www.securityweek.com 7/10/2026, 8:08:34 AM · external

Hackers flood GitHub with fake DNS tools to drop Windows spyware

Hackers flood GitHub with fake DNS tools to drop Windows spyware
CyberSIXT Evidence Panel
Primary Source socket.dev

OPERATION Muck and Load involves a threat actor creating 222 malicious GitHub repositories that deliver Windows malware. The Go module, disguised as a DNS scanning tool, initiates an infection chain that downloads various types of malware, including spyware and cryptominers, from multiple public sources to evade detection. The campaign has seen over 1,200 versions published, with approximately 700 classified as malicious.

The actor uses multiple public platforms to enhance operational resilience and employs obfuscation techniques to bypass script execution policies. Notably, these repositories not only serve as lures but also host confirmed malware files, impacting both novice and skilled developers.

View Primary Source Via www.securityweek.com

Article by CyberSIXT