Researchers have uncovered a large-scale malware distribution campaign that abused GitHub’s reputation as a trusted software platform to lure developers into downloading malicious code. Tracked as Operation Muck and Load, the activity relied on a network of 222 GitHub repositories spread across 190 accounts, many of which were artificially maintained to appear legitimate through automated commits and fake development activity.
According to Socket, the campaign centered on a malicious Go module masquerading as a DNS and subdomain scanning utility. While presented as a legitimate developer tool, the package instead launched a multi-stage Windows malware infection chain that ultimately deployed remote access trojans, infostealers, spyware, and cryptocurrency miners.
Fake development activity built trust at scale
Rather than relying on a single malicious repository, the operators created what researchers describe as a GitHub-based lure network. The repositories covered popular topics including cryptocurrency wallets, Web3 tooling, Telegram and Discord bots, exchange automation, game cheats, password utilities, and offensive security tools, all designed to attract users likely to download and execute untrusted software.
One of the campaign’s more unusual characteristics was its use of automated GitHub Actions workflows to manufacture the appearance of active development. Socket found the repositories repeatedly generated synthetic commits, rewrote timestamps, and force-pushed updates every minute, making dormant projects appear actively maintained.
Researchers identified more than 1,200 published versions of the malicious Go module, over 700 of which contained malicious functionality. Socket believes the unusually high version count resulted from the automated commit-farming workflow rather than legitimate software development.
Multi-stage loader hides the final payload
The malicious Go module, published as github.com/kaleidora/dnsub-scanning-tool, impersonated the legitimate open source dnsub project while embedding hidden Windows-specific loader code before any scanning functionality executed.
Once launched, the package executed a hidden PowerShell command that downloaded an encoded file, decoded it using the Windows certutil utility, and executed a second PowerShell stage with execution policy bypass enabled. That second stage functioned as a resolver rather than a downloader, retrieving encrypted payload-location data from multiple public services before decrypting the actual malware location.
Instead of embedding a single payload URL, the campaign distributed encrypted resolver data across numerous public platforms, including Pastebin, Telegram, YouTube, Instagram, Google Docs, GitCode, and attacker-controlled infrastructure. This dead-drop approach allows operators to rotate payload locations without modifying the original loader, increasing resilience against takedowns and blocking efforts.
The resolver ultimately downloaded a password-protected .7z archive hosted through GitHub Releases, extracted it into a directory designed to resemble a legitimate Microsoft Photos installation, and launched a disguised executable from that location.
Multiple malware families delivered
Socket observed several malware families delivered through the campaign, including AsyncRAT, Quasar RAT, Remcos-style remote access malware, Vidar infostealers, spyware, trojan downloaders, and XMRig-based Monero cryptominers. Dynamic analysis also revealed functionality consistent with credential theft, browser data collection, scheduled task persistence, service creation, process injection, screenshot capture, and command-and-control communications.
The researchers also identified at least 14 confirmed malware samples hosted directly inside threat actor-controlled GitHub repositories. Some payloads were committed into repository source trees, while others were distributed through GitHub Release assets or disguised using filename manipulation techniques intended to mislead users.
Infrastructure matters more than individual malware
Socket assessed that the campaign’s greatest strength was not any individual malware family, but the infrastructure supporting it. By separating the GitHub lure repositories, PowerShell loaders, public dead-drop services, encrypted resolver data, and final payload delivery, the operators created a modular ecosystem that can continue functioning even if individual repositories, domains, or hosting providers are removed.
The researchers also found substantial overlap with repository-backdoor activity previously documented by Sophos involving the threat actor-linked email address associated with the broader ischhfd83 activity cluster. While individual domains, repositories, and accounts can be replaced, Socket noted that the combination of automated repository generation, staged PowerShell loading, public dead-drop infrastructure, and protected archive delivery forms a distinctive operational pattern that defenders can monitor for future campaigns.
Following its investigation, Socket reported the malicious Go module to the Go security team, which blocked it from the Go module proxy, and notified GitHub about the associated repository infrastructure. The researchers cautioned, however, that removing individual repositories or packages is unlikely to eliminate the underlying tradecraft, as the campaign is built around disposable infrastructure that can be regenerated at scale.












