{
	"id": "f8714c80-07ee-4742-a612-52d1005ca871",
	"created_at": "2026-04-06T00:15:04.076115Z",
	"updated_at": "2026-04-10T13:12:54.952967Z",
	"deleted_at": null,
	"sha1_hash": "08765de0f0af887a24b555efd1d9fa99ce818f01",
	"title": "Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and GitHub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12080918,
	"plain_text": "Good Game, Gone Bad: Xeno RAT Spread Via .gg Domains and\r\nGitHub\r\nPublished: 2024-06-25 · Archived: 2026-04-05 17:33:38 UTC\r\nTABLE OF CONTENTS\r\nIntroductionXeno RAT in the WildA Closer Look at Xeno RAT Network TrafficDiscovery of Xeno RAT C2s on\r\n.gg DomainsExamplesThe GitHub RepoPotential Impacts on the Gaming CommunityConclusion\r\nIntroduction\r\nXenoRAT, an open-source malware available on GitHub, has been linked to a North Korean hacking group and\r\nunnamed threat actors preying on the gaming community. Recently, Hunt’s Research Team discovered the remote\r\naccess tool (RAT) spreading through .gg domains, a term synonymous with “good game” in esports, and a GitHub\r\nrepository portraying its software as scripting engine tools for the popular game Roblox.\r\nIn this post, we’ll explore the specific .gg domains hosting Xeno RAT, the GitHub account, and a possibly linked\r\nYouTube account and provide insight into how this emerging threat targets gamers and developers.\r\nXeno RAT in the Wild\r\nMost recently, AhnLab’s ASEC reported on a likely North Korea-linked group using Dropbox to deliver Xeno\r\nRAT to victim networks. In late April, a third-party researcher on X posted on an open directory likely\r\nadministered by the Kimsuky threat group, hosting a copy of the tool in a folder titled “/rat.”\r\nThe tools GitHub page boasts several advanced features, including HVNC, real-time audio surveillance, and a\r\nSOCKS5 reverse proxy. 
The README, detailing these capabilities, is pictured below in Figure 1.\r\nhttps://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github\r\nPage 1 of 12\n\nFigure 1: Screenshot of Xeno RAT README\r\nA Closer Look at Xeno RAT Network Traffic\r\nCommunication between the controller and Xeno RAT clients occurs over TCP sockets, as illustrated in Figure 2.\r\nThe initial exchange follows a recognizable pattern, which can help identify malicious activity.\r\nAdditionally, C2 servers respond to requests in the same pattern as the one seen below. For an in-depth talk on\r\ndetecting malware infrastructure according to controller responses, we recommend Greg Lesnewich's LABScon23\r\ntalk.\r\nhttps://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github\r\nPage 2 of 12\n\nFigure 2: Xeno RAT Client -\u003e Controller Communication (Source Hatching Triage)\r\nIf you're in need of robust network IDS rules (Suricata/Snort) to detect these servers, check out @Jane0sint’s\r\ncontributions on the Emerging Threats website.\r\nDiscovery of Xeno RAT C2s on .gg Domains\r\nXeno RAT infrastructure hosted on .gg domains spotlights a troubling trend in malware distribution as the top-level domain (TLD) is popular in the esports community and is now being exploited to spread malware.\r\nThis section will provide an overview of controller domains and the associated clients.\r\nExamples\r\nThe following section provides a detailed list of identified .gg domains hosting XenoRAT controllers, the\r\nresolving IP addresses, and the sandbox analysis results.\r\nDomain people-weekend.gl.at.ply_gg:5719\r\nIP 147.185.221_20\r\nFilename Client.exe\r\nhttps://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github\r\nPage 3 of 12\n\nSHA1 38ce2a41d59a1bf0f3332fb867f43794c39577af\r\nTriage Link Link\r\nDomain anyone-blogging.gl.at.ply_gg:22284\r\nIP 147.185.221_20\r\nFilename SynapseX.revamaped.V1.2.rar\r\nSHA1 
2051551c6c0f18eaf3c4cf45ffe6119e582c19ae\r\nTriage Link Link\r\nDomain performance-ha.gl.at.ply_gg:33365\r\nIP 147.185.221_19\r\nFilename 4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe\r\nSHA1 af68a0b9e9c58dcbdd2ede205c30537bca39650c\r\nTriage Link Link\r\nDomain character-acquisitions.gl.at.ply_gg:5050\r\nIP 147.185.221_17\r\nFilename a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39.exe\r\nSHA1 029f3396c39f543dd984031eb82edcc035ed0a25\r\nTriage Link Link\r\nDomain related-directed.gl.at.ply_gg:3403\r\nIP 147.185.221_20\r\nFilename testingrat.exe\r\nSHA1 e9251ef1dd3ebe4f17acf0b3552e22751009c8c1\r\nTriage Link Link\r\nDomain david-login.gl.at.ply_gg:54479\r\nIP 147.185.221_19\r\nhttps://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github\r\nPage 4 of 12\n\nFilename WavePreTest.rar\r\nSHA1 5e7138c7ee8a1de9d041804fd11ac0ba63cb1f34\r\nTriage Link Link\r\nDomain taking-headquarters.gl.at.ply_gg:3069\r\nIP 147.185.221_20\r\nFilename xeno.exe\r\nSHA1 707c68257c2ea97fa4591f58be326e1308fd1106\r\nTriage Link Link\r\nEach domain was hosted on one of three shared IP addresses belonging to the Developed Methods LLC ASN\r\nin the U.S. Notably, IP 147.185.221_19 also served as controller infrastructure for DcRAT and VenomRAT, as\r\nseen in Figure 3. Additionally, this same IP hosted a C2 server for Redline Stealer just last month.\r\nFigure 3: Historical Certificate Data in Hunt for 147.185.221_19\r\nhttps://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github\r\nPage 5 of 12\n\nThe GitHub Repo\r\nDuring our analysis, one file name stood out among those communicating with the .gg domains:\r\nSynapseX.revamped.V1.2.rar. This file led us to a GitHub repository (Figure 4) under an account claiming to\r\nown Synapse X Revamp, a scripting engine for Roblox. 
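Before following the repository lead, the domain, IP and hash rows in the Examples section above are worth turning into a structured indicator set, since the by-IP pivot the post makes by hand is the first thing a defender will want to repeat. The Python below is an added example written for this edit, not code from Hunt or from the original post. The rows are copied from the tables above in their defanged form (the post swaps the final dot of a hostname or IP for an underscore), the Quasar sample from the repository section is included so the two tunnel providers sit side by side, and the SHA1 values are validated before use. Mapping the ply.gg zone to the playit.gg tunneling service is this example's own identification; the post only names the Developed Methods LLC ASN and, for portmap.host, the portmap.io service.

```python
import re
from collections import defaultdict

# IOC rows copied from the tables in this post, still in the defanged form the
# post uses (the final dot of a hostname or IP is replaced by an underscore).
# Columns: family, defanged controller host[:port], defanged IP, filename, SHA1.
DEFANGED_IOCS = [
    ('XenoRAT', 'people-weekend.gl.at.ply_gg:5719', '147.185.221_20',
     'Client.exe', '38ce2a41d59a1bf0f3332fb867f43794c39577af'),
    ('XenoRAT', 'anyone-blogging.gl.at.ply_gg:22284', '147.185.221_20',
     'SynapseX.revamaped.V1.2.rar', '2051551c6c0f18eaf3c4cf45ffe6119e582c19ae'),
    ('XenoRAT', 'performance-ha.gl.at.ply_gg:33365', '147.185.221_19',
     '4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe',
     'af68a0b9e9c58dcbdd2ede205c30537bca39650c'),
    ('XenoRAT', 'character-acquisitions.gl.at.ply_gg:5050', '147.185.221_17',
     'a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39.exe',
     '029f3396c39f543dd984031eb82edcc035ed0a25'),
    ('XenoRAT', 'related-directed.gl.at.ply_gg:3403', '147.185.221_20',
     'testingrat.exe', 'e9251ef1dd3ebe4f17acf0b3552e22751009c8c1'),
    ('XenoRAT', 'david-login.gl.at.ply_gg:54479', '147.185.221_19',
     'WavePreTest.rar', '5e7138c7ee8a1de9d041804fd11ac0ba63cb1f34'),
    ('XenoRAT', 'taking-headquarters.gl.at.ply_gg:3069', '147.185.221_20',
     'xeno.exe', '707c68257c2ea97fa4591f58be326e1308fd1106'),
    # Sample from the GitHub repository: the post lists this host already
    # refanged and without a port, so the parser must cope with both forms.
    ('XenoRAT', 'anyone-blogging.gl.at.ply.gg', '147.185.221_20',
     'Synapse X Launcher.exe.exe', '7c7408870da2fe079aa460fe0d237e12e19cb7cb'),
    ('QuasarRAT', 'skbidiooiilet-31205.portmap_host:31205', '193.161.193_99',
     'Synapse X Launcher.exe', '33ac2b2d228a1ec93b0ea70ffadb436933b9a1e5'),
]

# Tunnel / port-forwarding zones the controllers sit behind. The post names
# portmap.io for portmap.host; identifying ply.gg as the playit.gg tunnel
# service is an assumption of this example, not a statement from the post.
TUNNEL_ZONES = {'gl.at.ply.gg': 'playit.gg', 'portmap.host': 'portmap.io'}

SHA1_RE = re.compile('[0-9a-f]{40}')


def refang(value):
    '''Undo the defanging used in the post: the last underscore in the host or
    IP part becomes a dot again. A value with no underscore is returned as-is,
    so already-refanged rows and a trailing :port are handled uniformly.'''
    host, sep, port = value.partition(':')
    head, underscore, tail = host.rpartition('_')
    if underscore:
        host = head + '.' + tail
    return host + sep + port


def parse_row(family, host_port, ip, filename, sha1):
    '''Turn one defanged table row into a structured, validated record.'''
    host, _, port = refang(host_port).partition(':')
    sha1 = sha1.lower()
    if not SHA1_RE.fullmatch(sha1):
        raise ValueError('not a SHA1: ' + sha1)
    zone = next((z for z in TUNNEL_ZONES if host.endswith('.' + z)), None)
    return {
        'family': family,
        'host': host,
        'port': int(port) if port else None,
        'ip': refang(ip),
        'filename': filename,
        'sha1': sha1,
        'tunnel_provider': TUNNEL_ZONES.get(zone),
    }


def load_iocs(rows=DEFANGED_IOCS):
    return [parse_row(*row) for row in rows]


def pivot_by_ip(records):
    '''The pivot the post makes by hand: which controller hostnames resolved
    to each IP. Returns {ip: sorted unique hostnames}.'''
    groups = defaultdict(set)
    for r in records:
        groups[r['ip']].add(r['host'])
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def shared_ips(records):
    '''IPs fronting more than one controller hostname. These are tunnel exit
    addresses shared with unrelated tunnels (the post saw DcRAT, VenomRAT and
    Redline on 147.185.221.19), so they are weak indicators on their own.'''
    return sorted(ip for ip, hosts in pivot_by_ip(records).items() if len(hosts) > 1)


def network_indicators(records):
    '''Indicators worth alerting on in DNS and connection logs: the tunnel
    hostname, with its port where the post recorded one.'''
    seen = set()
    for r in records:
        seen.add(r['host'] if r['port'] is None else r['host'] + ':' + str(r['port']))
    return sorted(seen)


if __name__ == '__main__':
    recs = load_iocs()
    for ip, hosts in sorted(pivot_by_ip(recs).items()):
        print(ip, len(hosts), 'controller hostnames:', ', '.join(hosts))
    print('shared tunnel IPs:', ', '.join(shared_ips(recs)))
```

The split between pivot_by_ip and network_indicators is the point of the exercise: the three 147.185.221.x addresses are useful for hunting and for pivoting to other families, but because every controller here is reached through a shared tunnel exit, a block or alert on the bare IP would also fire on unrelated tunnels, whereas the per-victim hostname and port pair is specific to the operator who created it.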
The account hosts 10 repositories, most disguised as gaming-related executors and named loader.exe.\r\nFigure 4: GitHub repository containing malicious files, including Xeno RAT.\r\nWhen extracted, the .rar file mentioned above contains two executables: Synapse X Launcher.exe.exe and Synapse X Launcher.exe. The first is identified as XenoRAT, while the second is detected as Quasar, a well-known malware family also written in .NET. Sandbox results for both files are displayed below.\r\nFigure 5: Sandbox Analysis of Synapse X File\r\nThe C2 server for Quasar uses portmap.io, a free port forwarding service. Interestingly, if you are a fan of animated YouTube series or have young children, you might recognize that the domain name resembles Skibidi Toilet, a popular machinima series featuring videos and shorts.\r\nDetails for the Xeno RAT sample:\r\nDomain: anyone-blogging.gl.at.ply.gg | IP: 147.185.221_20 | Filename: Synapse X Launcher.exe.exe | SHA1: 7c7408870da2fe079aa460fe0d237e12e19cb7cb | Triage: link\r\nFigure 6: Quasar RAT Sandbox Analysis and Config\r\nDetails for the Quasar sample:\r\nDomain: skbidiooiilet-31205.portmap_host:31205 | IP: 193.161.193_99 | ASN: OOO GETWIFI | Filename: Synapse X Launcher.exe | SHA1: 33ac2b2d228a1ec93b0ea70ffadb436933b9a1e5 | Triage: link\r\nHunt researchers weren't the first to uncover this repository's malicious nature. Two weeks ago, a GitHub user named ByfronTechnologies submitted an issue, complete with screenshots from Hatching Triage, indicating that the file in the XMainDab folder was detected as XWorm malware. 
Figure 7 includes a screenshot of the comment and the analysis images.\r\nFigure 7: GitHub Issue Identifying Loader.exe as XWorm Malware\r\nBy pivoting on the file and folder names in the repository, we discovered what appears to be the YouTube channel associated with this threat actor. The account, named P-Denny Gaming (Figure 8), features several videos related to Roblox. The video titles use names similar to those found in the GitHub account, further linking the two.\r\nFigure 8: Screenshot of YouTube Account Associated with Xeno RAT \u0026 Quasar Distribution\r\nFigure 9 shows a screenshot from one of the videos instructing users to disable Windows Defender before installing the Synapse X RAR file. Notably, the screenshot reveals that the user's Windows desktop uses the Swedish language and includes a browser bookmark labeled 'Roblox Stealer,' providing additional context about the actor's intent.\r\nFigure 9: Screenshot of YouTube Video Instructing Users to Install Synapse X File\r\nIn the same video, several comments vouched for the legitimacy of the files, dismissing warnings from other users who had correctly identified the software as malicious.\r\nFigure 10: Comments on the video supporting the video uploader and the legitimacy of the files\r\nPotential Impacts on the Gaming Community\r\nThe presence of XenoRAT and other malware on .gg domains and GitHub poses significant risks to the gaming community. 
Gamers and developers are particularly vulnerable to these threats because the malicious software is blended seamlessly into legitimate-looking tools and resources.\r\nMalicious software like that described above can lead to the theft of personal information, in-game assets, and financial data, severely impacting users' digital lives. Furthermore, using open-source platforms like GitHub to distribute malware disguised as game scripts or executors increases the likelihood of widespread infection.\r\nNote: Hunt is actively scanning for XenoRAT infrastructure on its default port, 4444, although none of the controllers listed above used that port. Our detection methods for these servers have proven effective; we plan to expand our monitoring to include all ports, ensuring comprehensive coverage in identifying and tracking C2 servers. Stay tuned for updates on our progress.\r\nFigure 11: Xeno RAT Detections in Hunt\r\nConclusion\r\nHunt has identified several Xeno RAT samples distributed via .gg domains and a GitHub account. Both pieces of malicious software pose a significant threat to the gaming community.\r\nUsers must remain vigilant and exercise caution when downloading and installing software, regardless of the platform. A healthy dose of caution can help mitigate the risks associated with these threats, ensuring a safe online gaming environment.\r\nContact us for a demo today, and join a community committed to seeking out and exposing malicious infrastructure wherever it may rear its ugly head.\r\nSource: https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github"
	],
	"report_names": [
		"good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08765de0f0af887a24b555efd1d9fa99ce818f01.pdf",
		"text": "https://archive.orkl.eu/08765de0f0af887a24b555efd1d9fa99ce818f01.txt",
		"img": "https://archive.orkl.eu/08765de0f0af887a24b555efd1d9fa99ce818f01.jpg"
	}
}