golang-random-ip-ssh-bruteforce. Masquerading as a legitimate SSH brute-force testing tool, the package secretly exfiltrates successful login credentials to a Russian-speaking threat actor via Telegram, effectively turning users into unwitting credential harvesters for cybercriminal operations.
The malicious package operates through a carefully engineered infinite loop that generates random IPv4 addresses and probes TCP port 22 for accessible SSH services.
[Figure caption, left half truncated: ...ssh_bot, username @sshZXC_bot. Right: Telegram User Info confirms the active destination account: user Gett, username @io_ping, which maps to chat_id 1159678884.]

Upon discovering an open port, the tool launches concurrent SSH authentication attempts using a hardcoded wordlist containing common default credentials.
The package deliberately disables host key verification by setting HostKeyCallback: ssh.InsecureIgnoreHostKey(), allowing connections to any SSH server regardless of identity validation.
The embedded wordlist strategically targets IoT devices and hastily configured systems, pairing usernames root and admin with weak passwords, including raspberry, dietpi, alpine, and common sequences like 123456.
This approach indicates systematic targeting of exposed SSH services on small servers, single-board computers, and network appliances where default credentials often persist.
Upon the first successful authentication, the package immediately exfiltrates the compromised credentials to a hardcoded Telegram bot endpoint: https://api.telegram.org/bot5479006055:AAHaTwYmEhu4YlQQxriW00a6CIZhCfPQQcY/sendMessage.
The stolen data, formatted as IP:username:password, is transmitted to chat ID 1159678884, which is controlled by the threat actor.
The package was published on June 24, 2022, by the GitHub user IllDieAnyway (alias G3TT), whom Socket assesses with high confidence to be a Russian-speaking threat actor.
This assessment is based on extensive Russian-language content across the actor’s repositories and VKontakte-specific tooling. The threat actor maintains additional offensive tools, including a C2 framework called Selica-C2, suggesting capabilities for building SSH-compromised botnets.
The operational strategy is particularly insidious: by distributing the workload across unwitting operators, the threat actor avoids direct legal exposure while collecting high-value SSH credentials.
Each successful breach provides immediate access credentials that can be leveraged for lateral movement, payload deployment, or sold on criminal marketplaces.
Socket recommends treating all offensive utilities from untrusted sources as potentially hostile, implementing strict egress controls for messaging APIs, and deploying detection rules for Telegram Bot API references and the specific ssh.InsecureIgnoreHostKey() pattern.
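As an added illustration (not code from the article or from the package), the following Go program implements the two detection rules recommended above as a simple source scanner. The embedded sample source is constructed to mimic the package's configuration, and the bot token and chat_id in it are placeholders, not the real values.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one rule hit in a source file.
type Finding struct {
	File string
	Line int
	Rule string
	Text string
}

// rules encode the two indicators the write-up recommends detecting:
// disabled host key verification and a hardcoded Telegram Bot API endpoint.
var rules = []struct {
	ID string
	Re *regexp.Regexp
}{
	{"ssh-insecure-hostkey", regexp.MustCompile(`ssh\.InsecureIgnoreHostKey\(\)`)},
	{"telegram-bot-api", regexp.MustCompile(`api\.telegram\.org/bot[0-9]+:`)},
}

// ScanSource runs every rule over each line of src and returns the hits in line order.
func ScanSource(name, src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, r := range rules {
			if r.Re.MatchString(line) {
				out = append(out, Finding{name, n, r.ID, strings.TrimSpace(line)})
			}
		}
	}
	return out
}

// sample is a constructed fragment resembling the package's SSH and exfiltration
// setup; the token and chat_id are placeholders, not the values from the report.
const sample = `config := &ssh.ClientConfig{
	User:            user,
	Auth:            []ssh.AuthMethod{ssh.Password(pass)},
	HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
url := "https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage?chat_id=0"`

func main() {
	for _, f := range ScanSource("sample.go", sample) {
		fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Rule, f.Text)
	}
}
```

Pointing the scanner at a vendored module tree (one ScanSource call per file) gives a quick pre-build triage of Go dependencies for this pattern pair.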
The malicious package remains active on both GitHub and Go Module platforms at the time of writing, despite Socket’s removal requests.
The post Telegram-Linked Go Module Turns into High-Speed SSH Brute-Force Tool, Steals Credentials appeared first on Cyber Security News.