A Go package disguised as an SSH brute forcer has been caught stealing credentials and sending them straight to a Telegram bot controlled by a Russian-speaking threat actor.
Socket’s Threat Research Team found the package, called golang-random-ip-ssh-bruteforce, still live on GitHub and the Go Module registry. It claims to be a “fast” SSH brute forcer. In reality, it hands over the first successful login to its author. IP, username, and password are exfiltrated to a hardcoded Telegram bot. The operator never sees their own win.
How It Works
The code runs an endless loop. It generates random IPv4 addresses, checks for open SSH services on port 22, and launches login attempts from a short, static wordlist. On the first success, it skips host key verification, transmits the stolen credentials via Telegram, signals completion, and exits.
The exfiltration endpoint is not hidden. A live bot token, the bot username @sshZXC_bot, and the destination chat @io_ping confirm that the credentials flow directly to the threat actor. Telegram acknowledges each delivery with an “ok.”
The embedded wordlist is small but telling. It pairs root and admin with weak or default passwords: toor, raspberry, dietpi, alpine, 123456, webadmin, webmaster. Many of these point to IoT devices, single-board computers, or hastily deployed servers still running defaults. Breadth over depth. One hit is enough.
Strategy in Plain Sight
The play is simple. Publish a free offensive utility, attract operators, then funnel their gains into a single collection point. The risk and resource cost are pushed onto others, while the author captures fresh SSH credentials without lifting a finger. Telegram traffic rides over HTTPS, blending into ordinary web requests.
The actor behind this goes by IllDieAnyway on GitHub, also known as G3TT. Their profile hosts a suite of offensive tools: fast port scanners, a phpMyAdmin brute forcer with Telegram callback, a DDoS crawler, and a C2 framework called Selica. Several repositories advertise Telegram integration. The operational pattern is consistent.
Artifacts across these projects point to a Russian-speaking operator. Full documentation and interfaces are in Russian. Some tools target VKontakte, Russia’s dominant social platform. While language alone does not prove geography, the evidence supports a high-confidence assessment.
Risks for Operators
Anyone running this package is not just helping a stranger; they are exposing themselves. Brute forcing SSH can lead to legal and contractual consequences. Providers often blacklist activity of this nature. Each stolen credential is enough to open a session, deploy malware, or stage ransomware. The fact that the exfiltration is hardcoded means all rewards flow in one direction.
This case highlights how offensive utilities can betray the very operators who run them. The advice is straightforward:
- Treat untrusted offensive tools as hostile until proven otherwise.
- Review code before execution.
- Control egress traffic, especially to messaging APIs.
- Watch for suspicious patterns such as calls to the Telegram Bot API or use of ssh.InsecureIgnoreHostKey.
Supply chain security now means more than preventing malicious code from entering production. It also means protecting those who experiment with tools that promise shortcuts but deliver compromise.
Quiet Credential Harvesting
Randolph Barr, Chief Information Security Officer at Cequence Security, says the real danger of this malicious Go module isn’t the brute-forcing itself but the quiet credential harvesting.
“Anyone who downloads and runs it, whether a sysadmin, researcher, or developer, is effectively handing over valid SSH logins to an attacker. Those stolen credentials get funneled into a central Telegram bot and added to a growing library attackers can resell, trade, or reuse later to target enterprises, cloud environments, or even financial systems.”
Barr says that makes the most likely threat credential harvesting for future use. “Instead of immediately exploiting every server, the attacker is building a pool of access points that can fuel ransomware staging, cryptojacking, or targeted intrusions down the line. What makes this especially concerning is that it’s not just pentest tools at risk.”
Bad actors have used the same approach in npm, PyPI, RubyGems, Maven, NuGet, and now pkg.go.dev, slipping backdoors into packages that developers and enterprises pull in automatically as dependencies, he adds. “If even one malicious dependency makes it into the chain, it can leak secrets, plant backdoors, or spread malware downstream to partners and customers.”
For security teams, Barr says the takeaways are:
- Treat any package from GitHub, pkg.go.dev, npm, or PyPI as untrusted until vetted.
- Enforce supply chain scanning, SBOM validation, and code provenance checks.
- Harden SSH by disabling root logins, requiring keys instead of passwords, and monitoring for abnormal outbound traffic (like calls to Telegram APIs).
- Assume adversaries are patient: they’re building credential libraries today to use against us tomorrow.
Unwilling Participants
The malicious package is designed to distribute the workload of compromising SSH servers to whomever installs the package, comments Thomas Richards, Infrastructure Security Practice Director at Black Duck.
“While the systems within an organization are not targeted, the organization unwillingly becomes part of a malicious threat actor. This puts the organization at risk of being identified as being compromised and malicious as it attempts to log into SSH servers on the internet. If placed on malicious activity blacklists, an organization could face reputation issues and blocked access to other systems that deny activity from blacklisted IP addresses. Security teams should do a package sweep in their Go development environments and verify the package is not installed and ensure uncompromised trust in software.”
Curiosity Converted to Compromise
Jason Soroko, Senior Fellow at Sectigo, says the real danger is that a tool posing as researchware silently converts curiosity into compromise by stealing working SSH credentials the moment it lands a hit and sending them to the malefactor. “Because it disables host key checks and tries weak root and admin passwords, a single success can grant privileged access on an internet facing host, enable lateral movement, and create persistent footholds that look like normal admin activity.”
Soroko says security teams should treat unvetted offensive tools as hostile, read and build Go modules from source only after review, pin and vendor dependencies, and run any testing in isolated sandboxes with egress restrictions and no real secrets. “Enforce key based SSH and disable password logins, rotate any credentials exposed during testing, monitor for bursts of SSH attempts and for outbound connections to Telegram and similar messaging APIs, and add detections for programs that set InsecureIgnoreHostKey. Treat this as a software supply chain exposure and use signed releases, SBOMs, least privilege, and strict egress controls to reduce blast radius.”
Supply Chains in the Crosshairs
Shane Barney, Chief Information Security Officer at Keeper Security, says this incident reinforces the reality that today’s software supply chain is a prime target for attackers. “By hiding malicious functionality inside what looks like a legitimate tool, adversaries are able to exploit both the systems being scanned and the people running the code. This highlights the importance of scrutinizing every dependency, even those that appear benign, before it becomes part of your environment.”
The broader takeaway for security leaders is that vigilance can’t stop at the network edge – it must extend into the tools and dependencies we use every day. “Treating all code as potentially hostile until verified, enforcing least-privilege access and embracing a zero-trust mindset are critical steps to reducing exposure and building resilience,” Barney ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.