
GitHub Hunt: An Android RAT Published 2 Hours Ago, a Go Backdoor Impersonating Google, and a Fake Anthropic Token

  • Writer: Patrick Duggan
  • Mar 6
  • 4 min read

Updated: Apr 25



We hunt GitHub every week. Today's sweep found a production-grade Android RAT uploaded hours ago, a Go supply chain attack deploying a Linux backdoor, and someone impersonating Anthropic to push a Solana scam token. All three are now indexed in our STIX feed.




## FasonRat — Full Android RAT, Live Now



**Repo**: `fahimahamedwork/FasonRat`

**Created**: March 6, 2026 (today)

**Size**: 28MB

**Language**: Java (Android) + Node.js (C2 server)


This is not a proof of concept. This is a complete, deployable Android Remote Access Trojan with a web-based command and control panel, an APK builder, and support for 500 concurrent infected devices.


## What It Does



The Android payload requests every dangerous permission on the device:


- **Camera**: Silent photo capture (front and back)

- **Microphone**: Silent audio recording

- **SMS**: Read and send messages

- **GPS**: Continuous location polling

- **Files**: Full storage access with 50MB exfiltration limit

- **Call logs**: Complete history

- **Contacts**: Full address book

- **Clipboard**: Continuous monitoring

- **Notifications**: Intercept all notifications

- **Apps**: List all installed applications

- **WiFi**: Network enumeration

- **Boot persistence**: Starts automatically on device restart

- **Battery bypass**: Requests exemption from battery optimization


## The C2 Server



The command and control panel runs on Node.js with Express and Socket.IO. Default port: **22533**. It features a web dashboard for managing infected devices, real-time communication via WebSocket, and a built-in APK builder that generates custom payloads with configurable C2 URLs.


The protocol uses hex-prefixed message keys:


> 0xCA (camera), 0xMI (microphone), 0xSM (SMS), 0xLO (location), 0xFI (files), 0xCL (calls), 0xCO (contacts), 0xWI (wifi), 0xNO (notifications), 0xCB (clipboard)
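The port and message keys above are the kind of signature a defender can match on. As an added example (not DugganUSA's tooling and not code from the FasonRat repository), the script below groups constructed JSON-lines flow records by source/destination pair and rates each pair on those two indicators; the log format and the Socket.IO-style `42[event, data]` payloads are assumptions.

```python
import json
import re

# Signatures from the FasonRat write-up above: the default C2 port and the
# hex-prefixed Socket.IO message keys the panel uses.
FASONRAT_C2_PORT = 22533
FASONRAT_KEYS = {"0xCA", "0xMI", "0xSM", "0xLO", "0xFI",
                 "0xCL", "0xCO", "0xWI", "0xNO", "0xCB"}
KEY_RE = re.compile(r"\b0x[A-Z]{2}\b")

# Constructed sample log (assumption: JSON lines with src, dst, dport and a
# decoded payload; the payloads mimic Socket.IO "42[event, data]" frames).
SAMPLE_LOG = """\
{"src": "10.0.0.23", "dst": "203.0.113.5", "dport": 22533, "payload": "42[\\"0xCA\\",{\\"cam\\":\\"front\\"}]"}
{"src": "10.0.0.23", "dst": "203.0.113.5", "dport": 22533, "payload": "42[\\"0xSM\\",{\\"count\\":12}]"}
{"src": "10.0.0.44", "dst": "198.51.100.9", "dport": 443, "payload": "GET /index.html HTTP/1.1"}
{"src": "10.0.0.51", "dst": "198.51.100.2", "dport": 8080, "payload": "42[\\"0xLO\\",{\\"lat\\":0,\\"lon\\":0}]"}
"""


def triage(log_text):
    """Group records by (src, dst); port or one key is MEDIUM, port plus key or two keys is HIGH."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        pair = (rec["src"], rec["dst"])
        entry = seen.setdefault(pair, {"port_hit": False, "keys": set()})
        if rec.get("dport") == FASONRAT_C2_PORT:
            entry["port_hit"] = True
        # Count only the documented keys, not any token that merely looks like 0x??.
        found = set(KEY_RE.findall(rec.get("payload", ""))) & FASONRAT_KEYS
        entry["keys"] |= found

    results = {}
    for pair, entry in seen.items():
        n_keys = len(entry["keys"])
        if (entry["port_hit"] and n_keys >= 1) or n_keys >= 2:
            severity = "HIGH"
        elif entry["port_hit"] or n_keys == 1:
            severity = "MEDIUM"
        else:
            continue
        results[pair] = {"severity": severity, "port_hit": entry["port_hit"],
                         "keys": sorted(entry["keys"])}
    return results
```

A lone hit on port 22533 or a single key is left at MEDIUM because either can occur on unrelated traffic; the combination is what earns HIGH.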


## The Author



`fahimahamedwork` — GitHub account created November 2024. Zero followers. Five repositories. The others include "SocialDownloader" (Kotlin, created March 3) and "instaimg." The pattern is social media tools alongside a RAT. The social downloader may serve as a lure — "download Instagram videos with this app" that also installs a backdoor.


Zero stars. Zero forks. We caught it fresh.




## Go Crypto Impersonation — Rekoobe Backdoor via Fake Google Library



Socket's Threat Research Team uncovered a supply chain attack targeting the Go ecosystem. A malicious module at `github.com/xinfeisoft/crypto` impersonates Google's widely trusted `golang.org/x/crypto` library.


The attack intercepts the `ReadPassword` method in `ssh/terminal/terminal.go` — silently capturing SSH passwords as users enter them. Credentials are stored locally, then exfiltrated to an attacker-controlled server. The module also fetches and executes a stager script from GitHub that:


- Modifies system configurations

- Establishes persistence

- Weakens security settings

- Downloads the **Rekoobe** Linux backdoor


Rekoobe is a known implant associated with Chinese threat actors. It provides persistent remote access to compromised Linux systems.


This is the exact attack the security industry has been warning about with AI-assisted development. A developer types "go get crypto" and autocomplete or a typo sends them to the wrong package. The code compiles. The tests pass. The backdoor is already running.
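One check that catches this class of lookalike before the build runs: compare every required module's last path element against a list of trusted modules and flag any whose host or owner differs. The script below is an added example, not Socket's or DugganUSA's tooling; the `go.mod` content is constructed and the trusted list beyond `golang.org/x/crypto` is an assumption.

```python
# Trusted modules that lookalikes imitate; the page's case is github.com/xinfeisoft/crypto
# posing as golang.org/x/crypto. The other entries are assumptions for illustration.
TRUSTED_MODULES = {
    "golang.org/x/crypto",
    "golang.org/x/net",
    "github.com/gorilla/mux",
}

# Constructed go.mod for a project that pulled in the lookalike module.
SAMPLE_GO_MOD = """\
module example.com/app

require (
\tgithub.com/xinfeisoft/crypto v0.1.0
\tgolang.org/x/net v0.25.0 // indirect
)
require github.com/gorilla/mux v1.8.1
"""


def parse_requires(go_mod):
    """Return [(module_path, version, indirect)] from single-line and block require directives."""
    deps, in_block = [], False
    for raw in go_mod.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as "// indirect"
        if line.startswith("require ("):
            in_block = True
        elif line == ")":
            in_block = False
        elif line and (in_block or line.startswith("require ")):
            path, version = line.split()[-2:]  # last two tokens are always path and version
            deps.append((path, version, "// indirect" in raw))
    return deps


def find_lookalikes(go_mod):
    """Flag modules whose final path element matches a trusted module but whose path differs."""
    hits = []
    for path, version, indirect in parse_requires(go_mod):
        name = path.rsplit("/", 1)[-1]
        twins = sorted(m for m in TRUSTED_MODULES if m.rsplit("/", 1)[-1] == name)
        if twins and path not in TRUSTED_MODULES:
            hits.append({"module": path, "version": version,
                         "indirect": indirect, "looks_like": twins})
    return hits
```

Run it as a pre-build or CI step over `go.mod`; a non-empty result is a reason to stop and read the module before compiling anything.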




## Fake Anthropic Token — Brand Impersonation for Crypto Scam





**Repo**: `anthropics-claude/clabs`


Description: "Claude Labs (CLABS) - Community token for AI agents & automation on Solana"


This is not Anthropic. This is not affiliated with Claude. This is a scam token using Anthropic's brand to lure buyers into a worthless Solana token.


The repo name `anthropics-claude` is designed to look official. It appears in GitHub search results alongside legitimate Anthropic repositories. Anyone searching for "Claude" or "Anthropic" on GitHub might land here and assume it's real.


We're flagging it because brand impersonation for crypto scams is a persistent supply chain trust problem, and because Anthropic is our partner. This one's personal.




## What We Indexed



All three findings are now in the DugganUSA STIX feed:


| IOC | Type | Severity |
|-----|------|----------|
| `fahimahamedwork/FasonRat` | GitHub repo | HIGH |
| Port 22533 | C2 default port | HIGH |
| `fahimahamedwork` | Threat actor | MEDIUM |
| 0xCA, 0xMI, 0xSM, 0xLO, 0xFI | C2 protocol signatures | HIGH |
| `github.com/xinfeisoft/crypto` | Malicious Go module | CRITICAL |
| `anthropics-claude/clabs` | Brand impersonation | MEDIUM |


10 IOCs indexed. Available to all 275+ STIX consumers in 46 countries.




## How We Hunt



GitHub's search API. Every week. We query for repositories created in the last 48-72 hours containing keywords associated with offensive tooling: RAT, stealer, backdoor, grabber, C2, reverse shell, keylogger. We filter by actual content — not just names — and inspect the code for real capability.


Most results are student projects and CTF tools. Some are legitimate security research. A few are live offensive infrastructure being staged in plain sight.


FasonRat is the third category. 28MB of production Android RAT with a web panel, APK builder, and boot persistence — uploaded to a public GitHub repository by an account with no followers and a suspiciously timed "social media downloader" companion app.


The hunt takes 20 minutes. The indexing takes 30 seconds. 275 organizations get the IOCs automatically.
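To make the sweep described above concrete, here is an added example (not DugganUSA's own hunting code) that builds the GitHub repository-search queries for the keyword and creation window, then scores each hit on the traits this post singles out: created in the last two days, no stars or forks, a sizeable codebase, a hunting keyword in the description. The sweep date, the score thresholds and the two sample hits are constructed.

```python
import re
from datetime import date, timedelta

# Keywords from the hunting description above; the scoring is an added illustration.
HUNT_KEYWORDS = ["RAT", "stealer", "backdoor", "grabber", "C2",
                 "reverse shell", "keylogger"]
TODAY = date(2026, 3, 6)  # constructed: the sweep date of this post


def build_search_queries(today=TODAY, window_days=3, keywords=HUNT_KEYWORDS):
    """One q= string per keyword for GET /search/repositories: repositories created
    inside the window whose name, description or README mention the keyword."""
    since = (today - timedelta(days=window_days)).isoformat()
    return [f'"{k}" in:name,description,readme created:>={since}'
            for k in keywords]


def triage_repo(repo, today=TODAY):
    """Score one search hit; 'inspect' means a human should read the code."""
    score, reasons = 0, []
    created = date.fromisoformat(repo["created_at"][:10])
    if (today - created).days <= 2:
        score += 2
        reasons.append("created within 48h")
    if repo["stargazers_count"] == 0 and repo["forks_count"] == 0:
        score += 1
        reasons.append("no stars or forks")
    if repo["size"] >= 5000:  # the API reports size in KB
        score += 2
        reasons.append("codebase over 5MB")
    desc = repo.get("description") or ""
    hits = [k for k in HUNT_KEYWORDS
            if re.search(rf"\b{re.escape(k)}\b", desc, re.IGNORECASE)]
    score += len(hits)
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    return {"repo": repo["full_name"], "score": score,
            "verdict": "inspect" if score >= 4 else "skip", "reasons": reasons}


# Constructed search hits modelled on the FasonRat listing and a typical student
# project (field names follow the GitHub search API response).
SAMPLE_HITS = [
    {"full_name": "example-user/FasonRat", "created_at": "2026-03-06T09:12:00Z",
     "stargazers_count": 0, "forks_count": 0, "size": 28672,
     "description": "Android RAT with web panel and APK builder"},
    {"full_name": "student/ctf-keylogger-demo", "created_at": "2026-03-05T10:00:00Z",
     "stargazers_count": 3, "forks_count": 1, "size": 120,
     "description": "Class assignment: a simple keylogger demo"},
]
```

The word-boundary match keeps "RAT" from firing on words like "generator"; the final call on any "inspect" result is still reading the code, as the post describes.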




**DugganUSA STIX Feed**: Free. 981,000+ IOCs. 46 countries. Updated every 30 minutes.


**https://analytics.dugganusa.com**


*DugganUSA LLC — we hunt so you don't have to.*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*


