Malicious Module | Image: Socket
Socket’s Threat Research Team recently uncovered a dangerous new supply chain attack: a malicious Go programming module named github[.]com/xinfeisoft/crypto. This module was explicitly built to imitate the legitimate golang.org/x/crypto codebase while secretly hiding a backdoor within the ssh/terminal/terminal.go file.
In the world of software development, trust is everything. The attackers knew exactly what they were doing when they chose to impersonate this specific package. As the report explains, “That choice was strategic: golang.org/x/crypto is one of the Go ecosystem’s foundational cryptography codebases, maintained by the Go project and widely relied on for primitives and packages such as bcrypt, argon2, chacha20, and ssh, which makes it a high-trust impersonation target in dependency graphs.”
By mimicking a foundational piece of software, the attackers ensured their malicious code would look completely routine and harmless to developers reviewing their application’s underlying dependencies.
The trap springs the exact moment a user interacts with the compromised application. The attackers specifically targeted the programming function responsible for handling user passwords.
The report notes, “When a victim application prompts for a password via ReadPassword, the modified function captures the secret, writes it locally, then reaches out to threat actor-controlled infrastructure for follow-on instructions.”
After silently capturing the password, the malware reaches out to a GitHub-hosted “update” resource, sends the stolen password to the attackers, and retrieves a malicious shell script. This script is then executed, giving the hackers the ability to run unauthorized commands directly on the host machine.
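One review check that follows from this description, as an added example that is not code from Socket's report or from the module itself: a terminal/password-prompt helper has no reason to import networking or process-spawning packages, so a vendored file that does deserves a closer look. The tampered-file sample below is constructed for illustration; the deny list is an assumption a reviewer would tune.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Packages that a password-reading helper such as ReadPassword should never need.
// Seeing them next to terminal I/O code is a red flag for the exfiltration pattern
// described above (capture the secret, then reach out for a script to execute).
var suspiciousImports = map[string]bool{
	"net": true, "net/http": true, "net/url": true, "os/exec": true,
}

// SuspiciousImports parses one Go source file (passed as text so it runs offline
// against vendored code) and returns the imports that match the deny list.
func SuspiciousImports(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "terminal.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if suspiciousImports[path] {
			hits = append(hits, path)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

// Constructed sample of what a tampered terminal file might import, alongside the
// I/O import the genuine package legitimately uses. Not the real module's code.
const tamperedSample = `package terminal

import (
	"io"
	"net/http"
	"os/exec"
)
`

func main() {
	hits, err := SuspiciousImports(tamperedSample)
	if err != nil {
		panic(err)
	}
	fmt.Println("suspicious imports in terminal.go:", hits)
}
```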
Once the initial script is running, the attackers move to permanently cement their control over the infected Linux system.
The report details this invasive next phase: “The downloaded script acts as a Linux stager. It appends a threat actor SSH key to /home/ubuntu/.ssh/authorized_keys, sets iptables default policies to ACCEPT, and downloads additional payloads from img[.]spoolsv[.]cc while disguising them with the .mp5 extension, a media-like label that can help binaries blend in during quick review.”
Researchers analyzed these cleverly disguised payloads, specifically identifying two files named sss.mp5 and 555.mp5. The first file, sss.mp5, acts as an initial scout that tests network connectivity and communicates with the attacker’s server over standard internet ports to blend in with normal traffic.
The second file, 555.mp5, was confirmed to be the notorious Rekoobe Linux backdoor. Rekoobe is a highly versatile and dangerous piece of malware that has been utilized in various espionage operations, including campaigns attributed to the advanced hacking group APT31.
By hiding these dangerous executables behind fake media file extensions, the attackers can easily slip past simplistic security tools that only check a file’s name instead of deeply inspecting its actual contents.