A threat actor has utilized over 200 GitHub repositories to deliver Windows malware through a campaign named Operation Muck and Load. This operation leverages a deceptive Go module masquerading as a DNS scanning tool, triggering a chain of infections that distribute various types of malware including spyware and trojans.
A new campaign called Operation Muck and Load has been uncovered, involving over 200 GitHub repositories used to distribute Windows malware. The network consists of 222 lure repositories spread across 190 different accounts, demonstrating a significant and organized effort to infect systems.
The primary mechanism of infection utilizes a Go module that pretends to be a DNS/subdomain scanning tool based on the legitimate dnsub open source project. This module, once executed, loads PowerShell code that initiates a series of malicious activities. Socket reports that since January 24, 2026, the threat actor has released over 1,200 versions of the Go package, with around 700 confirmed as malicious.
The infection process begins with a PowerShell command hidden within the Go module, designed to bypass script-execution policy restrictions. It retrieves a resolver payload from various public sources, which executes further downloads of different types of malware including AsyncRAT, Quasar RAT, and infostealers. This multi-faceted approach enhances the operational resilience of the malware delivery mechanism.
The threat actor employs several strategies to avoid detection, including the use of multiple platforms for hosting infected material and disguising malicious commands within excessive whitespace. By integrating these techniques, the threat actor increases the likelihood of successful infections despite security measures.
The discovery of Operation Muck and Load highlights the evolving sophistication of malware distribution techniques using legitimate platforms such as GitHub. The ability to embed malware within open source repositories poses significant risks to users who may inadvertently install these deceptive tools, emphasizing the need for increased vigilance in software supply chains.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
A threat actor has utilized over 200 GitHub repositories to deliver Windows malware through a campaign named Operation Muck and Load. This operation leverages a deceptive Go module masquerading as a DNS scanning tool, triggering a chain of infections that distribute various types of malware including spyware and trojans.