{"id":288252,"date":"2026-07-11T07:00:00","date_gmt":"2026-07-11T11:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/11\/fake-go-dns-scanner-spread-malware-through-over-200-github-repos-operation-muck-and-load-has-published-700-malicious-modules-since-january\/"},"modified":"2026-07-11T08:15:07","modified_gmt":"2026-07-11T12:15:07","slug":"fake-go-dns-scanner-spread-malware-through-over-200-github-repos-operation-muck-and-load-has-published-700-malicious-modules-since-january","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/11\/fake-go-dns-scanner-spread-malware-through-over-200-github-repos-operation-muck-and-load-has-published-700-malicious-modules-since-january\/","title":{"rendered":"Fake Go DNS scanner spread malware through over 200 GitHub repos \u2014 &#8216;Operation Muck and Load&#8217; has published 700 malicious modules since January"},"content":{"rendered":"<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos\">Fake Go DNS scanner spread malware through over 200 GitHub repos \u2014 &#8216;Operation Muck and Load&#8217; has published 700 malicious modules since January<\/a><\/p>\n<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos\">https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-11 07:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.tomshardware.com\">www.tomshardware.com<\/a><\/p>\n<p id=\"elk-aaa6fa54-7c81-11f1-b7a3-532b8f4798fe\">Supply-chain security firm Socket has published research findings describing a Go module that posed as a DNS and subdomain scanner while acting as a first-stage Windows malware loader. The firm then traced it to a network of 222 GitHub repositories across 190 accounts. The module published its first version on January 24 this year and has since accumulated more than 1,200 versions, over 700 of them malicious. Socket tracks the campaign as \u201cOperation Muck and Load\u201d and reported the module to the Go security team, which blocked it from the Go module proxy.<\/p>\n<p>Go deeper with TH Premium: AI and data centers<\/p>\n<p class=\"vanilla-image-block\" style=\"padding-top:56.25%;\">\n<p><span class=\"credit\" itemprop=\"copyrightHolder\">(Image credit: Microsoft)<\/span><\/p>\n<p id=\"elk-16206788-7c92-11f1-b073-7f0d094b5072\">Go derives a pseudo-version from the commit timestamp and hash for any commit that lacks a semantic version tag. Socket attributes the sprawl to the threat actor&#8217;s own GitHub Actions workflow, saying its timed commits could each be resolved as a version, inflating a scanner utility&#8217;s release history into the hundreds.<\/p>\n<p id=\"elk-16206788-7c92-11f1-b073-7f0d094b5072-1\">Across the confirmed repositories, Socket found the same workflow: it sets the Git email to ischhfd83@rambler.ru, sets the visible commit username to the current repository owner, and then force-pushes a rewritten log file every minute. That split generated owner-attributed activity across disposable accounts while leaving one reusable fingerprint. Socket counted a repository only when both the email and the workflow appeared together, resulting in 222 repositories as the confirmed minimum.<\/p>\n<p><span class=\"inline-flex items-center gap-1.5 text-sm font-article-heading capitalize leading-5 text-white whitespace-nowrap\"><span class=\"jwp-carousel-title-mobile\"\/><span class=\"jwp-carousel-title-desktop\">Latest Videos From<\/span><span class=\"jwp-carousel-brand inline-flex items-center\" aria-hidden=\"true\"><img decoding=\"async\" src=\"https:\/\/www.tomshardware.com\/media\/img\/brand_logo.svg\" alt=\"\" class=\"block h-[18px] w-auto shrink-0 brightness-0 invert\" aria-hidden=\"true\"\/><\/span><\/span><img decoding=\"async\" src=\"https:\/\/www.tomshardware.com\/media\/img\/brand_logo.svg\" alt=\"\" class=\"max-h-12 w-auto\" aria-hidden=\"true\"\/><\/p>\n<p>The module&#8217;s main.go launches a hidden PowerShell command that downloads content from muckcoding.com, decodes it with certutil, and runs the result with execution-policy bypass. Socket describes the decoded script as a multi-layer loader using Base64 encoding and XOR decryption, with a Turkish-language comment in one layer that translates to &#8220;run directly, no other step is needed.&#8221;<\/p>\n<p>Rather than hardcoding a payload URL, the resolver retrieves text from public platforms, searches it for the marker string &#8220;LastW,&#8221; then&#8230;<\/p>\n<p><a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fake Go DNS scanner spread malware through over 200 GitHub repos \u2014 &#8216;Operation Muck and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":288253,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.mos.cms.futurecdn.net\/2Z9rxwcvZrC34RGiyKN9Tj-1920-80.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[20,32,57,34],"class_list":["post-288252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-artificial-intelligence","tag-malware","tag-security","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/288252"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=288252"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/288252\/revisions"}],"predecessor-version":[{"id":288254,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/288252\/revisions\/288254"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/288253"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=288252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=288252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=288252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}