Tag: golang

14 Attack Reports | 0 Vulnerabilities

Attack reports

From open-source to open threat: Tracking Chaos RAT’s evolution

Chaos RAT, an open-source remote administration tool written in Golang, has evolved since its first appearance in 2022. Recent variants have been identified in Linux and Windows attacks. The malware offers cross-platform compatibility and is being exploited by threat actors for malicious purposes. …
golang
cross-platform
2025-06-06
CVE-2024-30850
remote administration tool
CVE-2024-31839
chaos rat
Published: June 6, 2025
Downloadable IOCs: 23

Marbled Dust leverages zero-day in Output Messenger for regional espionage

A Türkiye-affiliated espionage threat actor, Marbled Dust, has been exploiting a zero-day vulnerability in Output Messenger since April 2024. The attacks target Kurdish military entities in Iraq, allowing the actor to deliver malicious files and exfiltrate data. The exploit involves a directory tra…
backdoor
espionage
zero-day
golang
data exfiltration
iraq
dns hijacking
CVE-2025-27920
CVE-2025-27921
2025-05-12
omserverservice.exe
omserverservice.vbs
omclientservice.exe
kurdistan
output messenger
2025-05-13
directory traversal
om.vbs
Published: May 13, 2025
Linked vulnerabilities : CVE-2025-27920 (CVSS 9.8), CVE-2025-27921 (CVSS 6.1)
Downloadable IOCs: 3

GhostSocks - Partner In Proxy

GhostSocks is a Golang-based SOCKS5 backconnect proxy malware first identified in October 2023. It is primarily deployed alongside the LummaC2 information stealer and offered as Malware-as-a-Service. GhostSocks uses a relay-based C2 implementation with HTTP API, allowing attackers to route traffic …
lummac2
malware-as-a-service
golang
c2 infrastructure
socks5
ghostsocks
2025-02-25
credential abuse
anti-fraud bypass
backconnect proxy
vdsina
Published: February 25, 2025
Downloadable IOCs: 17

Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighboring Nations

A new threat group dubbed Silent Lynx has been uncovered targeting entities in Kyrgyzstan and neighboring nations. The group, believed to be Kazakhstan-based, employs sophisticated multi-stage attack strategies using ISO files, C++ loaders, PowerShell scripts, and Golang implants. Their campaigns f…
apt
espionage
powershell
government
golang
telegram
central asia
2025-01-21
yorotrooper
gservice.exe
xerox_scan17510875802718752175.exe
kyrgyzstan
resocks
Published: January 21, 2025
Downloadable IOCs: 12

NotLockBit: A Deep Dive Into the New Ransomware Threat

NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gath…
ransomware
encryption
golang
cross-platform
data-exfiltration
2024-12-19
notlockbit
aws-abuse
self-deletion
Published: December 19, 2024
Downloadable IOCs: 5

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Elastic Security Labs has uncovered a new intrusion set targeting Chinese-speaking regions, dubbed REF3864. The threat group employs a custom loader called SADBRIDGE to deploy GOSAR, a Golang-based reimplementation of the QUASAR backdoor. The infection chain involves trojanized MSI installers masqu…
backdoor
keylogger
golang
quasar
2024-12-16
sadbridge
gosar
Published: December 16, 2024
Downloadable IOCs: 13

Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, affecting heating systems for over 600 apartment buildings. It is the first OT-centric malware to use Modbus TCP communications for such an impact. The malware can operate both within com…
ukraine
golang
critical infrastructure
2024-11-19
ot-malware
industrial control systems
bustleberm
modbus tcp
frostygoop
Published: November 19, 2024
Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2023-33538, CVE-2023-50358
Downloadable IOCs: 25

New threat targeting macOS discovered

Jamf Threat Labs uncovered malware samples linked to North Korea, built using Flutter, which provides inherent obfuscation. The malware, discovered in late October, includes Go, Python, and Flutter variants. The Flutter-built application presents a minesweeper game while making network requests to …
obfuscation
python
macos
golang
dprk
2024-11-13
applescript
stage-one-payload
flutter
Published: November 13, 2024
Downloadable IOCs: 0

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to …
ransomware
golang
aws
data-exfiltration
2024-10-17
lockbit-imitation
Published: October 17, 2024
Downloadable IOCs: 39

Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion

A new multiplatform backdoor named KTLVdoor, written in Golang with versions for Windows and Linux, has been discovered during monitoring of the Chinese-speaking threat actor Earth Lusca. This highly obfuscated malware impersonates system utilities and allows attackers to control infected systems, …
golang
2024-09-04
ktlvdoor
Published: September 4, 2024
Downloadable IOCs: 180

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cth…
cryptocurrency
stealer
macos
golang
atomic stealer
2024-08-23
maas
cthulhu stealer
Published: August 23, 2024
Downloadable IOCs: 9

Analysis of Golang Payload and Information Theft Campaign

The report details a recent cyber attack campaign attributed to the APT-C-09 (Mozambique) threat group, which has historically targeted Pakistan and surrounding nations. The campaign employed a novel Golang malware payload and Quasar RAT to gather sensitive information. The analysis covers the tech…
malware
apt
espionage
pakistan
exfiltration
golang
2024-07-30
quasar
client.exe
winver.exe
Published: July 30, 2024
Downloadable IOCs: 8

Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites, employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclea…
impersonation
wordpress
sliver
golang
2024-06-28
open-source
donut
virtual disk
Published: June 28, 2024
Downloadable IOCs: 18

DISGOMOJI Malware Used to Target Indian Government

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847
Published: June 18, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2022-0847
Downloadable IOCs: 149
Click here to see more Attack Reports