A large-scale cyber threat has emerged involving over 200 GitHub repositories designed to distribute Windows malware, according to insights from supply chain security firm, Socket. This operation, known as ‘Operation Muck and Load’, comprises 222 deceptive repositories managed by 190 separate accounts. These repositories feature a Go module that initiates the malware infection process.
Details of the Malware Distribution
The Go module, Socket reveals, deploys PowerShell scripts to retrieve a resolver from public dead drops, which then executes various types of Windows malware. These include spyware, trojan downloaders, infostealers, and cryptominers. The module masquerades as a DNS/subdomain scanning tool, leveraging the legitimate dnsub open-source project to deceive users.
Since January 24, 2026, the threat actor has published over 1,200 versions of this package, with 700 identified as malicious. This proliferation isn’t due to standard release practices, but rather the threat actor’s use of GitHub Actions workflows that generate timestamp commits, allowing these malicious versions to appear as Go pseudo-versions.
Mechanics of the Attack
The module executes a PowerShell command concealed by excessive whitespace before executing any scanning logic. This script circumvents script-execution policies by fetching and running a payload from public dead-drop locations. The payload acts as a resolver, downloader, extractor, and launcher, decrypting metadata, retrieving a password-protected archive, and executing its contents.
To enhance operational resilience, the threat actor avoids a single hardcoded URL, opting instead for multiple public platforms to host mirrored encrypted resolver content. These platforms include Pastebin, Rlim, Muck-themed infrastructure, and fallback sites like YouTube, Instagram, Telegram, Google Docs, and GitCode.
Payloads and Associated Risks
The final execution chain payloads encompass various remote access trojans (RATs) such as AsyncRAT, Quasar RAT, and a Remcos-style RAT, along with infostealers and spyware. Although most repositories serve as lures, some directly embed malware into source trees or through GitHub release assets.
Socket has identified at least 14 unique malware files within the threat actor’s workflow, featuring trojan loaders, Vidar infostealer, and XMRig/BitMiner-related Monero cryptominers. This operation shares characteristics with previous activities linked to the ‘ischhfd83’ email address, which included Muck-themed domains.
In conclusion, Operation Muck and Load represents a significant threat to cybersecurity, highlighting the growing sophistication of supply chain attacks. As these threats evolve, vigilance and robust cybersecurity measures remain critical in safeguarding digital infrastructure.
