GobRAT
GobRAT is a Go-based Linux backdoor and router-focused RAT used to compromise edge devices and turn them into operational relay or anonymization infrastructure. Reporting describes it as a "swiss-army knife" backdoor with standard RAT functionality plus support for relaying attacks from compromised hosts, including DDoS activity, vulnerability exploitation campaigns, proxying/anonymization, reverse shell access, file operations, and system fingerprinting. It has been observed compiled for multiple architectures including x86-64, ARM, and MIPS, and primarily targets Linux routers and NAS devices, with Asus and Qnap specifically mentioned.
The malware has been documented by JPCERT/CC and later analyzed by Sekoia, which tracked infrastructure using GobRAT alongside the Bulbature implant to convert compromised edge devices into Operational Relay Boxes (ORBs). Sekoia assessed with high confidence that this infrastructure is operated by Chinese operators, citing code traces, language, and infrastructure usage. Separate reporting also notes a weak overlap between GobRAT-related infrastructure and activity clusters such as ViciousTrap, and states that GobRAT anonymization nodes are assessed to be used by Chinese state-sponsored threat groups. Cisco Talos further noted that IPs hosting a Bulbature-related TLS certificate were associated with malware including GobRAT, SuperShell, and Cobalt Strike, all on China/Hong Kong-hosted infrastructure.
GobRAT is used to gather intelligence from networks associated with compromised edge devices while also providing attackers with operational anonymity, since attacks are launched from victim systems instead of attacker-owned infrastructure. Sekoia reported a large ORB ecosystem involving GobRAT and Bulbature, with 63 servers identified, nearly 75,000 compromised hosts observed in July 2023 across 139 countries, and infections concentrated on edge devices globally, especially in the United States, Hong Kong, and Sweden. The operation used staging servers hosting Bash scripts and malware, persistence scripts, automated credential brute forcing, exploit campaigns against remote administration services, and web-based administration interfaces for managing compromised hosts, launching DDoS, brute-force, and exploitation campaigns, and creating on-demand proxy tunnels.
Detection content explicitly mentions YARA coverage for GobRAT, including a rule that identifies the backdoor by analyzing local addresses, MAC addresses, TCP communications, and telnet tasks. No standalone GobRAT hashes or domains are directly provided in the source content.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories.
GobRAT, which has already been documented by the JP-CERT, is a swiss-army knife backdoor written in Go which has standard RAT functionalities and is also used to relay specific attacks from the compromised devices such as DDoS or vulnerability exploitation campaigns. It seems to be used to gather intelligence from the networks associated with the compromised edge devices.
Groups observed using it
2 distinct threat actors attributed by public researchers.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Remote Access Trojan (RAT) associated with China-nexus infrastructure, referenced in context of shared C2 infrastructure.
Referenced as malware associated with China-nexus threat actors on IPs hosting the same certificate observed in Bulbature-related infrastructure.
GobRAT is a remote access trojan (RAT) and anonymization tool that infects hosts, allowing threat actors to use compromised systems as operational nodes for launching attacks, thereby masking their true infrastructure. It is assessed to be used exclusively by Chinese state-sponsored threat groups.
GobRAT is referenced only as infrastructure with weak overlap used in attribution analysis; the content does not describe its functionality further.