
Malicious Go Module Impersonates crypto Library to Deploy Rekoobe Backdoor


A Supply Chain Attack Hiding in Plain Sight

A malicious Go module named github.com/xinfeisoft/crypto has been discovered impersonating the widely used golang.org/x/crypto library. The module intercepts SSH password input, exfiltrates the credentials to attacker infrastructure, and deploys the Rekoobe backdoor, a Linux trojan historically linked to the Chinese state-sponsored group APT31.

The Go security team has since blocked the module on pkg.go.dev, but the attack illustrates a growing trend: supply chain compromises that target developer toolchains rather than production systems directly. One practical check follows from the naming alone: the genuine library is only ever imported as golang.org/x/crypto, so a build that resolves it from any other module path should be treated as suspect.

How the Attack Works

Phase 1: Credential Theft via ReadPassword() Hook

The backdoor is embedded in ssh/terminal/terminal.go, specifically in the ReadPassword() function, the routine applications call to read a password from a terminal without echoing it. Any application that imports this module and prompts for an SSH password will silently send the captured credentials to an attacker-controlled endpoint.
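To find out whether a build pulls in the impostor instead of the genuine golang.org/x/crypto, here is an added example that is not code from the advisory or from the Go project. It audits go.mod text and flags three things: the module path named as an IOC above, any module outside golang.org/x/ whose last path element reuses a golang.org/x package name (the pattern this impostor follows), and any replace directive that redirects a golang.org/x module somewhere else. The sample go.mod, the module name example.com/deploytool, github.com/someone/term and the list of x/ package names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod used as sample input for the example; not from any real project.
const sampleGoMod = `module example.com/deploytool

go 1.22

require (
	github.com/spf13/cobra v1.8.0
	github.com/xinfeisoft/crypto v0.0.0-20240101000000-0123456789ab
	golang.org/x/crypto v0.21.0
	golang.org/x/sys v0.18.0
)

replace golang.org/x/term => github.com/someone/term v0.0.1
`

// Module paths the advisory names as malicious.
var knownBad = map[string]bool{
	"github.com/xinfeisoft/crypto": true,
}

// Package names under golang.org/x/ that a squatter might reuse as the last
// element of a module path. Assumption: an illustrative, not exhaustive, list.
var xPackages = map[string]bool{
	"crypto": true, "net": true, "sys": true, "term": true, "text": true,
	"tools": true, "mod": true, "oauth2": true, "time": true, "sync": true,
}

type Finding struct {
	Module string
	Reason string
}

func lastElem(path string) string {
	if i := strings.LastIndex(path, "/"); i >= 0 {
		return path[i+1:]
	}
	return path
}

// checkModule reports whether a module path is a known IOC or looks like an
// impersonation of a golang.org/x package hosted somewhere else.
func checkModule(path string) (string, bool) {
	switch {
	case knownBad[path]:
		return "known malicious module (IOC)", true
	case strings.HasPrefix(path, "golang.org/x/"):
		return "", false
	case xPackages[lastElem(path)]:
		return "non-golang.org module reuses a golang.org/x package name", true
	}
	return "", false
}

// AuditGoMod scans require lines and replace directives in go.mod text.
func AuditGoMod(text string) []Finding {
	var findings []Finding
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0 || strings.HasPrefix(line, "//"):
			continue
		case line == "require (":
			inRequire = true
			continue
		case inRequire && line == ")":
			inRequire = false
			continue
		case fields[0] == "replace":
			// replace OLD [vX] => NEW [vY]: flag any redirect of golang.org/x/* elsewhere.
			for i, f := range fields {
				if f == "=>" && i > 1 && i+1 < len(fields) {
					oldPath, newPath := fields[1], fields[i+1]
					if strings.HasPrefix(oldPath, "golang.org/x/") && !strings.HasPrefix(newPath, "golang.org/x/") {
						findings = append(findings, Finding{oldPath, "replace redirects it to " + newPath})
					}
					if reason, bad := checkModule(newPath); bad {
						findings = append(findings, Finding{newPath, reason})
					}
				}
			}
			continue
		}
		path := ""
		if inRequire {
			path = fields[0] // "module version [// indirect]" inside a require block
		} else if fields[0] == "require" && len(fields) >= 3 {
			path = fields[1] // single-line "require module version"
		}
		if reason, bad := checkModule(path); path != "" && bad {
			findings = append(findings, Finding{path, reason})
		}
	}
	return findings
}

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		fmt.Printf("%-40s %s\n", f.Module, f.Reason)
	}
}
```

Run it against a real project by replacing sampleGoMod with the contents of its go.mod; the same checks should also be applied to go.sum and to any vendor/modules.txt, since a module can reach the build through an indirect dependency without appearing in the top-level go.mod.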

Phase 2: Shell Script Delivery

After exfiltrating the credentials, the module fetches and executes a shell script that:

  • Appends the threat actor's SSH public keys to /home/ubuntu/.ssh/authorized_keys, giving them persistent SSH access as the ubuntu user
  • Sets the default policy of the iptables chains to ACCEPT, effectively disabling the host firewall
  • Downloads additional payloads disguised with a .mp5 file extension

Phase 3: Rekoobe Backdoor

The final payload is Rekoobe, a Linux backdoor active since 2015 and linked to APT31. It provides remote command execution, file exfiltration, a reverse shell, and staging of additional malware.

Detection & Hunting

MITRE ATT&CK Mapping

Technique                                                                        ID
Supply Chain Compromise: Compromise Software Dependencies and Development Tools  T1195.001
Input Capture: Keylogging                                                        T1056.001
Account Manipulation: SSH Authorized Keys                                        T1098.004
Impair Defenses: Disable or Modify System Firewall                               T1562.004
Ingress Tool Transfer                                                            T1105

IOCs

Type            Value
Go module       github.com/xinfeisoft/crypto
IP address      154.84.63.184 (TCP/443)
File path       ssh/terminal/terminal.go (inside the module)
File extension  .mp5 (downloaded payloads)

Mitigation

  1. Audit Go dependencies for the impostor module: go list -m all | grep xinfeisoft (also check go.sum and any vendor/ directory; the only legitimate import path for this library is golang.org/x/crypto)
  2. Verify module checksums: go.sum records the hash of every module version in the build, so run go mod verify and keep GOSUMDB enabled so that a tampered copy fails to build. Checksums only pin the module you already chose; they do not catch a build that depends on the impostor path in the first place.
  3. Monitor authorized_keys files (~/.ssh/authorized_keys, /home/*/.ssh/authorized_keys, /root/.ssh/authorized_keys) for changes with file integrity monitoring
  4. Alert on iptables default policy changes to ACCEPT, for example by comparing iptables-save output against a known baseline
  5. Hunt for connections to 154.84.63.184:443 in network logs and on hosts (ss -ntp)
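The host-side checks in items 3 to 5, and the Phase 2 script behaviour they target, as an added example that is not code from the advisory. It diffs an authorized_keys file against an allowlist of expected keys, compares two iptables-save dumps for built-in chains whose default policy drifted to ACCEPT, and scans ss -ntp output for the IOC peer address. All inputs are constructed for the example: the key lines carry placeholder blobs rather than real keys, the two iptables dumps and the ss output are invented, and deploytool is a made-up process name.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed authorized_keys content; the blobs are placeholders, not real keys.
const sampleAuthorizedKeys = `# ops keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyPlaceholder ops@bastion
command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABBackupKeyPlaceholder backup@cron
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyPlaceholder root@unknown
`

// Allowlist of "type blob" identities this host is expected to carry (constructed).
var knownKeys = map[string]bool{
	"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOpsKeyPlaceholder": true,
	"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABBackupKeyPlaceholder":   true,
}

// Constructed iptables-save dumps: the baseline and the state after the script ran.
const baselineIptables = `*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
`

const currentIptables = `*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
`

// Constructed "ss -ntp" output.
const sampleSS = `State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:41822 154.84.63.184:443 users:(("deploytool",pid=4242,fd=7))
ESTAB 0 0 10.0.0.5:22 10.0.0.9:51234 users:(("sshd",pid=900,fd=4))
`

// keyIdentity returns "type blob" for an authorized_keys line, skipping leading
// option fields. Limitation: options with spaces inside quotes are not handled.
func keyIdentity(line string) (string, bool) {
	f := strings.Fields(line)
	for i := 0; i+1 < len(f); i++ {
		if strings.HasPrefix(f[i], "ssh-") || strings.HasPrefix(f[i], "ecdsa-") || strings.HasPrefix(f[i], "sk-") {
			return f[i] + " " + f[i+1], true
		}
	}
	return "", false
}

// UnknownAuthorizedKeys returns every key line whose identity is not on the allowlist.
func UnknownAuthorizedKeys(content string, allowed map[string]bool) []string {
	var unknown []string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if id, ok := keyIdentity(line); !ok || !allowed[id] {
			unknown = append(unknown, line)
		}
	}
	return unknown
}

// chainPolicies maps "table/CHAIN" to its default policy in iptables-save output.
func chainPolicies(dump string) map[string]string {
	policies := map[string]string{}
	table := ""
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "*"):
			table = line[1:]
		case strings.HasPrefix(line, ":"):
			if f := strings.Fields(line[1:]); len(f) >= 2 && f[1] != "-" { // "-" marks user-defined chains
				policies[table+"/"+f[0]] = f[1]
			}
		}
	}
	return policies
}

// PolicyChangesToAccept lists built-in chains whose policy became ACCEPT since the baseline.
func PolicyChangesToAccept(baseline, current string) []string {
	before, after := chainPolicies(baseline), chainPolicies(current)
	var changed []string
	for chain, pol := range after {
		if pol == "ACCEPT" && before[chain] != "ACCEPT" {
			changed = append(changed, chain)
		}
	}
	sort.Strings(changed)
	return changed
}

// ConnectionsTo returns ss -ntp lines whose peer address:port equals the IOC.
func ConnectionsTo(ssOutput, peer string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(ssOutput))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 5 && f[4] == peer {
			hits = append(hits, sc.Text())
		}
	}
	return hits
}

func main() {
	fmt.Println("unknown keys:", UnknownAuthorizedKeys(sampleAuthorizedKeys, knownKeys))
	fmt.Println("policies now ACCEPT:", PolicyChangesToAccept(baselineIptables, currentIptables))
	fmt.Println("IOC connections:", ConnectionsTo(sampleSS, "154.84.63.184:443"))
}
```

On a real host, feed the functions the output of cat /home/*/.ssh/authorized_keys, iptables-save and ss -ntp. The baseline comparison matters more than the absolute policy value: many distributions ship with INPUT ACCEPT, so what indicates this script is a chain that moved to ACCEPT, not ACCEPT by itself.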

