Malware-bearing PUBG-themed GitHub repository | Image: Socket
| Actor / group | Unnamed actor tracked as “Operation Muck and Load”; overlaps with the ischhfd83 cluster |
| Activity type | Software supply-chain lures and Windows malware staging |
| Targets / victims | Developers and users chasing crypto, wallet, bot, and game-cheat tools |
| Scale | 222 repositories across 190 accounts; 14+ malware files; a Go module with 700+ malicious versions |
| Law-enforcement status | No arrests; reported to GitHub and Go; module blocked from the Go proxy |
| Source | Socket threat research; prior Sophos X-Ops reporting |
TL;DR
A malicious Go module posing as a DNS scanner exposed a much larger GitHub lure network. Socket traced 222 repositories across 190 accounts, tracked as Operation Muck and Load. The network stages remote access trojans, infostealers, and cryptominers on Windows.
What happened
Socket’s entry point was a Go module that impersonated a subdomain scanner. Instead of scanning, it ran a hidden PowerShell loader. That loader pulled encrypted instructions from public “dead drop” pages on sites like Pastebin, Telegram, and YouTube. It then fetched a password-protected archive. The archive unpacked into a fake Microsoft Photos folder and launched a disguised executable.
Downstream, analysts tied the payloads to AsyncRAT, Quasar, Remcos, and the Vidar infostealer. The module also showed version sprawl. Socket found more than 1,200 versions, and over 700 were malicious. Socket notes the campaign name is “a tracking label, not an attribution boundary.”
Why the dead drops matter
The loader did not hardcode one payload URL. Instead, it mirrored encrypted resolver data across many public platforms. So if defenders block one paste or domain, the loader simply tries another. That design gives the operation real resilience against takedowns.
Who is behind it
No one has been charged. Socket links the cluster to earlier activity tied to the “ischhfd83” persona. It makes that call with high confidence, based on repeated tradecraft rather than one indicator. Sophos researchers Matt Wixey and Andrew O’Donnell documented the same persona in June 2025. Their report found over 140 backdoored repositories tied to the same email. Notably, the operation often preys on game cheaters and novice criminals, a case of cybercriminals turning on their own.
Impact and scale
The scale is the real story. This GitHub lure network gave the actor 222 credible-looking projects. Automated GitHub Actions workflows faked fresh commits, sometimes every minute. That made dead repositories look active and maintained. Socket describes the confirmed set as “the confirmed lure-network core, not the full universe.” Lure themes clustered around crypto wallets, Web3 SDKs, exchange bots, and game cheats. At least 14 malware files appeared across the repositories, including loaders, Vidar, droppers, and Monero miners.
How to stay protected
Takedowns help, yet the tradecraft will move. GitHub removed reported repositories, and the Go team blocked the module from its proxy. Still, the malicious Go module was only the entry point, and the actor can spin up new accounts fast. For the full indicators, read Socket’s Operation Muck and Load analysis.
- Treat obscure packages that impersonate known tools with caution.
- Check for abnormal version counts and hidden PowerShell in package code.
- Be wary of projects that ask you to run installers or setup scripts.
- Run untrusted repositories only in isolated environments.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.