{
	"id": "61483b21-b355-4e0e-ad08-095d54390a43",
	"created_at": "2026-04-06T00:19:36.610546Z",
	"updated_at": "2026-04-10T13:11:35.860697Z",
	"deleted_at": null,
	"sha1_hash": "052ad94014422704380d7b81048584fdd9f3088f",
	"title": "New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1934126,
	"plain_text": "New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS\r\nBy Sergiu Gatlan\r\nPublished: 2019-07-03 · Archived: 2026-04-05 13:16:05 UTC\r\nA Lua-based backdoor capable of targeting both Linux and Windows users while securing its communication channels via DNS over HTTPS (DoH) was discovered by researchers at the Network Security Research Lab of Qihoo 360.\r\nBy using DoH to encapsulate the communication between the infected machines and the attacker-controlled command-and-control servers within HTTPS requests, the malware, dubbed Godlua, prevents researchers from analyzing its traffic.\r\nGodlua's main function seems to be that of a DDoS bot, and it has already been seen in action when its operators launched an HTTP flood attack against the liuxiaobei[.]com domain, as observed by the Qihoo 360 researchers.\r\nhttps://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/\r\nPage 1 of 4\r\nSo far, two samples of the Godlua backdoor have been found: one targets only Linux boxes (version 201811051556), while the other is also able to infect Windows computers, has more built-in commands, and supports more CPU architectures (version 20190415103713 ~ 2019062117473).\r\nGodlua versions\r\nWhile Godlua version 201811051556 is no longer being updated, the second sample is actively being updated by its developers, which might explain its extra features and multi-platform support.\r\nThe version that focuses only on the Linux platform can receive only two types of instructions from its command and control (C2) server, allowing the attackers to run custom files and to execute Linux commands.\r\nThe second variant comes with support for five C2 commands and it \"downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack.\"\r\nEven though a number of Linux machines were found to have been infected with the Godlua backdoor using a Confluence exploit for CVE-2019-3396, the Qihoo 360 researchers are still looking for additional infection vectors.\r\nDNS over HTTPS used to secure C2 traffic\r\nAlthough quite new, the DoH protocol has been a proposed standard since October 2018 and is already supported by quite a long list of publicly available DNS servers, as well as web browsers such as Google Chrome and Mozilla Firefox.\r\nDoH increases the privacy of DNS queries by enveloping them within HTTPS communication channels, which effectively blocks both eavesdropping and DNS data manipulation by third parties between the client and the DNS server.\r\nDNS over HTTPS Request\r\nBy abusing the DoH protocol, the Godlua malware hides from prying eyes the URLs of the C2 servers used during the later stages of the infection process, URLs that it retrieves from the DNS TXT record of a domain it collects during the first stage.\r\nAccording to Cisco Talos threat researcher Nick Biasini, Godlua is the first observed malware that makes use of the DNS over HTTPS protocol to conceal part of its C2 infrastructure from analysts and anti-malware analysis tools.\r\nMore details on how this malware communicates with its C2 infrastructure, as well as indicators of compromise (IOCs), are provided by the Qihoo 360 research team in their Godlua backdoor analysis.\r\nSource: https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/"
	],
	"report_names": [
		"new-godlua-malware-evades-traffic-monitoring-via-dns-over-https"
	],
	"threat_actors": [],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/052ad94014422704380d7b81048584fdd9f3088f.pdf",
		"text": "https://archive.orkl.eu/052ad94014422704380d7b81048584fdd9f3088f.txt",
		"img": "https://archive.orkl.eu/052ad94014422704380d7b81048584fdd9f3088f.jpg"
	}
}