Mallory: Malware, used by 1 actor

OSSTUN

OSSTUN is a command-and-control (C2) framework that Google Threat Intelligence Group observed being developed by the China-linked state-sponsored threat actor RedGolf, also known as APT41. The reporting places OSSTUN at AIM3 Level 2 (Adopting), indicating AI-assisted development rather than autonomous malware behavior. Google reported that APT41 used Gemini for code assistance while enhancing the OSSTUN C2 framework, including the use of obfuscation libraries to increase malware sophistication. Separate reporting cited here also states that APT41 used Gemini for help with code obfuscation and with developing C++ and Golang code for multiple tools, including OSSTUN. No specific infection vector, victimology, industries, platforms, or indicators of compromise are provided in the cited reporting.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
APT41

China's APT41 leveraged Gemini for code assistance, enhancing its OSSTUN C2 framework and utilizing obfuscation libraries to increase malware sophistication.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Stealth

1 technique
T1027 Obfuscated Files or Information (evidence: 2)

"request specific VBScript obfuscation and evasion techniques"; "obfuscated version"; "expert VB Script obfuscator"
