malware go

github.com/kaleidora/dnsub-scanning-tool

discovered 2026-07-08

Malicious Go module published as a DNS/subdomain scanning tool that impersonates the legitimate open-source dnsub project (github.com/yunxu1/dnsub) under a different GitHub namespace. main.go is obfuscated with excessive horizontal whitespace and launches a hidden PowerShell loader that fetches, certutil-decodes, and runs a multi-layer PowerShell downloader (L.ps1) leading to a GitHub-hosted Quixo.7z payload and an Electron/Squirrel masquerade launcher (AsyncRAT/Quasar/Remcos). Accrued 1,200+ pseudo-versions (700+ reported malicious) via a GitHub Actions timestamp-commit workflow. Blocked from the Go module proxy after Socket's report. Socket notes the public source may not reliably execute through a normal go build/install path without modification.

Threat types

rat c2_agent credential_stealer data_exfiltration persistence typosquat

Malicious versions

  • 1200+ pseudo-versions (700+ flagged malicious)

Campaigns

Indicators

Techniques

Read the full analysis →