Malicious Go Module github.com/xinfeisoft/crypto Targets Ubuntu and CI/CD Environments With Rekoobe Backdoor and Credential Theft

Executive Summary

A highly sophisticated supply chain attack has been identified involving a malicious Go module, github.com/xinfeisoft/crypto, which masquerades as the legitimate golang.org/x/crypto library. This module is engineered to covertly exfiltrate sensitive credentials entered via terminal prompts, establish persistent SSH access, and deploy the advanced Rekoobe Linux backdoor. The campaign leverages namespace confusion, GitHub-hosted staging, and multi-stage payload delivery, with a clear focus on cloud and CI/CD environments. The Rekoobe backdoor is a hallmark of advanced persistent threat (APT) operations and has been previously attributed to the Chinese state-sponsored group APT31 (Zirconium). This advisory provides a comprehensive technical breakdown, threat actor profiling, exploitation evidence, victimology, and actionable mitigation strategies.

Threat Actor Profile

The threat actor behind this campaign demonstrates a high degree of operational security and technical sophistication, consistent with tactics, techniques, and procedures (TTPs) associated with APT31 (Zirconium). This group is known for targeting government, technology, and critical infrastructure sectors globally, with a particular emphasis on the United States, Europe, and Asia-Pacific regions. The actor utilizes supply chain compromise, dependency confusion, and credential harvesting, and maintains a dynamic infrastructure with rapid domain and payload rotation. The use of the Rekoobe backdoor, previously linked to Chinese cyber-espionage, further supports attribution to a nation-state adversary with significant resources and intent to establish long-term access in high-value environments.

Technical Analysis of Malware/TTPs

The attack chain initiates with the publication of github.com/xinfeisoft/crypto, a near-identical clone of the legitimate golang.org/x/crypto module. The malicious variant introduces a backdoor within the ssh/terminal/terminal.go file, specifically targeting the ReadPassword() function. When invoked, this function intercepts and captures sensitive input such as SSH passphrases, database credentials, and API keys. These credentials are written to /usr/share/nano/.lock and subsequently exfiltrated via HTTP POST requests to attacker-controlled endpoints.

The module further retrieves a staging URL from a GitHub Raw resource, https://raw.githubusercontent[.]com/xinfeisoft/vue-element-admin/refs/heads/main/public/update.html, which dynamically points to the next-stage payload server. The stager script, upon execution, appends a persistent SSH key to /home/ubuntu/.ssh/authorized_keys, effectively granting the attacker ongoing access. It also modifies iptables policies to default ACCEPT, thereby disabling host-based firewall protections and exposing the system to further exploitation.

The stager downloads two payloads, sss.mp5 and 555.mp5, from img.spoolsv[.]cc. The first payload acts as a loader and reconnaissance utility, establishing encrypted communications with 154.84.63[.]184:443. The second payload is the Rekoobe Linux backdoor, which provides the attacker with a robust toolkit for command execution, file exfiltration, additional payload delivery, and reverse shell capabilities. Post-execution, the stager script deletes the payloads to minimize forensic evidence and hinder incident response.

The campaign employs advanced evasion techniques, including masquerading of file types, dead drop resolvers via GitHub, and rapid infrastructure rotation. The malicious module was available on the public Go module mirror until its discovery and subsequent removal by the Go security team, highlighting the critical risk posed by supply chain attacks in modern software development pipelines.

Exploitation in the Wild

Evidence indicates active exploitation in cloud virtual machines, CI/CD runners, and administrative hosts, particularly those utilizing the default ubuntu user with elevated privileges. The attack leverages the widespread use of Go modules and the prevalence of automated dependency resolution in CI/CD workflows, increasing the likelihood of inadvertent inclusion of the malicious module. The campaign's infrastructure has been observed rotating domains and payloads, suggesting ongoing operational activity and attempts to evade detection. The Rekoobe backdoor has been observed in espionage campaigns as recently as August 2023, with confirmed links to APT31 (Zirconium) operations.

Victimology and Targeting

The primary targets of this campaign are organizations operating cloud-based infrastructure, CI/CD environments, and administrative hosts, especially those with automated build and deployment pipelines. The attack is global in scope, with a focus on sectors historically targeted by APT31, including government, technology, and critical infrastructure. The use of the default ubuntu user and expectation of elevated privileges indicate a tailored approach towards environments where rapid provisioning and automation are common, such as DevOps and cloud-native deployments. Victims are likely to include organizations with less stringent dependency auditing and those relying on automated Go module resolution.

Mitigation and Countermeasures

Organizations are strongly advised to conduct a comprehensive audit of all Go dependencies, with particular scrutiny for modules mimicking golang.org/x/crypto. Immediate steps should include searching for the presence of /usr/share/nano/.lock, unauthorized SSH keys in /home/ubuntu/.ssh/authorized_keys, and any network connections to the listed indicators of compromise (IOCs). Network access to the domains img.spoolsv[.]cc, img.spoolsv[.]net, spoolsv[.]cc, and spoolsv[.]net, as well as IP 154.84.63[.]184, should be blocked at the firewall and proxy layers.

Security teams should monitor for execution of suspicious shell scripts, changes to iptables policies, and anomalous process activity associated with Go binaries. Any instance of the malicious module github.com/xinfeisoft/crypto must be removed immediately, and a full compromise assessment should be performed, including forensic analysis of affected hosts and credential rotation for all potentially exposed secrets.
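The audit and host checks described in the two paragraphs above, written out as an added shell example; this is illustrative code, not a Rescana tool and not taken from any of the write-ups the advisory draws on. The module path, the /usr/share/nano/.lock drop file, the /home/ubuntu/.ssh/authorized_keys path, the four domains and the IP are the advisory's own indicators. Everything else is an assumption: that the module reaches a build either as a direct require or through a go.mod "replace golang.org/x/crypto => github.com/xinfeisoft/crypto" directive, the optional ROOT prefix for running the checks against a mounted image or test tree, the allowlist file of known-good public keys, and the constructed sample inputs.

```shell
#!/bin/sh
# Added triage helpers for the indicators in this advisory. Illustrative code, not a
# Rescana tool. Module path, drop file, authorized_keys path, domains and IP come from
# the advisory; the ROOT prefix, the key allowlist and all sample inputs are assumptions.

MALICIOUS_MODULE='github.com/xinfeisoft/crypto'
CRED_DROP='/usr/share/nano/.lock'              # written by the trojaned ReadPassword()
AUTH_KEYS='/home/ubuntu/.ssh/authorized_keys'  # where the stager appends its key
IOC_PATTERN='img\.spoolsv\.cc|img\.spoolsv\.net|spoolsv\.cc|spoolsv\.net|154\.84\.63\.184'

# scan_repo DIR: find every go.mod, go.sum and vendor/modules.txt under DIR and print
# lines referencing the typosquat module, whether required directly or pulled in via a
# "replace golang.org/x/crypto => ..." directive (assumed route). Exit 0 = hit, 1 = clean.
scan_repo() {
    find "$1" -type f \( -name go.mod -o -name go.sum -o -name modules.txt \) \
        -exec grep -Hn -F "$MALICIOUS_MODULE" {} + | grep .
}

# check_cred_drop [ROOT]: exit 0 if the credential capture file exists (ROOT "" = live host).
check_cred_drop() {
    [ -e "${1:-}$CRED_DROP" ]
}

# list_unknown_keys AUTH_KEYS_FILE ALLOWLIST_FILE: print every active authorized_keys
# entry whose key material (the base64 field starting "AAAA") is absent from the
# allowlist of known-good public keys. Options such as command="..." shift the key to a
# later field, so every field of each entry is compared. Exit 0 = unknown key found.
list_unknown_keys() {
    awk 'FILENAME == ARGV[1] { for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) allow[$i] = 1; next }
         NF == 0 || $1 ~ /^#/ { next }
         { known = 0
           for (i = 1; i <= NF; i++) if ($i in allow) known = 1
           if (!known) print FILENAME ":" FNR ": " $0 }' "$2" "$1" | grep .
}

# find_ioc_hits: filter stdin (ss -tnp output, resolver or proxy logs, /etc/hosts) for
# the advisory's domains and IP. Exit 0 = at least one matching line.
find_ioc_hits() {
    grep -En "$IOC_PATTERN"
}

# triage_host [ROOT] [ALLOWLIST]: run the host-side checks and print findings.
# Exit 0 only if nothing was flagged. Needs root for "ss -p" and iptables.
triage_host() {
    root=${1:-}; allow=${2:-/etc/ssh/known_good_keys}; rc=0   # allowlist path is an assumption
    if check_cred_drop "$root"; then echo "ALERT: $root$CRED_DROP present"; rc=1; fi
    if [ -f "$root$AUTH_KEYS" ] && [ -f "$allow" ] && list_unknown_keys "$root$AUTH_KEYS" "$allow"; then
        echo "ALERT: unknown key(s) in $root$AUTH_KEYS"; rc=1
    fi
    if command -v ss >/dev/null 2>&1 && ss -tnp 2>/dev/null | find_ioc_hits; then
        echo "ALERT: live connection to an advisory IOC"; rc=1
    fi
    # A default ACCEPT policy is common on stock hosts, so this is a review item, not proof.
    if command -v iptables >/dev/null 2>&1 && iptables -S 2>/dev/null | grep -E '^-P (INPUT|FORWARD) ACCEPT'; then
        echo "REVIEW: iptables default policy is ACCEPT; compare against the host baseline"
    fi
    return $rc
}

# Run the host triage only when invoked with RUN_TRIAGE=1, so the functions can also be
# sourced from other tooling.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then
    triage_host "$@"
fi
```

Run `scan_repo /path/to/checkout` from a CI job against every repository that builds Go code, and `RUN_TRIAGE=1 sh triage.sh` as root on each Ubuntu host or runner; for a disk image, pass the mount point as ROOT. The repository scan is a plain substring match, so it also catches the module in go.sum and vendored module lists, but it says nothing about whether a legitimately named golang.org/x/crypto was tampered with in a private proxy; `go mod verify` covers that separately by checking the module cache against go.sum.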

To prevent future incidents, organizations should implement strict dependency management policies, utilize software composition analysis tools, and enforce code review processes for third-party modules. Continuous monitoring for supply chain threats and integration of threat intelligence feeds into security operations are essential for early detection and response.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, enforce compliance, and respond to emerging threats in real time. For more information about how Rescana can help secure your organization’s digital ecosystem, or for any questions regarding this advisory, please contact us at ops@rescana.com.