Malicious Go Module Backdoors Systems with Rekoobe, Steals Credentials
Security researchers at Socket’s Threat Research Team uncovered a supply-chain attack targeting the Go ecosystem, where a malicious module impersonated the widely trusted golang.org/x/crypto library. Hosted on GitHub as github.com/xinfeisoft/crypto, the backdoored module was designed to steal credentials and deploy the Rekoobe Linux backdoor on compromised systems.
The backdoor was planted in the ReadPassword function of ssh/terminal/terminal.go, a legitimate file in the real library, so that passwords were silently intercepted as users entered them. Captured credentials were stored locally before being exfiltrated to a remote server controlled by the threat actor. The module also fetched and executed a script from GitHub that acted as a Linux stager: it modified system configuration to establish persistence, weaken security controls, and download additional payloads.
Among the downloaded files, sss.mp5 and 555.mp5 (disguised as media files) were identified as Rekoobe backdoors. The first payload functioned as a reconnaissance tool, while the second, linked to the APT31 (Zirconium) threat group, established command-and-control (C2) communication over TCP port 443, mimicking legitimate HTTPS traffic. Persistence was further ensured by adding an SSH key to authorized_keys and altering iptables rules to allow unrestricted network traffic.
The attack chain highlights the risks of unvetted dependencies, particularly in cryptographic libraries handling sensitive operations. Organizations using Go modules were advised to audit dependencies, monitor CI pipelines for suspicious changes, and enforce security controls like multi-factor authentication (MFA) to mitigate supply-chain threats.
Source: https://cyberpress.org/go-crypto-steals-credentials-deploys-rekoobe/
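A defender-side check for the dependency-audit advice above, added here as an example and not code from Socket or the article: it scans go.mod text for a replace directive that redirects golang.org/x/crypto (or any golang.org/x/ module) to another host, and for a required module that reuses an x/ package name on a different host, as github.com/xinfeisoft/crypto does. The sample go.mod, the knownX list and the trustedHost constant are constructed assumptions, and the check is a heuristic to pair with go.sum verification in CI, not proof that a module is clean.

```go
package main

import (
	"path"
	"strconv"
	"strings"
)
// Constructed sample go.mod (not from the page) that pulls in the impersonating module named in the article.
const sampleGoMod = `module example.com/app
require (
	golang.org/x/crypto v0.31.0
	github.com/xinfeisoft/crypto v0.1.0
)
replace golang.org/x/crypto => github.com/xinfeisoft/crypto v0.1.0
`
const trustedHost = "golang.org/x/"
// knownX: golang.org/x/ package names that a lookalike module is likely to reuse (assumed list).
var knownX = map[string]bool{"crypto": true, "net": true, "sys": true, "text": true, "term": true, "oauth2": true}
// check inspects one require or replace entry and returns a "LINE: reason" hit, or nil.
func check(line int, directive string, args []string) []string {
	if directive == "require" && len(args) > 0 && !strings.HasPrefix(args[0], trustedHost) && knownX[path.Base(args[0])] {
		return []string{strconv.Itoa(line) + ": module " + args[0] + " mirrors a golang.org/x/ package name"}
	}
	if before, after, ok := strings.Cut(strings.Join(args, " "), "=>"); directive == "replace" && ok { // OLD [v] => NEW [v]
		old, nw := strings.Fields(before), strings.Fields(after)
		if len(old) > 0 && len(nw) > 0 && strings.HasPrefix(old[0], trustedHost) && !strings.HasPrefix(nw[0], trustedHost) {
			return []string{strconv.Itoa(line) + ": replace redirects " + old[0] + " to " + nw[0]}
		}
	}
	return nil
}

// AuditGoMod flags replace directives that move a golang.org/x/ module off golang.org and require
// entries that reuse an x/ package name on another host, in single-line or "( ... )" block form.
func AuditGoMod(contents string) []string {
	out, block := []string{}, "" // block: directive that opened the current "( ... )" group
	for i, raw := range strings.Split(contents, "\n") {
		f := strings.Fields(raw)
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case block != "":
			out = append(out, check(i+1, block, f)...)
		default:
			out = append(out, check(i+1, f[0], f[1:])...)
		}
	}
	return out
}
```

Run it against a checked-out go.mod in CI and fail the build on any hit, then confirm each finding by hand before allowing an exception.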
"id": "GITSOF1772540739",
"linkid": "github, software-sources",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology, Software Development', 'type': 'Organizations using Go modules'}],
'attack_vector': 'Malicious Third-Party Module',
'data_breach': {'data_exfiltration': 'Yes (to remote server controlled by threat actor)',
'personally_identifiable_information': 'Credentials',
'sensitivity_of_data': 'High (Credentials, SSH Keys)',
'type_of_data_compromised': 'Credentials, System Configuration Data'},
'impact': {'data_compromised': 'Credentials, System Configuration Data',
'identity_theft_risk': 'High',
'operational_impact': 'Unauthorized access, Persistent backdoor',
'systems_affected': 'Linux systems using the malicious Go module'},
'initial_access_broker': {'backdoors_established': 'Rekoobe Linux backdoor (*sss.mp5*, *555.mp5*)',
'entry_point': 'Malicious Go module (*github.com/xinfeisoft/crypto*)'},
'lessons_learned': 'Risks of unvetted dependencies in cryptographic libraries, importance of auditing third-party modules and monitoring CI pipelines for suspicious changes.',
'motivation': 'Credential Theft, Espionage',
'post_incident_analysis': {'corrective_actions': 'Audit dependencies, enforce MFA, monitor CI pipelines, implement enhanced monitoring',
'root_causes': 'Supply-chain compromise via malicious Go module impersonation, lack of dependency vetting'},
'recommendations': 'Audit dependencies, monitor CI pipelines for suspicious changes, enforce security controls like MFA, and implement enhanced monitoring.',
'references': [{'source': 'Socket’s Threat Research Team'}],
'response': {'enhanced_monitoring': 'Recommended',
'remediation_measures': 'Audit dependencies, monitor CI pipelines for suspicious changes, enforce MFA',
'third_party_assistance': 'Socket’s Threat Research Team'},
'threat_actor': 'APT31 (Zirconium)',
'title': 'Malicious Go Module Backdoors Systems with Rekoobe, Steals Credentials',
'type': 'Supply-Chain Attack',
'vulnerability_exploited': 'Impersonation of legitimate Go module (*golang.org/x/crypto*)'}