Trust Betrayed: A Malicious Go Package Is a Brute-Force Tool and a Data Thief
Experts at Socket have uncovered a malicious Go package named golang-random-ip-ssh-bruteforce, which masquerades as a tool for brute-forcing SSH credentials but in reality exfiltrates them to its author via Telegram. The module’s logic is straightforward: upon the first successful login, it immediately transmits the target’s IP address, username, and password to a hardcoded Telegram bot, then terminates execution, leaving the stolen data at the attacker’s disposal.
The package operates in an infinite loop, generating random IPv4 addresses, checking for an open TCP port 22, and, if found, launching parallel authentication attempts from a built-in dictionary of usernames and passwords. Authentication checks are deliberately weakened: the code disables host key verification with ssh.InsecureIgnoreHostKey, so connections proceed without safeguards. On the first successful login, the captured ip:user:pass trio is sent directly to a private Telegram chat via the Telegram Bot API. Tests confirmed that the bot token and chat ID are active, with credentials delivered to an account under the alias @io_ping through the bot @sshZXC_bot.
The embedded dictionary is limited but targeted — only two accounts, root and admin, paired with common default passwords such as root, toor, raspberry, dietpi, alpine, 123456, alongside variants like webadmin, webmaster, techsupport, and others. This selection is clearly aimed at IoT devices, single-board computers, and poorly secured Linux hosts left with factory defaults. The restricted dataset minimizes noise during brute-forcing and accelerates the discovery of weak targets, aligning with the program’s design to exit after the first successful compromise.
The module’s author is a Russian developer active in the Go ecosystem and on GitHub under the alias IllDieAnyway. His profile features an arsenal of offensive tools: fast port scanners, a phpMyAdmin brute-forcer that also sends results to Telegram, the Selica-C2 management framework, and utilities for launching DDoS attacks. Many of these projects follow the same template — once a target is compromised, stolen data is exfiltrated via Telegram. His repositories are filled with Russian-language comments and documentation, including utilities linked to the social network VKontakte. Based on this evidence, analysts conclude that the developer operates within the Russian-speaking cybercriminal community.
The danger of this package is twofold. On the one hand, installing it implicates the user in illegal activity — scanning networks and brute-forcing passwords — which can lead to ISP blocks or even criminal liability. On the other hand, the operator becomes a victim themselves: all “successful” compromises are siphoned off to the author, while their system resources are exploited to fuel someone else’s infrastructure. In effect, anyone running golang-random-ip-ssh-bruteforce is unknowingly working on behalf of a third-party attacker.
Experts recommend strict software supply chain hygiene: auditing third-party tools before use, blocking network requests to the Telegram API and similar services, and restricting outbound connections from workstations where such utilities should never run. For detection, defenders should watch for red flags such as calls to ssh.InsecureIgnoreHostKey, the presence of a wl.txt default password dictionary, and hardcoded Telegram Bot API requests.
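As an added illustration of that detection advice (not code from Socket or from the package itself), the following Go helper walks a source file's AST and flags the three indicators named above; AuditGoSource, Finding and the embedded sampleSrc are hypothetical names chosen for this example, and the sample source is constructed.

```go
package main
import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one red flag located in a Go source file.
type Finding struct {
	Kind string // "insecure-hostkey", "telegram-api" or "wordlist-file"
	Line int
}

// AuditGoSource parses Go source text and reports the three indicators named in the article.
// Hypothetical helper written for this note, not Socket's tooling; it assumes the usual "ssh" import name.
func AuditGoSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var found []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.SelectorExpr: // the callee of ssh.InsecureIgnoreHostKey()
			if pkg, ok := x.X.(*ast.Ident); ok && pkg.Name == "ssh" && x.Sel.Name == "InsecureIgnoreHostKey" {
				found = append(found, Finding{"insecure-hostkey", fset.Position(x.Pos()).Line})
			}
		case *ast.BasicLit: // literals: a hardcoded Bot API URL or the wordlist path
			v := strings.ToLower(x.Value)
			if strings.Contains(v, "api.telegram.org/bot") {
				found = append(found, Finding{"telegram-api", fset.Position(x.Pos()).Line})
			}
			if strings.Contains(v, "wl.txt") {
				found = append(found, Finding{"wordlist-file", fset.Position(x.Pos()).Line})
			}
		}
		return true
	})
	return found, nil
}
// sampleSrc is a constructed snippet carrying all three indicators; it is not the package's code.
const sampleSrc = `package main
import "golang.org/x/crypto/ssh"
const wordlist = "wl.txt"
const botURL = "https://api.telegram.org/bot<TOKEN>/sendMessage"
var cfg = &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}
`
```

Run over a vendored module tree, a non-empty result is a prompt for manual review, since a legitimate tool can also call ssh.InsecureIgnoreHostKey.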