A critical component of this attack is the "f0eee999" executable, which functions as a secondary malware loader and backdoor. It allows the threat actor to establish persistence on infected machines, operate silently in the background, and wait for further commands from a command-and-control (C2) server. The backdoor ensures that the attacker maintains remote access to compromised systems, making it a severe security threat. This discovery follows a prior supply chain attack disclosed by Researcher, which targeted the Go ecosystem with another malicious package designed to grant attackers remote access.

The repeated use of identical filenames, obfuscation techniques involving array-based string manipulation, and delayed execution strategies indicate a highly organized adversary intent on long-term persistence. Furthermore, the discovery of multiple malicious packages, along with fallback domains, points to an infrastructure designed for resilience, allowing the threat actor to quickly adapt when a domain or repository is blacklisted. This campaign underscores the growing threats to software supply chains, highlighting the need for heightened vigilance and proactive security measures within the developer community.

Impact

• Sensitive Data Theft
• Security Bypass
• Code Execution
• Privilege Escalation

Indicators of Compromise

IP

• 185.100.157.127

MD5

• b20b2688378e5abeebfad027f3d5088f

• 2cdb1f58b06fcfe8f6a96722b386d955

SHA-256

• b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4

• f70bc9a8e39eb36547717197efe88173c23c1b9c206d253f0e24a8aaadf0f915

SHA1

• 5c43bbe30b69e4349df1f54f35f7c96e71633236

• 93fd5bfb701aaeff324cd70091dad54b57f38767

URL

• http://185.100.157[.]127/storage/de373d0df/f0eee999

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Uninstall any of the identified malicious packages (hypert and layout variations) from your systems and projects.
• Verify your dependencies using go list -m all to detect any unauthorized or suspicious packages.
• Conduct a thorough review of your Go modules and dependencies for any signs of unauthorized changes or suspicious activity.
• Use tools like go mod verify and go mod tidy to check for unexpected modifications in your package dependencies.
• Inspect network logs for any connections to alturastreet[.]icu or other unknown remote servers.
• Block the domain alturastreet[.]icu and any associated IPs at the firewall and endpoint security levels.
• Search for the presence of the f0eee999 executable on infected systems.
• Look for unexpected scheduled tasks, startup entries, or other persistence mechanisms that might indicate a backdoor.
• Keep Go development environments, dependency management tools, and security software up to date.
• Apply the latest security patches to prevent exploitation of vulnerabilities.
• Use package integrity verification tools like go.sum to detect tampered dependencies.
• Prefer official and well-maintained repositories, and cross-check package authenticity before installation.
• Educate developers about typosquatting risks and the importance of verifying package sources before use.
• Implement strict policies to prevent the use of unverified third-party libraries in production environments.
• If an infection is detected, isolate affected systems and perform forensic analysis to assess the impact.
• Report any findings to security teams and relevant authorities to aid in further investigations.
• Restrict permissions to prevent unauthorized modifications to code repositories and dependency files.
• Enforce multi-factor authentication (MFA) for developer accounts and repository access.
• Set up automated monitoring for suspicious activity in code repositories and build pipelines.
• Subscribe to cybersecurity threat intelligence feeds to stay updated on emerging threats in the software supply chain.