{
	"id": "f3b99775-ddbf-455f-8452-bb9f5967ad06",
	"created_at": "2026-04-06T00:13:10.522028Z",
	"updated_at": "2026-04-10T03:20:29.992741Z",
	"deleted_at": null,
	"sha1_hash": "85a4dd14bc9c5c98d4626ba62d0cc2723d611782",
	"title": "Go malware on the rise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1215654,
	"plain_text": "Go malware on the rise\r\nBy Threat Research Team\r\nArchived: 2026-04-05 14:31:19 UTC\r\nIntroduction\r\nThe Go programming language is becoming more and more popular. One of the reasons is that Go programs\r\ncan be compiled for multiple operating systems and architectures into a single self-contained binary that carries all needed\r\ndependencies. Based on these properties, and as we expected, we observed an increase in the number of malware\r\nand gray tools written in the Go programming language in the last months. We are discovering new samples weekly.\r\nFor instance, in late April, we discovered two new strains in our internal honeypots, namely Backdoorit and\r\nCaligula, both of which were at that time undetected on VT.\r\nBackdoorit VirusTotal history\r\nBoth of these malware strains are multiplatform bots compiled for many different processor architectures and\r\nwritten in the Go programming language.\r\nAnalyzing Backdoorit\r\nBackdoorit (version 1.1.51562578125) is a multiplatform RAT written in the Go programming language and\r\nsupporting both Windows and Linux/Unix operating systems. In many places in the code it’s also referred to as\r\nbackd00rit.\r\nBased on close inspection of the analyse-full command of Backdoorit, we concluded that the main\r\npurpose of this malware is stealing Minecraft-related files and Visual Studio and IntelliJ projects.\r\nhttps://decoded.avast.io/davidalvarez/go-malware-on-the-rise/\r\nPage 1 of 8\n\nBut the malware is not limited just to those files. Some commands (upload, basharchive, bashupload and so\r\non) allow it to steal arbitrary files and information, install other malware in the system or run arbitrary commands\r\n(run, run-binary, etc.) and take screenshots of the user activity (screenshot, ssfile and so on).\r\nEvidence indicates that the Backdoorit developer is not a native English speaker, further pointing to a possible\r\nRussian threat actor. 
The comments and strings in the code are mostly written in English but are often grammatically\r\nincorrect. For instance, we found the message: “An confirmation required, run ”. We also discovered some\r\nisolated strings written in the Russian language.\r\nIn addition to the aforementioned strings, we also observed that, amongst others, the VimeWorld files (a Russian\r\nproject that offers Minecraft servers) are being targeted. This further supports a Russian origin for the\r\nthreat actor behind this malware.\r\nAfter running, Backdoorit retrieves some basic environment information such as the current operating\r\nsystem and the name of the user. It then continuously tries to connect to a C\u0026C server to give the attacker access\r\nto a shell.\r\nThe malware logs all executed operations and steps taken via a set of backd00r1t_logging_* functions. Those\r\nlogs can be uploaded to the server of the attacker either by using the uploadlogs and uploadlogs-file shell\r\ncommands or automatically in case a Go panic is raised.\r\nIn such a case, backd00r1t_backdoor_handlePanic handles the panic and performs the following actions:\r\n1. It first sends the logs to the endpoint /api/logs of the C\u0026C server with a JSON request structure as\r\ndefined in the function backd00r1t_api_SendLogs.\r\n2. It closes the connection with the C\u0026C server.\r\n3. It attempts to reconnect.\r\nThe mentioned handler helps to keep the bot connected and also allows the attacker to remotely follow the\r\nexecution trace.\r\nOnce the connection to the C\u0026C server succeeds, the attacker gets the context information listed below. 
The function\r\nbackd00r1t_backdoor_SocketConnectionHandle is responsible for handling all the commands supported by this\r\nRAT and first calls backd00r1t_backdoor_printMotd to display the following information:\r\nLast connected time\r\nThe Backdoorit version\r\nProcess\r\nActive connections\r\nUser name\r\nUser home\r\nUser id\r\nLogin\r\nGid\r\nProcess path\r\nModules Autostart state\r\nThe shell allows the threat actor to remotely execute arbitrary commands. The first command that is likely to be\r\nrun is the analyse-full command because it generates a report.txt file containing the Desktop,\r\nDocuments, Downloads, Minecraft and VimeWorld folder file trees and uploads the mentioned report and\r\nthe contents of both the Visual Studio and IntelliJ projects folders to Bashupload, a web service that allows uploading\r\nfiles from the command line with a storage limit of 50GB.\r\nAs mentioned earlier, if the attacker chooses to do so, they will also be able to implant other malware in the\r\nsystem. The threat actor can use the commands run-binary (a command for downloading and executing a\r\nscript), shell (a command that spawns the operating system shell and executes arbitrary commands) or\r\nother available commands.\r\nThe malware also contains a sort of “kill-switch” that can be triggered by the exploit command, but in\r\nthis case it does not simply remove the malware itself: it has the ability to crash the Windows operating\r\nsystem by exploiting CVE-2021-24098 and also to corrupt the NTFS file system of the hard disk via CVE-2021-28312 on\r\nvulnerable systems. This leads to complete loss of file information (including size, time and date stamps,\r\npermissions and data content) as well as, of course, removing evidence of the infection.\r\nThere are many more commands implemented in the shell that you can check in the corresponding section of the\r\nAppendix. 
As you will notice, the malware incorporates a checkupdates command, so we may expect to see new\r\nversions of Backdoorit soon.\r\nAnalyzing Caligula\r\nCaligula is a new multiplatform IRC bot that allows its operator to perform DDoS attacks.\r\nThe malware was written in the Go programming language and distributed in ELF files targeting several different\r\nprocessor architectures:\r\nIntel 80386 32-bit\r\nARM 32-bit\r\nPowerPC 64-bit\r\nAMD 64-bit\r\nIt currently supports Linux and Windows platforms (via WSL) and uses the function os_user_Current for\r\ndetermining the underlying operating system.\r\nCaligula is based on the Hellabot open source project, an easily modifiable event-based IRC bot with the\r\nability to be updated without losing connection to the server.\r\nMore reused code from open source projects (log15, fd, go-shellwords, go-isatty and go-colorable) was found in Caligula, but the core functionality is based on Hellabot.\r\nAll the samples that we hunted in the wild are prepared to connect to the same hardcoded IRC channel using\r\nthe following data:\r\nHost: 45.95.55.24:6667\r\nChannel: #caligula\r\nUsername: composed of the platform, the current user and a pseudo-random number,\r\ne.g. [LINUX]kali-11066\r\nAs shown in the following screenshot, the bot is prepared for joining the Caligula IRC Net v1.0.0 botnet.\r\nCaligula IRC Net v1.0.0 is a botnet ready for flooding. The bots offer the attacker the following attacks:\r\nFor more information on how the Caligula bot source code is organized, check the source code file listing available in\r\nthe appendix. 
It can be useful for getting a high-level perspective on the malware design, noticing that new attack\r\nmethods can easily be added to it, and identifying the Caligula malware family.\r\nConclusion\r\nDue to its native multiplatform support and relative ease of development, the use of the Go programming language for\r\nmalicious purposes is currently growing, especially in malware targeting Unix/Linux operating systems.\r\nNaturally, with the growing interest and community around the Go programming language, some of the malicious\r\ntools are being open sourced on GitHub and reused by different threat actors.\r\nIn this instance, we were one of the first in hunting and detecting Backdoorit and Caligula.\r\nAppendix\r\nBackdoorit shell commands reference\r\nBackdoorit bot source code listing\r\nH:/backdoorIt//injected/backdoor/BackdoorEnvironment.go\r\nH:/backdoorIt//injected/backdoor/BackgroundTasks.go\r\nH:/backdoorIt//injected/backdoor/CommandHelpers.go\r\nH:/backdoorIt//injected/backdoor/ConnectionHandler.go\r\nH:/backdoorIt//injected/files/Assets.go\r\nH:/backdoorIt//injected/api/Configuration.go\r\nH:/backdoorIt//injected/backdoor/ExecHandlers.go\r\nH:/backdoorIt//injected/backdoor/ExecHandlers__linux.go\r\nH:/backdoorIt//injected/backdoor/main.go\r\nH:/backdoorIt//injected/launcher/main.go\r\nCaligula bot source code 
listing\r\n/root/irc/bot/attack/attack.go\r\n/root/irc/bot/attack/methods.go\r\n/root/irc/bot/attack/parser.go\r\n/root/irc/bot/attack/flags.go\r\n/root/irc/bot/network/header.go\r\n/root/irc/bot/network/ip.go\r\n/root/irc/bot/network/tcp.go\r\n/root/irc/bot/routine/timedRoutine.go\r\n/root/irc/bot/attack/methods/httpflood.go\r\n/root/irc/bot/attack/methods/sshflood.go\r\n/root/irc/bot/attack/methods/synflood.go\r\n/root/irc/bot/attack/methods/tcpflood.go\r\n/root/irc/bot/attack/methods/udpflood.go\r\n/root/irc/bot/handle.go\r\n/root/irc/bot/singleInstance/singleinstance.go\r\n/root/irc/bot.go\r\nIoCs\r\nBackdoorit\r\n34366a8dab6672a6a93a56af7e27722adc9581a7066f9385cd8fd0feae64d4b0\r\nCaligula\r\nThe complete Backdoorit and Caligula IoCs are in our IoC repository.\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/"
	],
	"report_names": [
		"go-malware-on-the-rise"
	],
	"threat_actors": [],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85a4dd14bc9c5c98d4626ba62d0cc2723d611782.pdf",
		"text": "https://archive.orkl.eu/85a4dd14bc9c5c98d4626ba62d0cc2723d611782.txt",
		"img": "https://archive.orkl.eu/85a4dd14bc9c5c98d4626ba62d0cc2723d611782.jpg"
	}
}