github.com/kaleidora/dnsub-scanning-tool
discovered 2026-07-08Malicious Go module published as a DNS/subdomain scanning tool that impersonates the legitimate open-source dnsub project (github.com/yunxu1/dnsub) under a different GitHub namespace. main.go is obfuscated with excessive horizontal whitespace and launches a hidden PowerShell loader that fetches, certutil-decodes, and runs a multi-layer PowerShell downloader (L.ps1) leading to a GitHub-hosted Quixo.7z payload and an Electron/Squirrel masquerade launcher (AsyncRAT/Quasar/Remcos). Accrued 1,200+ pseudo-versions (700+ reported malicious) via a GitHub Actions timestamp-commit workflow. Blocked from the Go module proxy after Socket's report. Socket notes the public source may not reliably execute through a normal go build/install path without modification.
Threat types
Malicious versions
- 1200+ pseudo-versions (700+ flagged malicious)
Campaigns
Indicators
- domain muckcoding.comcommunicates-with
- domain muckdeveloper.comcommunicates-with
- url https://muckcoding.com/LG-LW/Api-Certificatecommunicates-with
- url https://muckdeveloper.com/LGTV/MicrosoftCurcommunicates-with
- url https://pastebin.com/raw/xy32SJgfcommunicates-with
- url https://rlim.com/MicrosoftCur/rawcommunicates-with
- url https://youtu.be/GAS67zAOssccommunicates-with
- url https://www.instagram.com/p/DG20Zt9Mj4P/communicates-with
- url https://t.me/s/dwmiccommunicates-with
- url https://docs.google.com/document/d/1PnogKWvfa3ZcCnmKfnb3pJYXMBmcQe5k_6bBuPUailQ/export?format=txtcommunicates-with
- url https://gitcode.com/LastWer/MicrosoftCur/rawcommunicates-with
- url https://github.com/tb78/expresso/releases/download/Release/Quixo.7zcommunicates-with
- sha256 129de16fe69763f767d8249279a2c4a1a6deafadd1a84563bd84b258ea010bffdrops
- sha256 86819efe7319b664920ba2e1fd4b079a4e6b5eaaebeeb1adb2c1c8dc3c81ee0cdrops
- sha256 57e0449fb13766b0b2f7c057b1f89911e9ed23cac7e71d5d69fde47571239629drops
- sha256 e576a61e1a2ba71e764647bb2f0883c2f8fa4d591799c60d21a84230ee7a5b63drops
- sha256 51cada347262d7b2bcde70552fcdae221625ad75435cee8a9c3e7b67cc47a807drops
- sha256 969b0bfd605aa2cddf353f3638b0dee26b1c2305600231e055fa6d7786a879fedrops
- sha256 73c807df26427d6631088a822fa54c30975afbe681a9d83eff5d19e5b075d6c2drops
- sha256 a628ad47fe93ee7413cca90aeca8f9540bfcd5ccdbeb4d9914670b3ef66247f4drops
- sha256 4ea1c577247b149489506b230e7aa203e1a2fa124109c6056d1986e944f520a4drops
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1204.002 User Execution: Malicious Fileuses
- ttp T1059.001 Command and Scripting Interpreter: PowerShelluses
- ttp T1564.003 Hide Artifacts: Hidden Windowuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1027.013 Obfuscated Files or Information: Encrypted/Encoded Fileuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1102.001 Web Service: Dead Drop Resolveruses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1036.005 Masquerading: Match Legitimate Name or Locationuses
- ttp T1685 Disable or Modify Toolsuses
- ttp T1112 Modify Registryuses
- ttp T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Controluses
- ttp T1053.005 Scheduled Task/Job: Scheduled Taskuses
- ttp T1543.003 Create or Modify System Process: Windows Serviceuses
- ttp T1555.003 Credentials from Password Stores: Web Browsersuses
- ttp T1608.001 Stage Capabilities: Upload Malwareuses
- ttp T1113 Screen Captureuses
- ttp T1055 Process Injectionuses
- ttp T1490 Inhibit System Recoveryuses
- ttp T1082 System Information Discoveryuses
- ttp T1057 Process Discoveryuses
- ttp T1012 Query Registryuses