GO Simple Tunnel
GOST (GO Simple Tunnel) is a network tunneling and proxy utility used to forward traffic across networks and enable pivoting, reverse proxying, and command-and-control tunneling. Public reporting shows it being used by multiple threat actors and operations as a post-compromise access and lateral-movement enabler rather than as a bespoke malware family.

In a Blackpoint SOC investigation of an MSP intrusion, the threat actor deployed GOST in downstream customer environments after abusing NinjaOne access. It was installed as malicious Windows services via sc.exe create, masquerading as legitimate components and pointing to a fake svchost.exe under C:\Windows\System32*\svchost.exe. Those services established a local SOCKS listener and a reverse TCP relay for durable pivoting. Blackpoint also reported actor-linked exposed Apache directories containing staged GOST executables. Related IOCs from that case included temp[.]sh, IPs 149.28.244[.]152, 45.76.233[.]211, 149.28.253[.]247, 216.128.134[.]133, 45.63.39[.]209, 194.87.125[.]253, 142.248.80[.]106, and 104.238.29[.]81, and a fake svchost.exe SHA-256 of 32ade1df0b89c5922fbb8a1e11a581e887d95db184fe51e02c68c02c2cb63efa.

Reporting also states that during Operation MidnightEclipse, threat actors used the GO Simple Tunnel reverse proxy tool, and that Ember Bear used socket-based tunneling utilities such as NetCat and GOST for command and control. Unit 42 reporting on the Shadow Campaigns attributed to TGR-STA-1030/UNC6619 describes GOST as one of the tunneling tools used alongside FRPS and IOX in a large cyberespionage campaign targeting at least 70 government and critical infrastructure organizations across 37 countries, with victims spanning ministries of finance, law enforcement, border control, energy, telecommunications, mining, trade, and national parliaments.
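A defender-side check for the service-install pattern described above, added here as an example and not code from Blackpoint, Mallory or the GOST project: it scans constructed event records shaped like Windows Event 7045 (service installed) and sc.exe process-creation events, and flags any service whose binary is an svchost.exe living outside System32 or SysWOW64. The event field names, service names and listener arguments are assumptions made up for the sample.

```python
import ntpath
import re

# Directories where a genuine svchost.exe lives on a 64-bit Windows host.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records: two Event 7045 service installs and one
# process-creation event for sc.exe. Paths, service names and the
# listener arguments are illustrative, not IOCs from any report.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "WinHealthSvc",
     "image_path": r"C:\Windows\System32\Tasks\svchost.exe -L socks5://127.0.0.1:1080"},
    {"event_id": 7045, "service_name": "Dnscache",
     "image_path": r"C:\Windows\system32\svchost.exe -k NetworkService -p"},
    {"event_id": 1, "image": r"C:\Windows\System32\sc.exe",
     "command_line": r'sc.exe create UpdateSvc binPath= "C:\ProgramData\svchost.exe -L rtcp://:0/127.0.0.1:445" start= auto'},
]

# Program path at the start of an ImagePath/binPath value, quoted or not,
# up to and including the first ".exe" (so trailing arguments are dropped).
EXE_RE = re.compile(r'^"?([^"]*?\.exe)\b', re.IGNORECASE)
BINPATH_RE = re.compile(r'binPath=\s*("[^"]*"|\S+)', re.IGNORECASE)

def executable_from(cmd: str) -> str:
    """Return the executable path from a service ImagePath or binPath value."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.strip('"').split()[0] if cmd else ""

def is_rogue_svchost(path: str) -> bool:
    """True when the binary is named svchost.exe but sits outside a legitimate dir."""
    directory, name = ntpath.split(path)
    return name.lower() == "svchost.exe" and directory.lower().rstrip("\\") not in LEGIT_SVCHOST_DIRS

def find_rogue_services(events):
    """Flag service installs and sc.exe create commands whose binary is a
    misplaced svchost.exe. Returns a list of (service_name, exe_path) tuples."""
    hits = []
    for ev in events:
        if ev.get("event_id") == 7045:
            exe = executable_from(ev["image_path"])
            if is_rogue_svchost(exe):
                hits.append((ev["service_name"], exe))
        elif ev.get("event_id") == 1 and ntpath.basename(ev.get("image", "")).lower() == "sc.exe":
            parts = ev.get("command_line", "").split()
            lowered = [p.lower() for p in parts]
            m = BINPATH_RE.search(ev.get("command_line", ""))
            if m and "create" in lowered:
                exe = executable_from(m.group(1))
                if is_rogue_svchost(exe):
                    idx = lowered.index("create")  # service name follows "create" in sc.exe syntax
                    hits.append((parts[idx + 1] if idx + 1 < len(parts) else "?", exe))
    return hits
```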
Groups observed using it
Ember Bear uses socket-based tunneling utilities for command and control purposes such as NetCat and Go Simple Tunnel (GOST).
"...network tunneling tools such as GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX."
Recent activity
A network tunneling and proxy utility used as a follow-on tunneling layer in downstream customer environments. It was installed as malicious services masquerading as legitimate Windows components to provide SOCKS listening, reverse TCP relay, sustained access, and pivoting.
Network tunneling utility used to create encrypted/forwarded channels for C2, pivoting, and lateral movement.
Network tunneling/proxy tool used for traffic forwarding and pivoting within victim environments.
Tunneling tool used to relay traffic across C2 infrastructure and compromised networks.