Cybersecurity researchers have identified a deceptive Go module that poses as an SSH brute-force tool but covertly transmits captured credentials to its creator. This module, named golang-random-ip-ssh-bruteforce, was published on June 24, 2022, and remains accessible on pkg.go.dev.
Upon achieving a successful SSH login, the module sends the target’s IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor. This functionality was uncovered by Socket researcher Kirill Boychenko.
The module operates by scanning random IPv4 addresses for exposed SSH services on TCP port 22. It then attempts to brute-force these services using an embedded list of usernames and passwords. Notably, the module disables host key verification by setting ssh.InsecureIgnoreHostKey as a HostKeyCallback, allowing the SSH client to accept connections from any server without verifying its identity.
The embedded wordlist is relatively simple, including usernames such as root and admin, paired with weak passwords like root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.
The module runs in an infinite loop, generating random IPv4 addresses and attempting concurrent SSH logins using the wordlist. Upon a successful login, the credentials are transmitted to a Telegram bot named @sshZXC_bot via the API, which then acknowledges receipt. The messages are sent through the bot to an account with the handle @io_ping (Gett).
The GitHub account associated with this module, IllDieAnyway (G3TT), is currently inaccessible. However, an Internet Archive snapshot reveals that the account’s software portfolio included an IP port scanner, an Instagram profile info and media parser, and a PHP-based command-and-control (C2) botnet called Selica-C2.
The associated YouTube channel, which remains accessible, hosts various short-form videos on topics such as "How to hack a Telegram bot" and what is claimed to be the most powerful SMS bomber for the Russian Federation, capable of sending spam SMS texts and messages to VK users using a Telegram bot. This suggests that the threat actor may be of Russian origin.
According to Boychenko, the package offloads scanning and password guessing to unwitting operators, spreads risk across their IPs, and funnels the successes to a single threat actor-controlled Telegram bot. By disabling host key verification, driving high concurrency, and exiting after the first valid login to prioritize quick capture, the module effectively evades detection. Additionally, because the Telegram Bot API uses HTTPS, the traffic resembles normal web requests, allowing it to slip past coarse egress controls.
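The two tells described above, a host key callback set to ssh.InsecureIgnoreHostKey and a hard-coded Telegram Bot API endpoint, are easy to catch in a dependency audit before a module like this ever runs. The following Go program is an added example, not code from the module or from Socket: it parses a Go source file with the standard library's go/ast and flags both constructs. The Sample source it audits is constructed for the demonstration and only mimics the shape of the module's client setup.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one suspicious construct located in a Go source file.
type Finding struct {
	Line       int
	Kind, Text string
}

// Sample is a constructed stand-in for the module's SSH client setup (not the
// real package source): host key checking is disabled and a Telegram Bot API
// endpoint is embedded, which are the two tells the audit looks for.
const Sample = `package main
import "golang.org/x/crypto/ssh"
func dial() {
	cfg := &ssh.ClientConfig{HostKeyCallback: ssh.InsecureIgnoreHostKey()}
	const api = "https://api.telegram.org/bot<TOKEN>/sendMessage"
	_, _ = cfg, api
}`

// AuditGoSource parses one Go file and reports every ssh.InsecureIgnoreHostKey
// reference and every string literal that points at the Telegram Bot API.
func AuditGoSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.SelectorExpr: // qualified identifier such as ssh.InsecureIgnoreHostKey
			if pkg, ok := x.X.(*ast.Ident); ok && pkg.Name == "ssh" && x.Sel.Name == "InsecureIgnoreHostKey" {
				out = append(out, Finding{fset.Position(x.Pos()).Line, "host-key-verification-disabled", "ssh.InsecureIgnoreHostKey"})
			}
		case *ast.BasicLit: // hard-coded exfiltration endpoint in a string literal
			if x.Kind == token.STRING && strings.Contains(x.Value, "api.telegram.org/bot") {
				out = append(out, Finding{fset.Position(x.Pos()).Line, "telegram-bot-api-endpoint", x.Value})
			}
		}
		return true
	})
	return out, nil
}
```

Run AuditGoSource over every .go file in a vendored or module-cache copy of a dependency; a host key callback that ignores verification combined with an outbound Bot API URL is a strong signal to quarantine the package and inspect the rest of it by hand.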