Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
During the attack, the main malware, dubbed GoSerpent, received an encrypted argument and started communication with a remote server. It was also used to deploy further malicious tools for sensitive data collection and credential dumping on the system.
9 distinct techniques documented for this family, organized by ATT&CK tactic.
The backdoor connects to command-and-control servers using ChaCha20 encryption for communications... Communications are transported over TCP, HTTP, or WebSocket channels with protection using AES-256-GCM or TLS encryption.
GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts... Stowaway... enabling attackers to establish chained proxy paths across multiple hosts with the following functionalities: SOCKS5 proxying port forwarding reverse tunneling
GoSerpent can establish SOCKS5 proxy servers to route traffic through compromised hosts, enabling attackers to access other networks while masking their true IP addresses.
The backdoor connects to command-and-control servers using ChaCha20 encryption for communications... Communications are transported over TCP...
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Go-based remote access trojan/backdoor with proxy capabilities that communicates with C2 using ChaCha20-encrypted traffic, accepts encrypted command-line arguments, supports remote shell, file transfer, port forwarding, and SOCKS5 proxying, and deploys follow-on tools for collection and credential dumping.
Go-based backdoor/RAT with proxy capabilities that receives encrypted command-line arguments, communicates with C2 using ChaCha20, supports remote shell, file upload/download, port forwarding, and SOCKS5 proxying, and is used to deploy follow-on tools for file collection and credential dumping.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.