Unmasking the Malicious Go Module: How a Rekoobe Backdoor Aims to Steal Your Passwords

Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

February 27, 2026
By Ravie Lakshmanan — The Hacker News

Cybersecurity researchers have uncovered a new supply chain attack involving a malicious Go programming language module designed to steal passwords, establish persistent SSH access, and deploy a sophisticated Linux backdoor known as Rekoobe.

Impersonation of a Legitimate Go Library

The malicious package, hosted at github.com/xinfeisoft/crypto, masquerades as the well-known and widely used official Go cryptography library golang.org/x/crypto. By taking advantage of namespace confusion and the common practice of relying on GitHub mirrors for Go modules, threat actors have crafted a near-identical repository that appears routine in dependency graphs but is in fact embedded with malicious code.

According to Kirill Boychenko, a cybersecurity researcher at Socket Security, "The legitimate project’s canonical source is go.googlesource.com/crypto, while GitHub is treated as just a mirror. This subtle distinction is abused to mislead developers and automated systems, making the malicious module look legitimate."

How the Malware Operates

The inserted backdoor resides specifically within the ssh/terminal/terminal.go file of the fake module. It targets the ReadPassword() function, a critical piece of code designed to securely read password input from users via terminal prompts. Instead of performing its intended function, this malicious code captures any secrets input by a victim and exfiltrates them to a remote server controlled by the attacker.

Once the password data is harvested, the module fetches and executes a shell script. This script functions as a Linux stager, carrying out several malicious tasks:

• Adds the attacker’s SSH key to the victim’s /home/ubuntu/.ssh/authorized_keys file, granting persistent and stealthy SSH access.
• Adjusts iptables firewall rules to set default policies to ACCEPT, thereby weakening firewall protections and facilitating incoming connections.
• Downloads additional payloads disguised with the .mp5 extension from an external server to avoid detection.

Additional Payloads and Rekoobe Backdoor Deployment

Two main payloads are retrieved during this stage:

1. Connectivity Helper: A helper executable which verifies internet connectivity and attempts to communicate with an IP address (154.84.63[.]184) on TCP port 443. This program likely serves as reconnaissance or loader to prepare the system for additional malware.

2. Rekoobe Backdoor: The second and primary payload is identified as Rekoobe, a known sophisticated Linux Trojan active since at least 2015. Rekoobe allows attackers to issue commands remotely, download further malicious payloads, steal confidential files, and execute reverse shell sessions to maintain control over compromised systems.

Importantly, recent intelligence reports indicate that Chinese state-sponsored group APT31 has employed Rekoobe as recently as August 2023, highlighting the malware’s prominence in advanced persistent threat (APT) campaigns.

Ongoing Risks and Defensive Recommendations

Despite its malicious nature, the compromised Go module remains listed on the official Go package registry at pkg.go.dev. In response, the Go security team has taken steps to block the package to prevent further abuse.

Boychenko emphasized the ease and impact of this attack method: "This campaign will likely repeat because it requires low effort but has high impact: a lookalike module hooks a high-value boundary function (ReadPassword), uses rotating GitHub raw URLs to fetch scripts, then uses curl | sh staging to deploy Linux payloads."

He warns defenders to remain vigilant against similar supply chain attacks targeting other credential-sensitive Go libraries such as SSH helpers, CLI authentication prompts, and database connectors. Additionally, attackers may increase the complexity of their infrastructure by rotating hosting surfaces to avoid detection without republishing malicious code.

What Users and Developers Should Do

• Audit Dependencies: Developers should carefully review dependencies, especially those that handle sensitive authentication functions, to ensure their provenance and authenticity.
• Monitor Package Registries: Stay informed about security advisories related to open source packages and promptly update or remove compromised modules.
• Harden SSH and Firewall Rules: System administrators should routinely check for unauthorized SSH keys in authorized_keys files and enforce strict firewall policies.
• Utilize Endpoint Detection: Deploying advanced threat detection tools can help identify anomalous network traffic and suspicious processes indicative of backdoor activity.

The Hacker News remains committed to delivering timely cybersecurity updates and expert analysis. Follow us on Google News, Twitter, and LinkedIn for more exclusive coverage.

Tags: Backdoor, Cybersecurity, Go Programming, Linux Security, Malware, Open Source, SSH, Supply Chain Attack, Threat Intelligence