Listen to this Post

Introduction
In a shocking revelation for the cybersecurity community, researchers have uncovered a malicious Go module disguised as an SSH brute-force tool. While it pretends to serve hackers and penetration testers with random IP scanning and SSH password cracking, its real purpose is far more sinister: secretly exfiltrating stolen credentials to its creator through Telegram. This incident highlights the growing risk of open-source software supply chain attacks, where attackers hide backdoors in seemingly useful tools to exploit unsuspecting users.
the Discovery
Cybersecurity experts have identified a deceptive package named “golang-random-ip-ssh-bruteforce”, which poses as a brute-force tool for SSH but is embedded with malicious code.
The malicious code was first published on June 24, 2022 and linked to a now-removed GitHub account called IllDieAnyway (G3TT). Despite the account removal, the module still exists on pkg.go[.]dev.
Once the tool achieves a successful SSH login, it immediately transmits the target’s IP, username, and password to a hard-coded Telegram bot (@sshZXC_bot) controlled by the attacker.
These stolen credentials are then forwarded to another Telegram account named @io_ping (Gett).
To operate, the tool scans random IPv4 addresses for open TCP port 22 (SSH) services, then attempts brute-force attacks with a short list of usernames and weak passwords like root, admin, 12345678, qwerty, letmein, Passw\@rd, and others.
The malware disables host key verification, ensuring it can connect to any SSH server without identity validation, increasing the attack’s stealth.
Its operation runs on an infinite loop to generate IPs and continuously attempt logins with high concurrency, ensuring rapid spread and credential theft.
The malicious developer offloads scanning and brute-force attempts onto unsuspecting users who download the package, while only they benefit from the stolen login details.
An archived snapshot of IllDieAnyway’s GitHub shows a history of malicious projects including IP port scanners, Telegram hacking tutorials, an SMS bomber for Russian platforms, and a PHP-based botnet (Selica-C2).
Their YouTube channel remains online, showcasing hacking tutorials like creating Telegram bots for cyberattacks, further suggesting a Russian origin of the threat actor.
Because the Telegram Bot API operates over HTTPS, the stolen data blends into normal web traffic, bypassing basic security monitoring tools.
This discovery not only reveals the malicious intent of the attacker but also highlights how open-source ecosystems can be manipulated to serve as attack vectors against unsuspecting developers and organizations.
What Undercode Say:
The rise of malicious open-source modules like this Go package is not an isolated event—it reflects a growing cybercrime strategy targeting trust in developer communities. By disguising malware as “useful hacking tools,” attackers are effectively weaponizing curiosity and opportunism among developers and penetration testers.
Exploiting Open-Source Trust: Many developers assume packages from GitHub or Go’s package repository are safe. Attackers are abusing this trust, injecting backdoors and hidden data theft mechanisms into tools that look legitimate.
Low-Skill Hacker Trap: Tools like these attract beginner hackers who want to test brute-force techniques. Ironically, while they believe they’re hacking others, they are being hacked themselves, unknowingly handing over credentials to a single attacker.
Supply Chain Risk: This incident underscores the software supply chain problem. Just as npm, PyPI, and RubyGems have faced similar malicious packages, the Go ecosystem is now vulnerable. Enterprises relying on open-source without deep inspection risk importing invisible backdoors into their environments.
Telegram as a Cybercrime Hub: The use of Telegram for command-and-control (C2) is no coincidence. Telegram bots provide anonymity, encrypted communications, and global accessibility. This makes them attractive for attackers seeking to bypass traditional detection.
Simplistic Yet Effective: Even though the password list looks unsophisticated, many servers still use weak credentials like “admin/12345678.” The simplicity ensures a wide pool of victims, proving that brute force remains an effective attack vector.
Technical Trick – Disabling Host Key Verification: By forcing SSH clients to ignore host key verification, the attacker bypasses one of the most important security measures in SSH communication. This makes it harder for admins to spot anomalies.
Social Engineering via Tools: By presenting the tool as a “powerful brute-forcer,” the attacker manipulates users into distributing the attack workload, essentially creating a crowdsourced botnet that works in their favor.
Geopolitical Angle: The Russian origin hints at broader cybercriminal ecosystems in the region. Many Russian-speaking hacker groups specialize in Telegram-based fraud, SMS bombing, and credential theft, making this operation fit an existing pattern.
Future Implications: If this tactic continues, we may see more malware hidden in penetration testing or “ethical hacking” tools. Cybercriminals will keep using the double-edged sword of curiosity to exploit would-be hackers.
case represents a new flavor of supply chain attack, mixing malware, social engineering, and cybercriminal ecosystems into a potent weapon.
✅ Fact Checker Results
The malicious Go module does exist and has been verified by multiple cybersecurity researchers.
Telegram is indeed being used as the exfiltration channel for stolen SSH credentials.
The linked GitHub account IllDieAnyway (G3TT) was active but is now removed, confirming authenticity.
🔮 Prediction
Cybercriminals will increasingly disguise malware inside open-source “hacking tools”, luring in novice hackers and IT enthusiasts. We can expect future attacks to leverage platforms like Telegram, Discord, and even AI-based tools for exfiltration. Security researchers will need to ramp up supply chain security monitoring, while developers must adopt zero-trust principles when integrating third-party code. Ultimately, the line between “tool” and “threat” will blur even further in the coming years.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: thehackernews.com
Extra Source Hub:
https://www.github.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




