Is an SSH brute-force Go module stealing your credentials?

Cybersecurity researchers have identified a malicious Go module, dubbed “golang-random-ip-ssh-bruteforce,” which masquerades as a brute-force tool for SSH but is designed to covertly exfiltrate credentials to its creator. According to Socket researcher Kirill Boychenko, upon the first successful login, the module transmits the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor. Although the associated GitHub account, IllDieAnyway (G3TT), is no longer accessible, the module remains available on pkg.go[.]dev, having been published on June 24, 2022. The Go module scans random IPv4 addresses for exposed SSH services on TCP port 22 and attempts to brute-force these services using a simple username-password list, while also disabling host key verification to accept connections from any server.

The malicious code operates in an infinite loop, generating IPv4 addresses and executing concurrent SSH logins from the embedded wordlist, which includes common usernames like “root” and “admin” paired with weak passwords such as “password,” “12345678,” and “letmein.” Successful credentials are sent to a Telegram bot named “@sshZXC_bot” via the API, which acknowledges receipt of the information. An Internet Archive snapshot of the now-removed GitHub account reveals a portfolio that includes an IP port scanner and a PHP-based command-and-control botnet. The threat actor is believed to be of Russian origin, and the module effectively offloads scanning and password guessing to unsuspecting operators, thereby spreading risk across multiple IPs while funneling successful logins to a single Telegram bot.