{
	"id": "06fe9a7a-f9b1-4fb6-806f-4cb5c0af6c18",
	"created_at": "2026-04-06T00:21:33.315381Z",
	"updated_at": "2026-04-10T03:30:57.865593Z",
	"deleted_at": null,
	"sha1_hash": "8021a9a321699410b80fa8d4eec506fb190079e5",
	"title": "BlueShell (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39620,
	"plain_text": "BlueShell (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:58:14 UTC\r\nwin.blueshell (Back to overview)\r\nBlueShell\r\nAccording to AhnLab, BlueShell is a backdoor malware developed in Go language, published on GitHub, and it\r\nsupports Windows, Linux, and Mac operating systems. Currently, the original GitHub repository is presumed to\r\nhave been deleted, but the BlueShell source code can still be obtained from other repositories. It features an\r\nexplanatory ReadMe file in Chinese, indicating the possibility that the creator is a Chinese user.\r\nReferences\r\n2024-04-09 ⋅ Hunt.io ⋅ Hunt.io\r\nBlueShell: Four Years On, Still A Formidable Threat\r\nBlueShell\r\n2023-09-11 ⋅ AhnLab ⋅ Sanseo\r\nBlueShell Used in APT Attacks Against Korean and Thai Targets\r\nBlueShell Sliver Dalbit\r\n2023-09-05 ⋅ AhnLab ⋅ Sanseo\r\nBlueShell malware used in APT attacks targeting Korea and Thailand\r\nBlueShell SparkRAT\r\n2023-02-13 ⋅ AhnLab ⋅ kingkimgim\r\nDalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign\r\nGodzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell"
	],
	"report_names": [
		"win.blueshell"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8021a9a321699410b80fa8d4eec506fb190079e5.pdf",
		"text": "https://archive.orkl.eu/8021a9a321699410b80fa8d4eec506fb190079e5.txt",
		"img": "https://archive.orkl.eu/8021a9a321699410b80fa8d4eec506fb190079e5.jpg"
	}
}