Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

Ravie Lakshmanan, Feb 27, 2026. Malware / Linux Security
Source: https://thedigitalfortress.us/?p=102

Cybersecurity researchers have disclosed details of a malicious Go module that's designed to harvest passwords, create persistent access via SSH, and deliver a Linux backdoor named Rekoobe.

The Go module, github[.]com/xinfeisoft/crypto, impersonates the legitimate golang.org/x/crypto codebase but injects malicious code that exfiltrates secrets entered at terminal password prompts to a remote endpoint, fetches a shell script in response, and executes it.

"This activity fits namespace confusion and impersonation of the legitimate golang.org/x/crypto subrepository (and its GitHub mirror github.com/golang/crypto)," Socket security researcher Kirill Boychenko said (https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor). "The legitimate project identifies go.googlesource.com/crypto as canonical and treats GitHub as a mirror, a distinction the threat actor abuses to make github.com/xinfeisoft/crypto look routine in dependency graphs."

Specifically, the malicious code sits in the ssh/terminal/terminal.go file, so that every time a victim application invokes ReadPassword(), the function used to read a password from a terminal without echoing it, the module also captures the interactive secret.

The downloaded script acts as a Linux stager: it appends a threat actor's SSH key to /home/ubuntu/.ssh/authorized_keys, sets the iptables default policies to ACCEPT in an attempt to loosen firewall restrictions, and retrieves additional payloads from an external server, disguising them with the .mp5 extension.

Of the two payloads, one is a helper that tests internet connectivity and attempts to communicate with the IP address 154.84.63[.]184 over TCP port 443. The program likely functions as a recon tool or loader, Socket noted.

The second payload has been assessed to be Rekoobe, a known Linux trojan that has been detected in the wild since at least 2015 (https://vms.drweb.com/virus/?i=7754026&lng=en). The backdoor is capable of receiving commands from an attacker-controlled server to download more payloads, steal files, and launch a reverse shell (Intezer: https://intezer.com/blog/linux-rekoobe-operating-with-new-undetected-malware-samples/; TechEvo: https://blog.techevo.uk/analysis/linux/2024/11/30/rekoobe-apt31-linux-backdoor.html). As recently as August 2023, Rekoobe has been used by Chinese nation-state groups such as APT31.

While the package remains listed on pkg.go.dev (https://pkg.go.dev/github.com/xinfeisoft/crypto), the Go security team has taken steps to block it as malicious.

"This campaign will likely repeat because the pattern is low-effort and high-impact: a lookalike module that hooks a high-value boundary (ReadPassword), uses GitHub Raw as a rotating pointer, then pivots into curl | sh staging and Linux payload delivery," Boychenko said.

"Defenders should anticipate similar supply chain attacks targeting other 'credential edge' libraries (SSH helpers, CLI auth prompts, database connectors) and more indirection through hosting surfaces to rotate infrastructure without republishing code."
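The namespace confusion Boychenko describes (a module named like golang.org/x/crypto but published under another GitHub owner, made to look routine in a dependency graph) can be checked mechanically before a build. The following Go program is an added example; it is not code from the article, from Socket, or from the Go project. It parses go.mod text and flags any require entry of the shape host/owner/<x repo name> that lives outside golang.org/x or its github.com/golang mirror, and any replace directive that redirects a real golang.org/x path to another namespace. The list of x/ repository names, the sample go.mod, its version strings and the github.com/evil/net module are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// golang.org/x subrepositories that attract lookalikes. The list is an assumption
// for this example; extend it with the x/ modules your code actually imports.
var xRepos = map[string]bool{"crypto": true, "net": true, "sys": true, "term": true, "text": true, "tools": true, "oauth2": true}

// Finding is one suspicious module path and the go.mod line it came from.
type Finding struct {
	Line   int
	Module string
	Reason string
}

// canonical reports whether a module path lives in one of the two places the
// real x/ subrepositories are served from: golang.org/x or github.com/golang.
func canonical(modPath string) bool {
	return strings.HasPrefix(modPath, "golang.org/x/") || strings.HasPrefix(modPath, "github.com/golang/")
}

// suspiciousPath flags host/owner/<x repo name> published outside those
// namespaces, the shape of github.com/xinfeisoft/crypto; "" means clean.
func suspiciousPath(modPath string) string {
	p := strings.Split(modPath, "/")
	if len(p) != 3 || !xRepos[p[2]] || canonical(modPath) {
		return ""
	}
	return fmt.Sprintf("named like golang.org/x/%s but published under %s/%s", p[2], p[0], p[1])
}

// scanGoMod walks the require and replace directives of go.mod text, in both
// single-line and parenthesised block form, and returns every lookalike found.
func scanGoMod(src string) []Finding {
	var out []Finding
	block := "" // directive name while inside "require (" or "replace ("
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		directive := block
		if block != "" && f[0] == ")" {
			block = ""
			continue
		}
		if block == "" {
			directive, f = f[0], f[1:]
			if len(f) == 1 && f[0] == "(" {
				block = directive
				continue
			}
		}
		switch directive {
		case "require":
			if len(f) > 0 {
				if r := suspiciousPath(f[0]); r != "" {
					out = append(out, Finding{n, f[0], r})
				}
			}
		case "replace":
			// "old [version] => new [version]": pointing a real golang.org/x path
			// at another namespace swaps the code without touching any import.
			arrow := -1
			for i, tok := range f {
				if tok == "=>" {
					arrow = i
				}
			}
			if arrow < 1 || arrow+1 >= len(f) {
				break
			}
			old, repl := f[0], f[arrow+1]
			local := strings.HasPrefix(repl, ".") || strings.HasPrefix(repl, "/") // filesystem replace, not a lookalike
			if strings.HasPrefix(old, "golang.org/x/") && !local && !canonical(repl) {
				out = append(out, Finding{n, repl, "replace redirects " + old + " to " + repl})
			}
		}
	}
	return out
}

// Constructed go.mod standing in for a real project; the xinfeisoft version
// string and the github.com/evil/net module are made up for the example.
const sampleGoMod = `module example.com/app

require (
	github.com/spf13/cobra v1.8.0
	github.com/xinfeisoft/crypto v1.0.0
	golang.org/x/crypto v0.31.0
)
replace golang.org/x/net v0.30.0 => github.com/evil/net v0.0.1
`

func main() {
	for _, f := range scanGoMod(sampleGoMod) {
		fmt.Printf("go.mod:%d %s: %s\n", f.Line, f.Module, f.Reason)
	}
}
```

Run it in CI over go.mod and fail the build on any finding, then review by hand; a legitimate project only ever pulls these packages from golang.org/x (or, through a replace, from github.com/golang). Two caveats: the check is a heuristic keyed on repository names, so an unrelated module that happens to be called crypto or net will also surface for review, and golang.org/x/crypto/ssh/terminal itself has been deprecated in favour of golang.org/x/term, so either canonical path may appear in a healthy dependency graph.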
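The stager's footprint on a compromised host (an extra entry in authorized_keys, iptables default policies flipped to ACCEPT, a helper talking to 154.84.63[.]184 on TCP 443) is what an incident responder would triage first. The following Go program is an added example and is not code from the article or from Socket; it runs those three checks over constructed text embedded inline (an authorized_keys file, iptables-save output and ss -tn output). The allow-list of SSH keys, the key material and the process name "helper" in the sample are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// c2Endpoints is the helper's endpoint from the report. allowedKeys is an
// assumption: populate it from configuration management, never from the host
// under examination, and the key blobs below are constructed placeholders.
var (
	c2Endpoints = map[string]bool{"154.84.63.184:443": true}
	allowedKeys = map[string]bool{
		"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyConstructedForExample":    true,
		"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBackupKeyConstructedForExample": true,
	}
)

// keyID reduces an authorized_keys entry to "<type> <blob>", ignoring options
// such as from="..." in front of the key and any comment after it.
func keyID(entry string) string {
	f := strings.Fields(entry)
	for i := 0; i+1 < len(f); i++ {
		if t := f[i]; strings.HasPrefix(t, "ssh-") || strings.HasPrefix(t, "ecdsa-") || strings.HasPrefix(t, "sk-") {
			return t + " " + f[i+1]
		}
	}
	return ""
}

// unexpectedKeys returns entries not on the allow-list; the stager appends the
// attacker's key to /home/ubuntu/.ssh/authorized_keys, so each one is a finding.
func unexpectedKeys(authorizedKeys string, allow map[string]bool) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(authorizedKeys))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if id := keyID(line); id == "" || !allow[id] {
			out = append(out, line)
		}
	}
	return out
}

// acceptPolicies parses iptables-save output and returns the filter-table
// chains whose default policy is ACCEPT, which is what the stager sets.
func acceptPolicies(iptablesSave string) []string {
	var out []string
	table := ""
	sc := bufio.NewScanner(strings.NewReader(iptablesSave))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "*") { // table header such as "*filter"
			table = line[1:]
		} else if table == "filter" && strings.HasPrefix(line, ":") { // ":INPUT ACCEPT [0:0]"
			if f := strings.Fields(line[1:]); len(f) >= 2 && f[1] == "ACCEPT" {
				out = append(out, f[0])
			}
		}
	}
	return out
}

// c2Connections returns the `ss -tn` lines whose peer address (fifth column)
// is a known C2 endpoint.
func c2Connections(ssOutput string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 5 && c2Endpoints[f[4]] {
			out = append(out, sc.Text())
		}
	}
	return out
}

// Constructed samples standing in for live host data.
const (
	sampleAuthorizedKeys = `# managed keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyConstructedForExample ops@example.com
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBackupKeyConstructedForExample backup
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAttackerKeyConstructedForExample`
	sampleIptables = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
	sampleSS       = `State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41822 154.84.63.184:443 users:(("helper",pid=4242,fd=3))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51002 users:(("sshd",pid=901,fd=4))`
)

func main() {
	fmt.Println("unexpected keys:", unexpectedKeys(sampleAuthorizedKeys, allowedKeys))
	fmt.Println("ACCEPT policies:", acceptPolicies(sampleIptables))
	fmt.Println("C2 sockets:", c2Connections(sampleSS))
}
```

On a live host, feed the functions the contents of every user's authorized_keys (not only /home/ubuntu), the output of iptables-save and of ss -tn; the parsing does not change. The fourth indicator from the report, payloads renamed with a .mp5 extension, needs no parser: a filesystem walk for that extension (for instance find / -xdev -name '*.mp5') covers it. Treat an ACCEPT default policy on INPUT as a finding only where the baseline for that host is DROP; OUTPUT ACCEPT is the usual default on most distributions.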