
Go derives a pseudo-version from the commit timestamp and hash for any commit that lacks a semantic version tag. Socket attributes the sprawl to the threat actor's own GitHub Actions workflow, saying its timed commits could each be resolved as a version, inflating a scanner utility's release history into the hundreds.
Across the confirmed repositories, Socket found the same workflow: it sets the Git email to ischhfd83@rambler.ru, sets the visible commit username to the current repository owner, and then force-pushes a rewritten log file every minute. That split generated owner-attributed activity across disposable accounts while leaving one reusable fingerprint. Socket counted a repository only when both the email and the workflow appeared together, resulting in 222 repositories as the confirmed minimum.
The module's main.go launches a hidden PowerShell command that downloads content from muckcoding.com, decodes it with certutil, and runs the result with execution-policy bypass. Socket describes the decoded script as a multi-layer loader using Base64 encoding and XOR decryption, with a Turkish-language comment in one layer that translates to "run directly, no other step is needed."
Rather than hardcoding a payload URL, the resolver retrieves text from public platforms, searches it for the marker string "LastW," then decrypts the trailing blob with a hardcoded key to recover the actual download location. Primary dead drops include Pastebin and a paste service called Rlim, with fallbacks across YouTube, Instagram, Telegram, Google Docs, and GitCode. If defenders remove one paste or block the final archive URL, the actor can update the resolver content without touching the first-stage loader.
Hades malware campaign tricks AI scanners with fake nuclear weapon prompts
Key considerations
- Investor positioning can change fast
- Volatility remains possible near catalysts
- Macro rates and liquidity can dominate flows
Reference reading
- https://www.tomshardware.com/tech-industry/cyber-security/SPONSORED_LINK_URL
- https://www.tomshardware.com/tech-industry/cyber-security/fake-go-dns-scanner-published-700-malicious-versions-before-researchers-traced-it-to-222-github-repos#main
- https://www.tomshardware.com/subscription
- This 3D-printed electric motorbike folds into your luggage — creator warns it is 'super fast… way too fast'
- How Open Models Are Driving AI Research
- Intel invests $5.7 billion in Ireland fab — aims to boost output of Xeon 6, next-gen Xeon products built on Intel 3 process
- Intel invests $5.7 billion in Ireland fab — aims to boost output of Xeon 6, next-gen Xeon products built on Intel 3 process
- NVIDIA Nemotron Achieves Benchmark-Leading Performance With LangChain Deep Agents Harness
Informational only. No financial advice. Do your own research.