Operation Muck and Load: The Hidden Malware Factory That Turned GitHub Into a Global Attack Platform + Video

Listen to this Post

Featured ImageIntroduction: When Trusted Code Repositories Become Digital Trapdoors

GitHub has become one of the most important foundations of modern software development. Millions of developers rely on it every day to share code, collaborate on projects, and accelerate innovation. But the same openness that makes GitHub powerful can also become a weapon in the hands of cybercriminals.

A recent investigation uncovered a sophisticated malware campaign that abused GitHub repositories, fake open-source projects, and automated development workflows to create an illusion of legitimacy. The operation, tracked as Muck and Load, revealed how attackers built a large network of malicious repositories designed to appear active, trustworthy, and maintained by real developers.

The campaign started from a single suspicious Go module pretending to be a DNS and subdomain scanning tool. Instead of providing security functionality, the project acted as a malware delivery mechanism. Further investigation uncovered 222 confirmed malicious GitHub repositories connected to 190 accounts, exposing a coordinated operation involving trojan loaders, information stealers, spyware, and cryptocurrency miners.

This campaign represents a growing cybersecurity problem: attackers are no longer only breaking into systems. They are manipulating the software supply chain itself, turning trusted developer ecosystems into distribution channels for malware.

The Fake Security Tool That Opened the Investigation
A Normal-Looking Go Module With a Hidden Purpose

Socket’s security researchers began their investigation after discovering a suspicious Go package named:

github[.]com/kaleidora/dnsub-scanning-tool

The project appeared to be a legitimate DNS and subdomain enumeration utility. Its documentation described features commonly found in cybersecurity reconnaissance tools, making it attractive to developers and security professionals.

However, the actual behavior of the software was completely different.

Instead of performing network discovery tasks, the module secretly executed a hidden PowerShell command before any scanning functionality started. The tool was not designed to help defenders. It was designed to compromise them.

The discovery exposed a much larger ecosystem of fake projects created to trick users into downloading and running malicious code.

Muck and Load: A Malware Operation Built Around Fake Activity

Manufacturing Trust Through Artificial Development

The attackers behind the campaign created hundreds of GitHub repositories with carefully designed appearances.

The repositories contained:

Professional-looking README files

Frequent version releases

Automated commits

Fake developer activity

Popular technology keywords

Attractive project names

The goal was simple: make malicious software look like a real open-source project.

A major discovery was the unusual number of published versions for the original Go module. The project had more than 1,200 releases, with over 700 identified as malicious, despite being created only a few months earlier.

This was not normal software development.

The attackers used GitHub Actions automation to repeatedly generate artificial commits, modify timestamps, and create the illusion of continuous maintenance.

The fake activity acted as social engineering. Developers often trust projects that appear active and recently updated. The attackers exploited that behavior.

The Hidden PowerShell Loader Inside the Go Package
The First Stage of the Malware Infection Chain

The malicious Go module contained a hidden execution process inside its main() function.

Before performing any legitimate-looking operation, it launched PowerShell and downloaded another script from attacker-controlled infrastructure:

muckcoding[.]com

The downloaded file was saved as:

api.db

Then the malware used:

certutil

to decode the content and transform it into:

L.ps1

Finally, the script executed silently with:

-ExecutionPolicy Bypass

and a hidden window.

This technique allowed the malware to avoid common PowerShell restrictions while minimizing visibility.

The combination of:

Hidden execution

External script retrieval

Script decoding

Policy bypass

clearly indicated malicious intent.

Deep Analysis: Understanding the Malware Execution Chain

PowerShell Investigation Commands

Security researchers can analyze suspicious PowerShell activity using commands like:

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational

This helps identify suspicious script executions and command activity.

Searching for Hidden PowerShell Abuse

A basic investigation command:

Get-Process powershell | Select-Object Id,Path,StartTime

can reveal unexpected PowerShell instances.

Suspicious command lines can be searched with:

Get-CimInstance Win32_Process | 
Where-Object {$_.CommandLine -match "ExecutionPolicy Bypass"}

Detecting Suspicious GitHub Repository Activity

Security teams investigating repository abuse can analyze commit history:

git log --pretty=format:"%h %an %ae %ad" --date=iso

This helps identify unusual patterns such as:

Repeated automated commits

Changing usernames

Same email fingerprints

Checking Malware Hashes

Threat investigators should verify downloaded files:

sha256sum suspicious_file.exe

Example:

sha256sum Quixo.7z

Hash comparison helps determine whether files match known malware samples.

Detecting Persistence Mechanisms

Attackers commonly create scheduled tasks:

schtasks /query /fo LIST

Security analysts can search for unexpected persistence entries.

Multi-Layer PowerShell Malware Loader

Encryption, Dead Drops, and Hidden Payload Retrieval

The file L.ps1 was not a simple script.

It contained multiple layers of protection using:

Base64 encoding

XOR encryption

Encrypted payload locations

Public platform dead drops

The script avoided storing the final malware URL directly.

Instead, it searched public websites for encrypted information.

The dead-drop locations included:

Pastebin

Telegram

Instagram

YouTube

Google Docs

GitCode

Other attacker-controlled services

The malware searched downloaded content for a marker:

LastW

After finding the marker, it extracted encrypted data and decrypted it using a hardcoded key.

This approach makes infrastructure takedowns more difficult because attackers can replace individual links without rebuilding the malware.

The Quixo Payload Delivery System

Disguising Malware as Legitimate Software

The decrypted location pointed to a GitHub release containing:

Quixo.7z

The archive was password protected and extracted using a hidden copy of 7-Zip placed at:

C:ProgramDatazipathh7zrr.exe

The malware then dropped files into:

C:ProgramDataWindows.Microsoft.Photos

The directory name was carefully chosen to imitate a legitimate Microsoft application.

Inside the folder was:

Microsoft.exe

However, the executable was not a Microsoft product.

The digital signature belonged to:

Exodus Movement, Inc.

This suggests attackers abused or repackaged a signed Electron-based component to create additional trust.

GitHub Actions Became the Attacker’s Fingerprint

The Hidden Identity Behind Hundreds of Accounts

The most important discovery was not a malware sample.

It was a pattern.

Across the 222 confirmed repositories, researchers found the same GitHub Actions workflow behavior:

Automated commits every minute

Force pushes

Timestamp file modifications

Artificial development history

Same attacker-linked email address

The visible GitHub usernames changed between repositories, but the underlying email remained consistent.

This became the strongest connection between seemingly unrelated accounts.

Attackers attempted to hide behind hundreds of identities, but their automation habits revealed them.

Social Engineering Through Popular Developer Interests

Why These Fake Projects Were Successful

The attackers did not randomly choose repository themes.

They targeted communities where users are more likely to download and execute unknown software.

Popular lures included:

Cryptocurrency tools

Wallet utilities

Telegram bots

Game automation software

Game cheats

Web3 applications

Security tools

Offensive hacking utilities

These categories attract users willing to test experimental software, making them ideal malware distribution channels.

Malware Payloads Found Across the Campaign

From Information Theft to Remote Control

The campaign distributed multiple types of malicious payloads:

Vidar information stealer

AsyncRAT

Quasar RAT

Remcos-style remote access tools

XMRig cryptocurrency miners

Spyware components

Trojan loaders

The malware capabilities included:

Browser credential theft

Screenshot collection

Remote command execution

Defender modification

UAC manipulation

Persistence creation

Cryptocurrency mining

Some repositories directly hosted malware binaries.

One PUBG-themed repository contained a loader associated with Vidar.

A Warzone-themed project distributed malware through GitHub release files.

A single malicious executable appeared identically across several repositories, showing automated reuse.

What Undercode Say:

The Software Supply Chain Is Becoming the New Battlefield

The Muck and Load campaign demonstrates a major evolution in cybercrime.

Attackers are no longer depending only on phishing emails or infected websites.

They are targeting the places developers already trust.

GitHub has become part of the modern software supply chain, which means attackers understand that reputation is as valuable as code.

The most dangerous part of this campaign was not the malware itself.

The malware was expected.

The real innovation was the psychological manipulation.

Attackers created fake histories, fake communities, fake contributors, and fake maintenance records.

They understood how developers evaluate software.

A repository with hundreds of commits feels safer than a new account with one file.

A project with detailed documentation feels professional.

Frequent releases create confidence.

The attackers weaponized those assumptions.

The use of GitHub Actions was especially interesting because automation became the attacker’s signature.

The same technology developers use to improve productivity became a tool for creating fake credibility.

This shows a larger cybersecurity trend.

Future attacks will increasingly focus on trust infrastructure rather than only technical vulnerabilities.

Organizations will need to evaluate not just whether code works, but whether the project itself is authentic.

Repository age alone cannot prove safety.

Commit history alone cannot prove legitimacy.

Stars, downloads, and forks can also be manipulated.

Security teams must analyze behavior patterns.

They need to examine:

Who created the project?

How were commits generated?

Are releases realistic?

Does the code match the description?

Are dependencies trustworthy?

The Muck and Load operation also highlights the danger of blindly executing developer tools.

A DNS scanner, wallet utility, or automation script can become an entry point into an entire organization.

Developers often have privileged access.

A compromised developer workstation can lead to:

Source code theft

Credential exposure

Cloud compromise

Internal network attacks

The campaign proves that open-source security is not only about vulnerabilities.

It is also about authenticity.

The future of cybersecurity will require stronger software identity systems, better repository verification, and more intelligent supply chain monitoring.

Attackers are building fake software companies at scale.

Defenders must build better ways to identify what is real.

Prediction

(+1) The cybersecurity industry will increase investment in software supply chain monitoring, AI-based repository analysis, and developer-focused security tools as GitHub abuse becomes more common.

(+1) Automated threat detection will become better at identifying fake development patterns, including synthetic commits, suspicious release behavior, and coordinated repository networks.

(-1) Open-source ecosystems will continue facing abuse because attackers can easily create convincing fake projects faster than humans can manually review them.

(-1) Developers who rely only on popularity metrics such as stars, forks, and recent updates will remain vulnerable to sophisticated social engineering campaigns.

✅ The investigation of the Muck and Load campaign identified hundreds of malicious GitHub repositories using fake development activity and malware delivery techniques.

✅ The malware chain involving PowerShell loaders, encoded scripts, and staged payload retrieval matches common modern malware distribution methods.

✅ The connection between repositories was based on repeated infrastructure patterns, automation behavior, and attacker-linked indicators rather than a single indicator alone.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: securityaffairs.com
Extra Source Hub (Possible Sources for article):
https://www.github.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube