Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Muck and Load Operation: Uncovering a Sophisticated GitHub-Based Malware Campaign



Operation Muck and Load: A Sophisticated GitHub-Based Malware Campaign Reveals Evolving Tactics by Hackers

  • The Socket security team discovered a massive GitHub-based malware campaign called Operation Muck and Load.
  • The campaign used fake Go packages to deliver malicious software to unsuspecting users.
  • A single malicious Go module was initially identified, but further investigation revealed it was part of a larger network of 222 confirmed GitHub repositories.
  • The payload set included trojan loaders, infostealers, dropper and spyware payloads, and Monero cryptominers.
  • The malware impersonated legitimate open-source projects to avoid detection.
  • The threat actor used a single GitHub Actions workflow signature across all affected repositories.
  • The repositories were designed to look active and plausible long enough for targets to clone, build, or follow setup instructions.
  • The malware modified Microsoft Defender and UAC settings, established persistence through scheduled tasks and services, and accessed browser profile data.



  • The cybersecurity landscape has witnessed numerous sophisticated attacks in recent times, with hackers employing increasingly complex tactics to infiltrate systems and steal sensitive information. In a recent discovery, researchers from the Socket security team have uncovered a massive GitHub-based malware campaign known as Operation Muck and Load, which utilized fake Go packages to deliver malicious software to unsuspecting users.

    According to the research report, a single malicious Go module was initially identified, which appeared to be a legitimate DNS and subdomain scanning utility. However, further investigation revealed that this module was just a small part of a much larger network of 222 confirmed GitHub repositories across 190 accounts. These repositories were built to make malicious or deceptive software projects look active, recently maintained, and worth running.

    The payload set found across these repositories included trojan loaders, Vidir infostealer, dropper and spyware payloads, and Monero cryptominers tied to XMRig. Some of the repositories directly distributed malware, while others impersonated legitimate open-source subdomain enumeration projects. The malicious Go module launched a hidden PowerShell command that downloaded content from muckcoding[.]com, saved it as api.db, decoded it using certutil, wrote the result as L.ps1, and executed it with execution-policy bypass and a hidden window.

    The loader's execution mode further reinforced malicious intent. It launched PowerShell with a hidden window and then invoked the decoded script with -ExecutionPolicy Bypass. This flag does not exploit PowerShell by itself but is commonly used by malware to avoid local script-execution policy restrictions. In this case, it was paired with hidden execution and a freshly decoded script from an external source, making the intent clear: the Go module was acting as a first-stage Windows loader.

    The infrastructure pivot came from a single GitHub Actions workflow signature. Across all 222 confirmed repositories, the same workflow combined a threat actor-linked email address, ischhfd83@rambler[.]ru, with force-push automation, a schedule running every minute, and synthetic commit activity that repeatedly rewrote a timestamp or log file and pushed the result.

    The repositories did not all need to host payloads to be useful to the operation. Their function was to look active and plausible long enough for a target to clone, build, or follow setup instructions. The lure themes were chosen to attract users already inclined to run untrusted code: cryptocurrency and Web3 tooling, wallet integrations, seed-phrase protection utilities, Telegram bots, game auto-farm tools, game cheats, crypters, and offensive automation.

    Some repositories did host payloads directly. One Exodus-themed repository used a right-to-left-override character in a filename to disguise a Windows .scr executable as something else. One PUBG-themed repository hosted Loader.exe in the source tree, associated with Vidir infostealer. One Warzone-themed repository delivered its payload as a GitHub release asset rather than a source file.

    The downstream payload activity mapped to AsyncRAT, Quasar, and Remcos-style remote access tools alongside infostealer-like behavior. The payload chain modified Microsoft Defender and UAC settings, established persistence through scheduled tasks and services, accessed browser profile data, prepared screenshot collection, and communicated with Telegram or other public web services.

    The researchers pointed out that the email address, Muck-themed domains, and specific dead-drop URLs were all replaceable. However, the operational pattern was harder to change. The threat actor repackaged or renamed a signed Electron-style application component while relying on surrounding scripts for the malicious behavior.

    In conclusion, Operation Muck and Load highlights the evolving nature of cyber threats, where hackers are becoming increasingly sophisticated in their tactics to evade detection. As security measures continue to improve, it is essential for organizations and individuals to remain vigilant and adapt their defenses accordingly.


    Operation Muck and Load: A Sophisticated GitHub-Based Malware Campaign Reveals Evolving Tactics by Hackers




    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Muck-and-Load-Operation-Uncovering-a-Sophisticated-GitHub-Based-Malware-Campaign-ehn.shtml

  • https://securityaffairs.com/195101/security/222-github-repositories-linked-to-fake-go-package-malware-operation.html


  • Published: Fri Jul 10 07:48:37 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us