{
  "campaign": {
    "name": "Operation Muck and Load",
    "slug": "operation-muck-and-load",
    "href": "/ti/campaigns/operation-muck-and-load",
    "description": "Socket.dev tracking label (explicitly not an attribution boundary) for a GitHub-centric malware-lure operation: a malicious Go module impersonating the dnsub scanner that runs a hidden PowerShell loader chain to AsyncRAT/Quasar/Remcos, plus a lure network of 222 confirmed repositories across 190 accounts (crypto/Web3 tooling, game cheats, Telegram/OTP bots, crypters, gray-market automation) delivering Vidar, trojan loaders, droppers, and XMRig/BitMiner cryptominers. Named for Muck infrastructure (muckcoding.com / muckdeveloper.com) and the loader chain. Socket assesses with high confidence this is the same repository-backdoor cluster Sophos previously reported around the ischhfd83 commit email, on behavioral grounds rather than the mutable email/domain indicators.",
    "objective": "Distribute infostealers, RATs, and cryptominers to developers and gamers via a large fake-tool/cheat/wallet lure network and a poisoned Go supply-chain package.",
    "aliases": [
      "ischhfd83",
      "ischhfd83 cluster"
    ],
    "discovered_at": "2026-07-08"
  },
  "packages": [
    {
      "ecosystem": "go",
      "name": "github.com/kaleidora/dnsub-scanning-tool",
      "href": "/ti/packages/go/github.com/kaleidora/dnsub-scanning-tool",
      "threat_types": [
        "rat",
        "c2_agent",
        "credential_stealer",
        "data_exfiltration",
        "persistence",
        "typosquat"
      ],
      "versions": [
        "1200+ pseudo-versions (700+ flagged malicious)"
      ]
    }
  ],
  "indicators": [
    {
      "kind": "email",
      "value": "ischhfd83@rambler.ru",
      "href": "/ti/ioc/email/ischhfd83@rambler.ru",
      "context": "Threat-actor git commit email; constant across the 222 lure repos and the shared pivot with Sophos's prior ischhfd83 cluster."
    },
    {
      "kind": "github_repo",
      "value": "kaleidora/dnsub-scanning-tool",
      "href": "/ti/ioc/github_repo/github_repo-1f5c4b929fcb",
      "context": "GitHub repo backing the malicious Go module; entry point of the operation."
    },
    {
      "kind": "github_repo",
      "value": "tb78/expresso",
      "href": "/ti/ioc/github_repo/github_repo-86d9bbfa8ac6",
      "context": "Hosts the resolved Quixo.7z payload as a GitHub release asset."
    },
    {
      "kind": "github_repo",
      "value": "nrevv1lad/Pubg-DESYNC-Menu",
      "href": "/ti/ioc/github_repo/github_repo-dd5c50373c3a",
      "context": "Named example lure repo: fake external PUBG cheat hosting Loader.exe in source tree, associated with Vidar infostealer. One of 222 confirmed threat-actor-workflow repos."
    },
    {
      "kind": "sha256",
      "value": "235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609",
      "href": "/ti/ioc/sha256/235a64e3520b1c2c27763122b303f78aee8d7c083dfd9f1eb936cd5174383609",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d",
      "href": "/ti/ioc/sha256/2f416aac027f19f563cc45e3b4b72e992aaafb63da27f968b9a76a391134dc7d",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29",
      "href": "/ti/ioc/sha256/33497c69c21fa96bbc96f1d7f09608e462f8ab22555364977c0bd35fef27bc29",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242",
      "href": "/ti/ioc/sha256/45126b353f1636103da356121cd00b229b635b41b99d91166e6d7d9037482242",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344",
      "href": "/ti/ioc/sha256/810614290bdb14d2ddf10f65f8adc988a8272764f2a9e2c378e52fad162da344",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089",
      "href": "/ti/ioc/sha256/938054c6bb7dc737fce16513b2882808f199c2f892f808d439525a1650d49089",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7",
      "href": "/ti/ioc/sha256/9df11356c5ac61d2aa7b5425e6322fc016b0ed5790dacb201396500b3eee03f7",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "a2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a",
      "href": "/ti/ioc/sha256/a2e7989742c6b6436ebb47507881946e4f662080dff71d104eb9a9554f38af7a",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e",
      "href": "/ti/ioc/sha256/b27f694c974b44fe2f4a8a25680997db574fa35686c30fa4c4dc9dd4ec40005e",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15",
      "href": "/ti/ioc/sha256/d7747e7a3c782009f4ceb6e9c106115876386853929563b509da5258e3968d15",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "d95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1",
      "href": "/ti/ioc/sha256/d95bba20f04687b0b821d4fc0a17137db8b9eda5fe3fb34da319abefc45fe0d1",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad",
      "href": "/ti/ioc/sha256/e73491065d86b1ad69229bb5d2019e08b947e11a2a57adf5c2d9a2b5d8f4acad",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "ec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f",
      "href": "/ti/ioc/sha256/ec1cac2ada6726623b4bafb94c204c359ce7cdf5325909137fc0e6aef506783f",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "sha256",
      "value": "f245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4",
      "href": "/ti/ioc/sha256/f245956c930f220f0bedf355a751a5cd738b4ec6bb6c5d584199ab3fa6c0a1c4",
      "context": "Malware sample from a threat-actor-controlled GitHub lure repo."
    },
    {
      "kind": "domain",
      "value": "muckcoding.com",
      "href": "/ti/ioc/domain/muckcoding.com",
      "context": "Initial hidden-PowerShell Invoke-WebRequest host (Api-Certificate) and dead-drop-adjacent Muck infrastructure."
    },
    {
      "kind": "domain",
      "value": "muckdeveloper.com",
      "href": "/ti/ioc/domain/muckdeveloper.com",
      "context": "Primary dead-drop payload-location source (LGTV/MicrosoftCur)."
    },
    {
      "kind": "url",
      "value": "https://muckcoding.com/LG-LW/Api-Certificate",
      "href": "/ti/ioc/url/url-370c53d0dee4",
      "context": "First-stage: fetched by hidden PowerShell, saved to C:\\Users\\Public\\Pictures\\api.db then certutil-decoded to L.ps1."
    },
    {
      "kind": "url",
      "value": "https://muckdeveloper.com/LGTV/MicrosoftCur",
      "href": "/ti/ioc/url/url-74f777de7e38",
      "context": "Primary dead-drop source read by the L.ps1 resolver."
    },
    {
      "kind": "url",
      "value": "https://pastebin.com/raw/xy32SJgf",
      "href": "/ti/ioc/url/url-b64439034747",
      "context": "Primary dead-drop source (Pastebin raw)."
    },
    {
      "kind": "url",
      "value": "https://rlim.com/MicrosoftCur/raw",
      "href": "/ti/ioc/url/url-d8c288ccfede",
      "context": "Primary dead-drop source (Rlim raw)."
    },
    {
      "kind": "url",
      "value": "https://youtu.be/GAS67zAOssc",
      "href": "/ti/ioc/url/url-a272f868265d",
      "context": "Fallback dead-drop source (YouTube)."
    },
    {
      "kind": "url",
      "value": "https://www.instagram.com/p/DG20Zt9Mj4P/",
      "href": "/ti/ioc/url/url-1a5c2138801a",
      "context": "Fallback dead-drop source (Instagram post)."
    },
    {
      "kind": "url",
      "value": "https://t.me/s/dwmic",
      "href": "/ti/ioc/url/url-da059b7d1874",
      "context": "Fallback dead-drop source (Telegram channel preview)."
    },
    {
      "kind": "url",
      "value": "https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txt",
      "href": "/ti/ioc/url/url-c5c8efd2f41a",
      "context": "Fallback dead-drop source (Google Docs text export)."
    },
    {
      "kind": "url",
      "value": "https://gitcode.com/LastWer/MicrosoftCur/raw",
      "href": "/ti/ioc/url/url-9570f249da5a",
      "context": "Fallback dead-drop source (GitCode raw)."
    },
    {
      "kind": "url",
      "value": "https://github.com/tb78/expresso/releases/download/Release/Quixo.7z",
      "href": "/ti/ioc/url/url-44b413483f64",
      "context": "Resolved next-stage payload: password-protected 7z (r8NnX1b8Xn) hosted as a GitHub release asset."
    },
    {
      "kind": "sha256",
      "value": "129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff",
      "href": "/ti/ioc/sha256/129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bff",
      "context": "Layer 1 encrypted PowerShell blob."
    },
    {
      "kind": "sha256",
      "value": "86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c",
      "href": "/ti/ioc/sha256/86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0c",
      "context": "Layer 1 decrypted PowerShell script."
    },
    {
      "kind": "sha256",
      "value": "57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629",
      "href": "/ti/ioc/sha256/57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629",
      "context": "Layer 2 encrypted PowerShell blob."
    },
    {
      "kind": "sha256",
      "value": "e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63",
      "href": "/ti/ioc/sha256/e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63",
      "context": "Final visible decoded PowerShell loader logic."
    },
    {
      "kind": "sha256",
      "value": "51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807",
      "href": "/ti/ioc/sha256/51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807",
      "context": "Encrypted payload-location blob (dead-drop, decrypted with key UIA14fogylw8ogL82FntOFGp6)."
    },
    {
      "kind": "sha256",
      "value": "969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe",
      "href": "/ti/ioc/sha256/969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fe",
      "context": "Decoded PowerShell stage associated by Socket with AsyncRAT/Quasar detections + spyware/infostealer/trojan/persistence/defense-evasion/discovery/execution activity."
    },
    {
      "kind": "sha256",
      "value": "73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2",
      "href": "/ti/ioc/sha256/73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2",
      "context": "Recovered Quixo.7z payload archive."
    },
    {
      "kind": "sha256",
      "value": "a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4",
      "href": "/ti/ioc/sha256/a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4",
      "context": "Related GitHub-hosted Quixo.7z sample mapping to Remcos-style RAT activity."
    },
    {
      "kind": "sha256",
      "value": "4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4",
      "href": "/ti/ioc/sha256/4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4",
      "context": "Recovered current\\Microsoft.exe Electron masquerade launcher."
    }
  ],
  "ttps": [
    {
      "name": "Compromise Software Dependencies and Development Tools",
      "mitre_attack_id": "T1195.001",
      "href": "/ti/ttps/T1195.001"
    },
    {
      "name": "User Execution: Malicious File",
      "mitre_attack_id": "T1204.002",
      "href": "/ti/ttps/T1204.002"
    },
    {
      "name": "Command and Scripting Interpreter: PowerShell",
      "mitre_attack_id": "T1059.001",
      "href": "/ti/ttps/T1059.001"
    },
    {
      "name": "Hide Artifacts: Hidden Window",
      "mitre_attack_id": "T1564.003",
      "href": "/ti/ttps/T1564.003"
    },
    {
      "name": "Obfuscated Files or Information",
      "mitre_attack_id": "T1027",
      "href": "/ti/ttps/T1027"
    },
    {
      "name": "Obfuscated Files or Information: Encrypted/Encoded File",
      "mitre_attack_id": "T1027.013",
      "href": "/ti/ttps/T1027.013"
    },
    {
      "name": "Deobfuscate/Decode Files or Information",
      "mitre_attack_id": "T1140",
      "href": "/ti/ttps/T1140"
    },
    {
      "name": "Ingress Tool Transfer",
      "mitre_attack_id": "T1105",
      "href": "/ti/ttps/T1105"
    },
    {
      "name": "Web Service: Dead Drop Resolver",
      "mitre_attack_id": "T1102.001",
      "href": "/ti/ttps/T1102.001"
    },
    {
      "name": "Application Layer Protocol: Web Protocols",
      "mitre_attack_id": "T1071.001",
      "href": "/ti/ttps/T1071.001"
    },
    {
      "name": "Masquerading: Match Legitimate Name or Location",
      "mitre_attack_id": "T1036.005",
      "href": "/ti/ttps/T1036.005"
    },
    {
      "name": "Disable or Modify Tools",
      "mitre_attack_id": "T1685",
      "href": "/ti/ttps/T1685"
    },
    {
      "name": "Modify Registry",
      "mitre_attack_id": "T1112",
      "href": "/ti/ttps/T1112"
    },
    {
      "name": "Abuse Elevation Control Mechanism: Bypass User Account Control",
      "mitre_attack_id": "T1548.002",
      "href": "/ti/ttps/T1548.002"
    },
    {
      "name": "Scheduled Task/Job: Scheduled Task",
      "mitre_attack_id": "T1053.005",
      "href": "/ti/ttps/T1053.005"
    },
    {
      "name": "Create or Modify System Process: Windows Service",
      "mitre_attack_id": "T1543.003",
      "href": "/ti/ttps/T1543.003"
    },
    {
      "name": "Credentials from Password Stores: Web Browsers",
      "mitre_attack_id": "T1555.003",
      "href": "/ti/ttps/T1555.003"
    },
    {
      "name": "Stage Capabilities: Upload Malware",
      "mitre_attack_id": "T1608.001",
      "href": "/ti/ttps/T1608.001"
    },
    {
      "name": "Screen Capture",
      "mitre_attack_id": "T1113",
      "href": "/ti/ttps/T1113"
    },
    {
      "name": "Process Injection",
      "mitre_attack_id": "T1055",
      "href": "/ti/ttps/T1055"
    },
    {
      "name": "Inhibit System Recovery",
      "mitre_attack_id": "T1490",
      "href": "/ti/ttps/T1490"
    },
    {
      "name": "System Information Discovery",
      "mitre_attack_id": "T1082",
      "href": "/ti/ttps/T1082"
    },
    {
      "name": "Process Discovery",
      "mitre_attack_id": "T1057",
      "href": "/ti/ttps/T1057"
    },
    {
      "name": "Query Registry",
      "mitre_attack_id": "T1012",
      "href": "/ti/ttps/T1012"
    }
  ],
  "related_campaigns": [],
  "reports": [
    {
      "title": "Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories",
      "url": "https://socket.dev/blog/malicious-go-module-exposes-github-malware-lure-network",
      "published_at": "2026-07-08"
    }
  ]
}