A malicious Go module impersonating golang.org/x/crypto steals passwords and deploys the Rekoobe Linux backdoor through supply chain attacks.
A malicious Go module has been discovered that impersonates legitimate cryptographic libraries to steal passwords and deploy a Linux backdoor named Rekoobe. The campaign, detailed by Socket security researcher Kirill Boychenko, represents a sophisticated supply chain attack targeting developers who rely on Go modules for cryptographic functionality.
The Impersonation Strategy
The malicious module, hosted at github[.]com/xinfeisoft/crypto, deliberately mimics the legitimate "golang.org/x/crypto" codebase. This impersonation exploits a common pattern where developers trust GitHub mirrors of official Go packages without verifying their authenticity. The threat actor leverages namespace confusion by creating a package that appears routine in dependency graphs while containing malicious code.
How the Password Theft Works
The backdoor is embedded within the "ssh/terminal/terminal.go" file, specifically targeting the ReadPassword() function. This function is designed to securely read passwords and other sensitive input from terminal prompts. However, the malicious version intercepts this data and exfiltrates it to a remote endpoint controlled by attackers.
Every time a victim application calls ReadPassword(), the malicious code captures whatever the user types, whether it is a password, API key, or other sensitive credential. This represents a critical breach of trust, as developers expect terminal input functions to be secure by design.
The Multi-Stage Attack Chain
Once passwords are harvested, the module downloads and executes a shell script that serves as a Linux stager. This script performs several malicious actions:
- Appends the attacker's SSH key to "/home/ubuntu/.ssh/authorized_keys" to establish persistent remote access
- Modifies iptables default policies to ACCEPT, effectively disabling firewall protections
- Downloads additional payloads disguised with ".mp5" extensions to avoid detection
The first payload acts as a reconnaissance tool, testing internet connectivity and attempting to communicate with the IP address "154.84.63[.]184" over TCP port 443. This likely serves as a loader or initial staging mechanism for further compromise.
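The three host changes listed above can be checked from a defender's side. The following Go program is an added example written for this article, not code from Socket or from the campaign: it compares an authorized_keys file against a known baseline, flags default-policy drift in `iptables -S` output, and lists files carrying the ".mp5" disguise extension. The baseline policies, key blobs and file names are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Expected default chain policies on a hardened host (an assumption for this example).
var expectedPolicy = map[string]string{"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

// Constructed sample data; both key blobs are dummies, not keys from the campaign.
const baselineKeys = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEADMIN admin@laptop\n"
const sampleAuthKeys = baselineKeys + "# comment\nssh-rsa AAAAB3NzaC1yc2EEXAMPLEAPPENDED root@unknown\n"
const sampleIptables = "-P INPUT ACCEPT\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n-A INPUT -p tcp --dport 22 -j ACCEPT\n"
var sampleFiles = []string{"/tmp/update.mp5", "/tmp/notes.txt"}

// keyID returns "type blob" for an authorized_keys line, or "" for blank/comment lines.
func keyID(line string) string {
	f := strings.Fields(line)
	if len(f) < 2 || strings.HasPrefix(f[0], "#") {
		return ""
	}
	return f[0] + " " + f[1]
}

// StagerIndicators flags the host changes attributed to the stager: authorized_keys
// entries absent from the baseline, default-policy drift in `iptables -S` output, and
// files carrying the ".mp5" disguise extension.
func StagerIndicators(baseline, authKeys, iptables string, files []string) []string {
	var out []string
	known := map[string]bool{}
	for _, l := range strings.Split(baseline, "\n") {
		known[keyID(l)] = true
	}
	for _, l := range strings.Split(authKeys, "\n") {
		if id := keyID(l); id != "" && !known[id] {
			out = append(out, "unknown authorized_keys entry: "+id)
		}
	}
	for _, l := range strings.Split(iptables, "\n") {
		if f := strings.Fields(l); len(f) == 3 && f[0] == "-P" && expectedPolicy[f[1]] != f[2] {
			out = append(out, "default policy drift: "+f[1]+" is "+f[2])
		}
	}
	for _, p := range files {
		if strings.HasSuffix(p, ".mp5") {
			out = append(out, "disguised payload extension: "+p)
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(StagerIndicators(baselineKeys, sampleAuthKeys, sampleIptables, sampleFiles), "\n")) }
```

On a live host the inputs would come from /home/ubuntu/.ssh/authorized_keys, `iptables -S` and a file listing of the download locations; keys are compared by type and blob so a changed comment field does not mask a known key.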
The Rekoobe Backdoor
The second payload is identified as Rekoobe, a Linux trojan that has been active in the wild since at least 2015. This backdoor provides attackers with comprehensive control over compromised systems:
- Receives commands from attacker-controlled servers
- Downloads additional malicious payloads
- Steals files from the infected system
- Executes reverse shells for remote command execution
Rekoobe has been notably used by Chinese nation-state groups like APT31 as recently as August 2023, indicating that this malware continues to be a preferred tool for advanced persistent threat actors.
Supply Chain Attack Implications
This campaign demonstrates the effectiveness of supply chain attacks that target widely used libraries. By compromising a single module that handles credential input, attackers can potentially compromise thousands of applications that depend on it.
The Go security team has taken action to block the package as malicious, but the module remains listed on pkg.go.dev, highlighting the challenges of removing malicious packages from public repositories.
Defense Recommendations
Boychenko warns that this attack pattern is likely to repeat due to its "low-effort and high-impact" nature. The strategy involves:
- Creating lookalike modules that hook high-value boundaries like credential input
- Using GitHub Raw as a rotating pointer for infrastructure
- Pivoting into curl | sh staging and Linux payload delivery
Defenders should anticipate similar attacks targeting other "credential edge" libraries, including SSH helpers, CLI authentication prompts, and database connectors. The use of multiple hosting surfaces to rotate infrastructure without republishing code makes these attacks particularly resilient.
Broader Context
This attack comes amid a wave of sophisticated cybersecurity threats. Recent incidents include Dell RecoverPoint for VMs being exploited since mid-2024 through a zero-day vulnerability (CVE-2026-22769), ClickFix campaigns abusing compromised sites to deploy MIMICRAT malware, and the Cline CLI 2.3.0 supply chain attack that installed OpenClaw on developer systems.
The persistence of older malware like Rekoobe, combined with new attack techniques, demonstrates that threat actors continue to find success with established tools while evolving their delivery mechanisms. Organizations must maintain vigilance not only against new threats but also against the creative repurposing of existing malware in novel attack campaigns.
For developers and security teams, this incident underscores the critical importance of verifying the authenticity of third-party dependencies, monitoring for unusual network activity, and implementing defense-in-depth strategies that don't rely solely on package repository security.
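The impersonation pattern described under "The Impersonation Strategy" (a third-party module reusing the name of a golang.org/x package) can be screened for in go.mod before a build. The following Go program is an added example for this article, not code from Socket or the Go team: it scans go.mod text and reports required modules whose final path element matches a well-known golang.org/x name but which are hosted outside that namespace. The name list and the sample go.mod, including the lookalike path, are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Well-known golang.org/x module names; a requirement ending in one of these but hosted
// outside golang.org/x/ is a lookalike candidate (as with the x/crypto clone described).
var xNames = map[string]bool{"crypto": true, "net": true, "sys": true, "text": true, "term": true, "oauth2": true}
// Constructed sample go.mod; the lookalike path below is invented for this example.
const sampleGoMod = `module example.com/app
require (
	github.com/example-lookalike/crypto v0.1.0
	golang.org/x/crypto v0.31.0
)
require golang.org/x/net v0.33.0
`
// LookalikeModules returns module paths in go.mod text that reuse a golang.org/x package
// name from outside the golang.org/x namespace. Block and single-line requires are handled.
func LookalikeModules(gomod string) []string {
	var hits []string
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 0:
			continue
		case f[0] == "require" && len(f) > 1 && f[1] == "(":
			inRequire = true
			continue
		case f[0] == ")":
			inRequire = false
			continue
		case f[0] == "require" && len(f) > 1:
			f = f[1:] // single-line form: require <path> <version>
		case !inRequire:
			continue // other directives (module, go, replace, exclude ...)
		}
		path := f[0]
		if name := path[strings.LastIndex(path, "/")+1:]; xNames[name] && !strings.HasPrefix(path, "golang.org/x/") {
			hits = append(hits, path)
		}
	}
	return hits
}

func main() { fmt.Println("suspicious modules:", LookalikeModules(sampleGoMod)) }
```

Treat hits as review candidates rather than verdicts: a legitimately named third-party "net" or "term" package matches the same heuristic, so each hit should be confirmed against the module's origin and its checksum in go.sum.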