Operation Muck and Load

discovered 2026-07-08

Socket.dev tracking label (explicitly not an attribution boundary) for a GitHub-centric malware-lure operation: a malicious Go module impersonating the dnsub scanner that runs a hidden PowerShell loader chain to AsyncRAT/Quasar/Remcos, plus a lure network of 222 confirmed repositories across 190 accounts (crypto/Web3 tooling, game cheats, Telegram/OTP bots, crypters, gray-market automation) delivering Vidar, trojan loaders, droppers, and XMRig/BitMiner cryptominers. Named for Muck infrastructure (muckcoding.com / muckdeveloper.com) and the loader chain. Socket assesses with high confidence this is the same repository-backdoor cluster Sophos previously reported around the ischhfd83 commit email, on behavioral grounds rather than the mutable email/domain indicators.

Objective

Distribute infostealers, RATs, and cryptominers to developers and gamers via a large fake-tool/cheat/wallet lure network and a poisoned Go supply-chain package.

Packages

Indicators

Techniques

Read the full analysis →