- Researchers found a fake Go module that steals SSH credentials instead of providing legitimate brute-force functionality.
- The malicious module sends stolen logins to a Telegram bot once a successful SSH login occurs.
- The tool’s wordlist targets common usernames and weak passwords on random IPv4 SSH servers.
- The campaign is linked to the now-inaccessible IllDieAnyway GitHub account, but the module remains available online.
- The exfiltration method uses encrypted Telegram traffic, helping attackers avoid basic egress monitoring.
Cybersecurity researchers reported finding a Go programming module that pretends to be a brute-force tool for SSH logins but is designed to secretly collect and transmit stolen credentials to the module’s creator. The tool, named “golang-random-ip-ssh-bruteforce,” first appeared on June 24, 2022, and remains available on the software repository pkg.go[.]dev.
According to researchers at Socket, the module scans random public IPv4 addresses on TCP port 22 to find SSH servers, then tries logging in using a small list of common usernames and passwords. When a login attempt succeeds, the tool immediately exfiltrates the server’s IP address, username, and password to a hard-coded Telegram bot managed by the attacker. “On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor,” researcher Kirill Boychenko stated.
The username list only includes “root” and “admin,” while the passwords are common weak choices such as “admin,” “12345678,” “password,” and similar. The module disables host key verification by using the “ssh.InsecureIgnoreHostKey” callback, allowing it to accept connections from any SSH server even if its identity is unknown. The tool operates in an infinite loop, repeatedly generating new IP addresses and attempting concurrent logins with the preset credentials.
Messages with stolen credentials are sent through Telegram’s API to an account labeled “@io_ping” (Gett), using a recipient bot called “@sshZXC_bot” (ssh_bot). Researchers say the activity traces back to the IllDieAnyway (G3TT) GitHub account, which also hosted Hacking tools like an IP port scanner and a PHP command-and-control botnet called Selica-C2. While the GitHub account is now offline, historical snapshots and a YouTube channel remain accessible, showing the creator sharing hacking-related content in Russian.
Socket noted that the tool uses the scanning operators’ own internet addresses, distributing risk away from the original threat actor. The Telegram channel uses regular HTTPS traffic, which can make these exfiltrations appear like normal web use and avoid detection by standard network filters.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BRICS Leaders Accused of Swiss Bank Billions, Wealth Inequality
- US Treasury mulls digital ID checks for DeFi, sparking privacy fears
- Shiba Inu Price Surge Imminent: 528% Rally Predicted by Analysts
- Ethereum Gaming Network Xai Sues Elon Musk’s xAI for Trademark Infringement
- Ether Nears Record Highs as Investors Weigh ETF and Staking Paths
