Socket.dev tracking label (explicitly not an attribution boundary) for a GitHub-centric malware-lure operation: a malicious Go module impersonating the dnsub scanner that runs a hidden PowerShell loader chain to AsyncRAT/Quasar/Remcos, plus a lure network of 222 confirmed repositories across 190 accounts (crypto/Web3 tooling, game cheats, Telegram/OTP bots, crypters, gray-market automation) delivering Vidar, trojan loaders, droppers, and XMRig/BitMiner cryptominers. Named for Muck infrastructure (muckcoding.com / muckdeveloper.com) and the loader chain. Socket assesses with high confidence this is the same repository-backdoor cluster Sophos previously reported around the ischhfd83 commit email, on behavioral grounds rather than the mutable email/domain indicators.
Objective
Distribute infostealers, RATs, and cryptominers to developers and gamers via a large fake-tool/cheat/wallet lure network and a poisoned Go supply-chain package.
Packages
Indicators
- email [email protected]indicates
- github_repo kaleidora/dnsub-scanning-toolindicates
- github_repo tb78/expressoindicates
- github_repo nrevv1lad/Pubg-DESYNC-Menuindicates
- sha256 235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609indicates
- sha256 2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7dindicates
- sha256 33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29indicates
- sha256 45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242indicates
- sha256 810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344indicates
- sha256 938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089indicates
- sha256 9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7indicates
- sha256 a2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7aindicates
- sha256 b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005eindicates
- sha256 d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15indicates
- sha256 d95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1indicates
- sha256 e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acadindicates
- sha256 ec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783findicates
- sha256 f245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4indicates
- domain muckcoding.comcommunicates-with
- domain muckdeveloper.comcommunicates-with
- url https://muckcoding.com/LG-LW/Api-Certificatecommunicates-with
- url https://muckdeveloper.com/LGTV/MicrosoftCurcommunicates-with
- url https://pastebin.com/raw/xy32SJgfcommunicates-with
- url https://rlim.com/MicrosoftCur/rawcommunicates-with
- url https://youtu.be/GAS67zAOssccommunicates-with
- url https://www.instagram.com/p/DG20Zt9Mj4P/communicates-with
- url https://t.me/s/dwmiccommunicates-with
- url https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txtcommunicates-with
- url https://gitcode.com/LastWer/MicrosoftCur/rawcommunicates-with
- url https://github.com/tb78/expresso/releases/download/Release/Quixo.7zcommunicates-with
- sha256 129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bffdrops
- sha256 86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0cdrops
- sha256 57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629drops
- sha256 e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63drops
- sha256 51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807drops
- sha256 969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fedrops
- sha256 73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2drops
- sha256 a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4drops
- sha256 4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4drops
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1204.002 User Execution: Malicious Fileuses
- ttp T1059.001 Command and Scripting Interpreter: PowerShelluses
- ttp T1564.003 Hide Artifacts: Hidden Windowuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1027.013 Obfuscated Files or Information: Encrypted/Encoded Fileuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1102.001 Web Service: Dead Drop Resolveruses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1036.005 Masquerading: Match Legitimate Name or Locationuses
- ttp T1685 Disable or Modify Toolsuses
- ttp T1112 Modify Registryuses
- ttp T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Controluses
- ttp T1053.005 Scheduled Task/Job: Scheduled Taskuses
- ttp T1543.003 Create or Modify System Process: Windows Serviceuses
- ttp T1555.003 Credentials from Password Stores: Web Browsersuses
- ttp T1608.001 Stage Capabilities: Upload Malwareuses
- ttp T1113 Screen Captureuses
- ttp T1055 Process Injectionuses
- ttp T1490 Inhibit System Recoveryuses
- ttp T1082 System Information Discoveryuses
- ttp T1057 Process Discoveryuses
- ttp T1012 Query Registryuses