GoReShell
GoReShell is a Go-based backdoor/reverse shell malware cluster that includes the open-source reverse_ssh backdoor and custom variants such as GOREVERSE/Goreverse. Multiple reports describe it as a Windows backdoor; additional reporting indicates variants were also deployed on Linux systems. The malware repurposes functionality from the open-source reverse_ssh tool to establish reverse SSH connections to attacker-controlled endpoints, and some reporting describes GOREVERSE as also functioning as a reverse proxy server for post-exploitation access. Observed tradecraft includes the use of SSH keys and WebSocket-based C2 communication; samples have been noted as obfuscated with Garble and packed with UPX.

The malware has been deployed in targeted intrusions and exploitation campaigns linked to China-nexus activity, including PurpleHaze and UNC5174, with overlaps to APT15 in some reporting. It has been observed in attacks against a South Asian government entity and a leading European media organization, and in broader campaigns affecting the manufacturing, government, finance, telecommunications, and research sectors.

Delivery and use contexts cited in the reporting include exploitation of the Ivanti CSA vulnerabilities CVE-2024-8963 and CVE-2024-8190, SAP NetWeaver exploitation by UNC5174, and exploitation of GeoServer CVE-2024-36401 to deliver GOREVERSE. In the GeoServer cases, GOREVERSE was delivered via a script fetched from hxxp://181[.]214[.]58[.]14:61231/remote.sh and then connected to 181[.]214[.]58[.]14 on port 18201.

The malware has also been associated with ORB (Operational Relay Box) infrastructure operated from China, and with persistence and access-brokering activity alongside tools such as Snowlight, VShell, Neo-reGeorg, and suo5.
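The GeoServer delivery chain above gives two concrete network indicators (the remote.sh stager URL on port 61231 and the C2 endpoint on port 18201). The following is an added hunting example, not code from any vendor report, from Mallory, or from the malware itself: it refangs the indicators exactly as they are quoted in the reporting and matches them against proxy and endpoint network-connection log lines. The log lines, the internal source addresses (10.0.5.x), the hostnames, and the two log formats are constructed for illustration; only the IP, the URL, and the two port numbers come from the reporting.

```python
"""Refang the defanged GOREVERSE/GoReShell network IOCs and hunt for them
in log lines.  Added example; the log lines and internal hosts are constructed."""
import re

# IOCs copied verbatim from the (defanged) reporting.
DEFANGED_IOCS = {
    "stager_url": "hxxp://181[.]214[.]58[.]14:61231/remote.sh",
    "c2_ip": "181[.]214[.]58[.]14",
}
STAGER_PORT = 61231   # port of the remote.sh download in the reporting
C2_PORT = 18201       # port GOREVERSE connected back to in the reporting


def refang(ioc: str) -> str:
    """Undo common defanging so the IOC can be compared with live telemetry:
    hxxp -> http, [.] and (.) -> '.', [:] -> ':'."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


C2_IP = refang(DEFANGED_IOCS["c2_ip"])
STAGER_URL = refang(DEFANGED_IOCS["stager_url"])

# Two constructed log shapes: a web-proxy line and an endpoint connection event.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<url>\S+)"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def classify(line: str):
    """Return (severity, reason) if the line touches a GOREVERSE IOC, else None."""
    m = PROXY_RE.match(line)
    if m:
        url = m.group("url")
        if url == STAGER_URL:
            return ("high", "download of remote.sh stager from %s" % C2_IP)
        if C2_IP in url:
            return ("medium", "proxied request to known C2 IP %s" % C2_IP)
        return None
    m = CONN_RE.match(line)
    if m:
        dst, port = m.group("dst"), int(m.group("port"))
        if dst != C2_IP:
            return None
        if port == C2_PORT:
            return ("high", "outbound connection to GOREVERSE C2 %s:%d" % (dst, port))
        if port == STAGER_PORT:
            return ("high", "outbound connection to stager port %s:%d" % (dst, port))
        # Same infrastructure on an unreported port: still worth a look.
        return ("medium", "outbound connection to known C2 IP %s on port %d" % (dst, port))
    return None


def hunt(lines):
    """Scan log lines; return [(line_no, severity, reason), ...] for every hit."""
    hits = []
    for no, line in enumerate(lines, 1):
        result = classify(line.rstrip("\n"))
        if result is not None:
            hits.append((no, result[0], result[1]))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_LOGS = [
    "2024-10-02T03:14:07Z 10.0.5.21 GET http://181.214.58.14:61231/remote.sh",
    "2024-10-02T03:14:09Z host=geoserver01 proc=remote.sh dst=181.214.58.14:18201",
    "2024-10-02T03:15:00Z 10.0.5.22 GET http://example.com/index.html",
    "2024-10-02T03:16:00Z host=ws-17 proc=curl dst=181.214.58.14:443",
]

if __name__ == "__main__":
    for no, sev, reason in hunt(SAMPLE_LOGS):
        print("line %d [%s] %s" % (no, sev, reason))
```

The exact-URL match fires only on the stager path quoted in the reporting; the broader IP match on other ports is kept at a lower severity so that reuse of the same host for a different payload or port is surfaced without being presented as a confirmed GOREVERSE beacon.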
Vulnerabilities exploited
4 CVEs correlated by Mallory with this family across public research and vendor advisories.
"...drop a Go-based reverse shell dubbed GoReShell..." and "...deliver GOREVERSE, a variant of GoReShell."
"...they deployed publicly available backdoors that belong to the GOREVERSE family, which Mandiant has linked to UNC5174."
UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse.
Groups observed using it
3 distinct threat actors attributed by public researchers.
...employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell. The implant, written in the Go programming language, repurposes an open-source tool called reverse_ssh to set up reverse SSH connections...
Recent activity
17 sources tracked across advisories, community write-ups, and news.
GOREVERSE is backdoor malware that allows remote access to and control of compromised systems. It was distributed via exploitation of the GeoServer vulnerability.
GOREVERSE is a reverse shell tool used by attackers to maintain persistent remote access to compromised systems.
GOREVERSE is backdoor malware, a variant of GoReShell, used to maintain persistence and enable remote access on compromised systems. It is deployed after initial exploitation and lateral movement.
A family of publicly available backdoors used post-compromise; in this reporting it was deployed after initial access and is linked by Mandiant to UNC5174.