700 malicious modules since January

https://www.tomshardware.com/tech-industry/cyber-security/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos

Publish Date: 2026-07-11 07:00:00

Source Domain: www.tomshardware.com

Supply-chain security firm Socket has published research findings describing a Go module that posed as a DNS and subdomain scanner while acting as a first-stage Windows malware loader. The firm then traced it to a network of 222 GitHub repositories across 190 accounts. The module published its first version on January 24 this year and has since accumulated more than 1,200 versions, over 700 of them malicious. Socket tracks the campaign as “Operation Muck and Load” and reported the module to the Go security team, which blocked it from the Go module proxy.

Go deeper with TH Premium: AI and data centers

(Image credit: Microsoft)

Go derives a pseudo-version from the commit timestamp and hash for any commit that lacks a semantic version tag. Socket attributes the sprawl to the threat actor’s own GitHub Actions workflow, saying its timed commits could each be resolved as a version, inflating a scanner utility’s release history into the hundreds.

Across the confirmed repositories, Socket found the same workflow: it sets the Git email to [email protected], sets the visible commit username to the current repository owner, and then force-pushes a rewritten log file every minute. That split generated owner-attributed activity across disposable accounts while leaving one reusable fingerprint. Socket counted a repository only when both the email and the workflow appeared together, resulting in 222 repositories as the confirmed minimum.

Latest Videos From

The module’s main.go launches a hidden PowerShell command that downloads content from muckcoding.com, decodes it with certutil, and runs the result with execution-policy bypass. Socket describes the decoded script as a multi-layer loader using Base64 encoding and XOR decryption, with a Turkish-language comment in one layer that translates to “run directly, no other step is needed.”

Rather than hardcoding a payload URL, the resolver retrieves text from public platforms, searches it for the marker string “LastW,” then…

Source