Key Takeaways
- Operation Muck and Load is a large‑scale supply‑chain campaign that weaponized over 200 GitHub repositories to distribute Windows malware.
- The malicious payload is delivered through a Go module posing as a legitimate DNS/sub‑domain scanner (based on the open‑source dnsub project).
- Since January 24 2026 the threat actor has published more than 1,200 versions of the module, roughly 700 of which contain malicious code.
- Infection begins with a hidden PowerShell command that evades execution‑policy restrictions, fetches a resolver script from public “dead‑drop” sites, and then downloads and runs payloads such as AsyncRAT, Quasar RAT, Remcos‑style RAT, infostealers, and cryptominers.
- The actor uses multiple public platforms—Pastebin, Rlim, Muck‑themed infrastructure, YouTube, Instagram, Telegram, Google Docs, and GitCode—to host mirrored encrypted resolver material, ensuring operational resilience.
- At least 14 unique malware files have been confirmed across the actor’s repositories, including trojan loaders, Vidar infostealer, dropper/spyware payloads, and XMRig/BitMiner‑based Monero miners.
- The campaign overlaps with prior activity linked to the email address “ischhfd83” and Muck‑themed domains, indicating a persistent threat actor focused on open‑source supply‑chain abuse.
- Related threats highlighted in the same advisory include North Korean targeting of open‑source developers, China‑linked APT “Leash” backdoors, the Atomic Arch AUR supply‑chain attack, and the emerging “Mistic” RAT.
Overview of Operation Muck and Load
Operation Muck and Load represents a coordinated effort by a single threat actor to abuse GitHub’s ecosystem as a malware distribution channel. The campaign leverages 222 lure repositories spread across 190 distinct accounts, each containing a seemingly innocuous Go module. By masquerading as a utility for DNS or sub‑domain scanning, the module entices developers to import it into their projects, thereby triggering an infection chain that ultimately deploys a variety of Windows‑based malware. Socket, the supply‑chain protection provider that uncovered the operation, emphasizes that the scale—over 200 repositories and more than 1,200 package versions—demonstrates a deliberate, automated approach rather than sporadic malicious commits.
The Malicious Go Module’s Disguise
At the heart of the campaign is a Go module that pretends to be a fork or extension of the legitimate dnsub open‑source project, a tool designed for DNS enumeration and sub‑domain discovery. This facade serves two purposes: it reduces suspicion among developers who recognize dnsub as a trusted utility, and it provides a plausible explanation for the module’s network activity. The module’s source code includes the expected scanning functions, but embedded within it is a concealed PowerShell command that executes before any legitimate scanning logic runs. This dual‑use design allows the malicious payload to blend seamlessly with benign functionality, making detection by casual code review or automated scanning tools far more difficult.
Release Volume and Automated Generation
Since the campaign’s inception on January 24 2026, the threat actor has published over 1,200 iterations of the Go module, with approximately 700 identified as malicious. Socket attributes this astonishing release cadence to the actor’s own GitHub Actions workflow, which repeatedly generates timestamp‑based commits that are interpreted by the Go proxy as pseudo‑versions. This technique enables the actor to push new versions continuously without raising flags associated with manual release engineering. The automation ensures a steady stream of “updates” that keep the malicious module visible in dependency‑resolution caches, increasing the likelihood that unsuspecting projects will pull a compromised version.
PowerShell Trigger and Evasion Techniques
The infection chain begins with a PowerShell command strategically hidden within the Go module using excessive horizontal whitespace—spacing that renders the command invisible in many editors and diff viewers. This command runs automatically before the module’s advertised scanning logic, thereby bypassing any user‑initiated checks. Importantly, the PowerShell snippet is crafted to evade Windows script‑execution policy restrictions; it employs techniques such as invoking PowerShell via -EncodedCommand or leveraging IE (Invoke‑Expression) with obfuscated strings, allowing execution even on systems where default policies block unsigned scripts. Once executed, the script contacts a series of publicly accessible “dead‑drop” locations to retrieve the next stage of the payload.
Resolver Retrieval from Public Dead Drops
The PowerShell script’s first task is to fetch a resolver component from a set of pre‑defined dead‑drop URLs hosted on various public platforms. These locations include Pastebin, the lesser‑known Rlim service, Muck‑themed infrastructure operated by the actor, and fallback links on mainstream services such as YouTube, Instagram, Telegram, Google Docs, and GitCode. By distributing the resolver across multiple, unrelated sites, the actor achieves operational resilience: takedown of any single host does not break the infection chain, as the script can simply attempt the next URL in its list. The resolver itself is encrypted and packaged within a password‑protected archive, requiring the script to locate embedded metadata, decrypt a URL, download the archive, extract its contents, and finally launch the embedded payload.
Resolver Functionality and Payload Deployment
Once decrypted and executed, the resolver acts as a multi‑stage downloader, extractor, and launcher. It first locates encrypted metadata that points to the actual malware payload’s location, then decrypts a URL leading to a password‑protected archive (commonly a ZIP or RAR file protected with a strong password embedded in the script). After downloading the archive, the resolver extracts its contents to a temporary directory and executes the contained binaries. This modular approach allows the actor to swap out payloads without altering the initial infection vector, maintaining flexibility and reducing the chance that a single detection will neutralize the entire campaign.
Types of Malware Delivered
The final payloads distributed through Operation Muck and Load span a variety of threat categories, reflecting the actor’s goal of maximizing impact and profit. Socket identified the following families among the deployed malware: AsyncRAT and Quasar RAT, both remote‑access tools granting full control over infected hosts; a Remcos‑style RAT offering similar capabilities with additional stealth features; multiple infostealers designed to harvest credentials, browser data, and cryptocurrency wallets; and cryptominers such as XMRig and BitMiner that hijack CPU resources to mine Monero. This blend of espionage, financial theft, and resource abuse illustrates the actor’s willingness to monetize compromised systems through several parallel avenues.
Additional Malware Distribution via Repositories
Beyond the Go module’s automated infection chain, Socket discovered that several of the 222 lure repositories also hosted malware directly within their source trees or as GitHub release assets. In these cases, malicious code was either committed alongside legitimate project files or attached as pre‑compiled binaries in the “Releases” section, offering an alternative infection route for developers who clone or download the repository manually. Across the analyzed set, at least 14 unique confirmed malware files were uncovered, including trojan loaders and downloaders, the Vidar infostealer, dropper/spyware hybrids, and the aforementioned XMRig/BitMiner cryptominers. This dual strategy—combining automated dependency poisoning with direct repository contamination—increases the attack surface and complicates mitigation efforts.
Attribution, Related Activity, and Broader Threat Landscape
Operation Muck and Load shows clear overlap with earlier intrusions tied to the email address “ischhfd83” and a set of Muck‑themed domains previously observed in threat‑intelligence feeds. The recurrence of similar naming conventions, infrastructure choices, and tactics suggests a persistent actor refining its supply‑chain abuse techniques over time. The advisory also notes related campaigns that underscore the growing danger to open‑source ecosystems: North Korean groups targeting developers via poisoned dependencies, China‑linked APTs deploying new “Leash” backdoors, the Atomic Arch supply‑chain incident that compromised 1,500 AUR packages, and the emergence of the “Mistic” RAT, which facilitates ransomware deployment. Together, these examples highlight a trend where adversaries increasingly rely on legitimate code‑hosting platforms to bypass traditional defenses, necessitating heightened vigilance, dependency‑verification tools, and strict provenance checks for any third‑party code.

