gs-netcat
gs-netcat is a remote shell and persistence tool from the Global Socket toolset that communicates over the Global Socket Relay Network (GSRN). It is described as the GSRN version of netcat: both peers connect outbound to the relay using a shared password, so an operator can reach a host that sits behind NAT or a firewall on an internal network without any inbound port being exposed. Across the provided reporting, it is used to provide persistent remote access or a reverse shell on compromised systems.
High-confidence observed use cases include deployment on compromised Linux servers, routers, NAS devices, and Windows systems. In Sygnia's reporting on Operation Highland, the China-nexus threat group Velvet Ant deployed a modified gs-netcat reverse shell on exposed servers, renamed the binary "auditdb", hid it in /usr/sbin/, and disguised the process as "[khubd]", the bracketed name of a legacy kernel USB hub thread. In that campaign, persistence on Linux hosts was maintained via systemd unit files on newer systems and SysVinit scripts on older systems. ASEC also reported gs-netcat being installed through a trojanized VPN installer used by the Larva-24010 threat actor targeting Korean VPN users; in that case it provided remote shell access over GSRN, and persistence on the Windows hosts was achieved through scheduled tasks. BI.ZONE separately reported attackers installing gs-netcat on compromised public-facing servers for persistence after web application compromise.
gs-netcat also appears as a component used by other malware ecosystems. QiAnXin XLab reported that the AryStinger botnet can establish persistent remote management channels by downloading and deploying gs-netcat, with the Standard NAS-targeting version doing so through a function named main_installGSocket, while the RTL819X router-focused version instead deploys Dropbear. The reporting associates gs-netcat with post-compromise persistence, remote administration, and access retention rather than initial infection. Infection vectors mentioned in the source material include compromise of internet-facing servers, exploitation of vulnerable routers and NAS devices, trojanized software installers, and public-facing web application compromise.
Associated threat actors or campaigns directly mentioned with gs-netcat in the content are Velvet Ant, AryStinger operators, Larva-24010, and unidentified actors compromising Russian organizations' public-facing web applications. Targeted environments mentioned include exposed Linux servers, outdated RTL819X-based routers, NAS devices, Korean VPN users' Windows systems, and public-facing servers in Russian organizations. Specific indicators directly tied to gs-netcat usage in the content are the renamed binary "auditdb", the path /usr/sbin/, and the process name "[khubd]", all from the Velvet Ant reporting.
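A hunt for the Velvet Ant process masquerade described above, added here as a worked example; it is not code from Sygnia's report or from the gs-netcat project. It relies on how Linux process listings work: ps and top print a name in square brackets only because the process has an empty /proc/<pid>/cmdline, which is true of kernel threads (all descendants of kthreadd, PID 2) and of zombies, neither of which has a resolvable /proc/<pid>/exe link. A userland binary that calls itself "[khubd]" by overwriting argv[0] still has a non-empty cmdline and a real executable behind it, so the check below flags it. The /usr/sbin/auditdb path is the indicator from the reporting; the process table in SAMPLE is constructed.

```python
"""Flag userland processes masquerading as Linux kernel threads.

Constructed example, not part of gs-netcat or of any cited report.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# argv[0] shaped like a kernel thread name, e.g. "[khubd]"
KERNEL_STYLE = re.compile(r"^\[[^\]]+\]$")
# known renamed gs-netcat path from the Velvet Ant reporting
WATCH_PATHS = ("/usr/sbin/auditdb",)


@dataclass
class Proc:
    pid: int
    ppid: int
    cmdline: str          # NUL-separated argv joined with spaces; "" for kernel threads
    exe: Optional[str]    # readlink(/proc/<pid>/exe); None when it cannot be resolved


def is_kernel_thread(p: Proc) -> bool:
    """Genuine kernel threads: no cmdline, no exe, and kthreadd (PID 2) or its children."""
    return p.cmdline == "" and p.exe is None and (p.pid == 2 or p.ppid == 2)


def masquerading(p: Proc) -> bool:
    """Userland process pretending to be a kernel thread."""
    if is_kernel_thread(p):
        return False
    if p.cmdline == "":
        # argv wiped but a real binary is still mapped (zombies have exe None too)
        return p.exe is not None
    return bool(KERNEL_STYLE.match(p.cmdline.split(" ")[0]))


def suspicious_exe(p: Proc, watch_paths=WATCH_PATHS) -> bool:
    """Executable path matches a known renamed gs-netcat binary."""
    return p.exe is not None and p.exe in watch_paths


def triage(procs: Iterable[Proc]) -> List[dict]:
    """Return one finding per process that trips at least one rule."""
    findings = []
    for p in procs:
        reasons = []
        if masquerading(p):
            reasons.append("kernel-thread-style name on a userland process")
        if suspicious_exe(p):
            reasons.append("exe matches known renamed gs-netcat path")
        if reasons:
            findings.append({"pid": p.pid, "exe": p.exe, "cmdline": p.cmdline, "reasons": reasons})
    return findings


def read_proc() -> List[Proc]:
    """Collect live records from /proc (Linux); PIDs that vanish mid-read are skipped."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read().rstrip(b"\0")
            cmdline = raw.replace(b"\0", b" ").decode(errors="replace")
            ppid = 0
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                        break
            try:
                exe = os.readlink(f"/proc/{pid}/exe")   # EACCES as non-root -> None
            except OSError:
                exe = None
        except OSError:
            continue
        procs.append(Proc(pid, ppid, cmdline, exe))
    return procs


# Constructed sample: kthreadd, a genuine [khubd], a benign daemon, and a masquerader.
SAMPLE = [
    Proc(pid=2, ppid=0, cmdline="", exe=None),
    Proc(pid=37, ppid=2, cmdline="", exe=None),
    Proc(pid=812, ppid=1, cmdline="/usr/sbin/sshd -D", exe="/usr/sbin/sshd"),
    Proc(pid=1337, ppid=1, cmdline="[khubd]", exe="/usr/sbin/auditdb"),
]

if __name__ == "__main__":
    source = read_proc() if os.path.isdir("/proc") else SAMPLE
    for hit in triage(source):
        print(hit)
```

The masquerade rule keys on cmdline rather than on the exe link, so it still works when run as an unprivileged user (where readlink on other users' /proc/<pid>/exe fails) or on a /proc mounted with hidepid for the processes you can see. A process that also rewrites its argv to empty would fall under the second branch, which then needs the exe link and therefore root.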
Groups observed using it
1 distinct threat actor attributed by public researchers.
On exposed servers, the group deployed a modified GS-Netcat reverse shell. They renamed the binary “auditdb” and hid it in /usr/sbin/.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (2 techniques)
Persistence (4 techniques)
Retain access after reboot... Use any of the start-up scripts, such as /etc/rc.local ... Alternatively and if you do not have root privileges then just append the following line to the user's ~/.profile file.
For persistence, the malware abused systemd unit files on newer hosts and SysVinit scripts on older ones.
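A scan of the persistence locations named above (systemd unit files, SysVinit scripts and /etc/rc.local, ~/.profile, and cron), added here as a worked example; it is not code from the gs-netcat project, Sygnia, ASEC or BI.ZONE. It flags a command either because its binary carries a known name (gs-netcat itself, or Velvet Ant's renamed auditdb) or because it looks like a gs-netcat server-side launch. That second heuristic, a -s or -k secret argument together with an option cluster containing -l, is an assumption drawn from gs-netcat's documented flags and will need tuning; the file contents in SAMPLE_FILES are constructed.

```python
"""Scan Linux persistence locations for gs-netcat style launchers.

Constructed example, not part of gs-netcat or of any cited report.
"""
import re
import shlex
from pathlib import Path
from typing import Dict, List

KNOWN_NAMES = {"gs-netcat", "auditdb"}                   # auditdb: Velvet Ant's renamed binary
LISTEN_CLUSTER = re.compile(r"^-[A-Za-z]*l[A-Za-z]*$")   # e.g. "-l" or "-liqD" (assumed heuristic)
WRAPPERS = {"nohup", "exec", "setsid", "sudo"}


def looks_like_gs_netcat(cmd: str) -> bool:
    """True for a known binary name, or for a -s/-k secret plus a server-mode -l cluster."""
    try:
        argv = shlex.split(cmd, comments=True)
    except ValueError:
        return False
    # drop wrappers and VAR=value prefixes so argv[0] is the real program
    while argv and (argv[0] in WRAPPERS or ("=" in argv[0] and not argv[0].startswith("/"))):
        argv.pop(0)
    if not argv:
        return False
    if Path(argv[0]).name in KNOWN_NAMES:
        return True
    has_secret = any(a in ("-s", "-k") for a in argv[1:])
    has_listen = any(LISTEN_CLUSTER.match(a) for a in argv[1:])
    return has_secret and has_listen


def extract_command(path: str, line: str) -> str:
    """Pull the executed command out of one line, according to the file type."""
    s = line.strip()
    if not s or s.startswith("#"):
        return ""
    if path.endswith(".service"):
        if not s.startswith("ExecStart="):
            return ""
        return s.split("=", 1)[1].lstrip("-@+!:")        # strip systemd prefix characters
    system_cron = path == "/etc/crontab" or path.startswith("/etc/cron.d/")
    if system_cron or path.startswith("/var/spool/cron/"):
        fields = (1 if s.startswith("@") else 5) + (1 if system_cron else 0)
        parts = s.split(None, fields)
        return parts[-1] if len(parts) == fields + 1 else ""
    return s                                             # rc.local, init.d scripts, ~/.profile


def scan(files: Dict[str, str]) -> List[dict]:
    """Return one hit per flagged line across all supplied files."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            cmd = extract_command(path, line)
            if cmd and looks_like_gs_netcat(cmd):
                hits.append({"path": path, "line": n, "command": cmd})
    return hits


def collect_live() -> Dict[str, str]:
    """Read the real files from disk (Linux); unreadable or missing ones are skipped."""
    candidates = [
        *Path("/etc/systemd/system").glob("*.service"), *Path("/etc/init.d").glob("*"),
        Path("/etc/rc.local"), Path("/etc/crontab"), *Path("/etc/cron.d").glob("*"),
        *Path("/var/spool/cron/crontabs").glob("*"),
        *Path("/home").glob("*/.profile"), Path("/root/.profile"),
    ]
    out = {}
    for p in candidates:
        try:
            out[str(p)] = p.read_text(errors="replace")
        except OSError:
            continue
    return out


# Constructed sample: one malicious unit, one benign unit, rc.local with a hidden
# launcher, a clean ~/.profile, and a root crontab mixing a @reboot launcher with certbot.
SAMPLE_FILES = {
    "/etc/systemd/system/auditdb.service":
        "[Unit]\nDescription=Audit DB\n[Service]\nExecStart=/usr/sbin/auditdb -s Secret -liqD\n",
    "/etc/systemd/system/ssh.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
    "/etc/rc.local":
        "#!/bin/sh\nnohup /opt/.cache/svc -k /opt/.cache/key -liqD >/dev/null 2>&1 &\nexit 0\n",
    "/home/dev/.profile":
        "# ~/.profile\nexport PATH=$HOME/bin:$PATH\n",
    "/var/spool/cron/crontabs/root":
        "@reboot /usr/sbin/auditdb -k /root/.k -liqD\n0 3 * * * /usr/bin/certbot renew -q\n",
}

if __name__ == "__main__":
    for hit in scan(collect_live() or SAMPLE_FILES):
        print(hit)
```

The name rule is the reliable one; the flag heuristic will also match other tools that take -s or -k with -l (netcat variants, for instance), so treat its hits as leads to verify against the binary, not as detections in their own right.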
Privilege Escalation (3 techniques)
Supported by the same start-up script evidence quoted under Persistence.
Stealth (1 technique)
Command and Control (4 techniques)
AryStinger supports multiple task types, including internal/external network scanning, traffic tunnel forwarding/proxying... TUNNEL (Tunnel Penetration) Provides tunnel functionality, used to proxy or forward network traffic.
Uses the Global Socket Relay Network to connect TCP pipes... Once connected the library then negotiates a secure TLS connection (End-2-End).
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A modified reverse shell used on exposed servers for covert access and persistence, disguised with deceptive filenames and process names to evade detection.
gs-netcat is deployed by the AryStinger Standard variant to create a persistent remote management channel on infected NAS devices.
gs-netcat is a remote shell tool that leverages the Global Socket Relay Network for communication, allowing attackers to access infected systems even behind NAT or firewalls. It is installed for persistent remote access and command execution.
A netcat-like tool used to maintain persistent remote access to compromised servers.