{
	"id": "00d7286c-ca8c-4298-a6c7-39d2b28b621e",
	"created_at": "2026-04-06T00:08:16.350463Z",
	"updated_at": "2026-04-10T03:35:12.46248Z",
	"deleted_at": null,
	"sha1_hash": "9c3bc123ae8363155ce34f6434695d512e0ef4e9",
	"title": "ExCobalt: GoRed, the hidden-tunnel technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 829431,
	"plain_text": "ExCobalt: GoRed, the hidden-tunnel technique\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-02 12:34:41 UTC\r\nIntroduction\r\nWhile responding to an incident at one of our clients, the PT ESC CSIRT team discovered a previously unknown backdoor\r\nwritten in Go, which we attributed to a cybercrime gang dubbed ExCobalt.\r\nExCobalt focuses on cyberespionage and includes several members active since at least 2016 and presumably once part\r\nof the notorious Cobalt gang. Cobalt attacked financial institutions to steal funds. One of Cobalt's hallmarks was the use\r\nof the CobInt tool, something ExCobalt began to use in 2022.\r\nOver the past year, the PT ESC has recorded attacks linked to ExCobalt and investigated related incidents at Russian\r\norganizations in the following sectors:\r\nMetallurgy\r\nTelecommunications\r\nMining\r\nInformation technology\r\nGovernment\r\nSoftware development\r\nThis article discusses ExCobalt's new tool, GoRed, how it evolved, and some of the tactics, techniques, and procedures that\r\nthe group has used in its attacks.\r\nThe investigation begins\r\nWhile investigating an incident recorded in March 2024 on one of our client's Linux hosts, we discovered a file named\r\nscrond, compressed with UPX (Ultimate Packer for eXecutables).\r\nThe data in an unpacked sample, written in Go, included package paths containing the substring \"red.team/go-red/\". This\r\nfact suggests that this sample is a proprietary tool called GoRed.\r\nAfter investigating the site, we were unable to find any significant links to malicious activity. Therefore, we can assume that\r\nthe red.team domain found in the GoRed strings is a local repository with penetration testing tools.bsp;longer actively used\r\nby its creators. 
All the information dates back to 2019, and the design is typical of many similar sites.\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique\r\nPage 1 of 27\n\nFigure 1. Internal packages\r\nAs for the GoRed backdoor, the following key features can be identified:\r\nOperators can connect to the backdoor and execute commands, similar to other C2 frameworks like Cobalt Strike\r\nor Sliver.\r\nGoRed uses the RPC protocol to communicate with its C2 server.\r\nOperators use DNS/ICMP tunneling, WSS, and QUIC to communicate with GoRed.\r\nGoRed can obtain credentials from compromised systems.\r\nIt collects various types of information from compromised systems: details of active processes, host names, lists\r\nof network interfaces, file system structures, and so on.\r\nOperators use a variety of commands to conduct reconnaissance on the victim's network.\r\nGoRed serializes, encrypts, archives, and sends data it collects to a special server dedicated to storing compromised\r\ndata.\r\nFor a complete technical description of GoRed, see the section \"GoRed analysis\" below.\r\nFirst version of GoRed and other malicious tools we found\r\nAs we analyzed GoRed, we found that we had already come across several versions of the backdoor while responding\r\nto incidents at several of our clients earlier. For example, in July 2023, as we were investigating an incident at a certain\r\ncompany, we discovered several different tools inside the attackers' directories due to an error they had made, one of the tools\r\nbeing the original version of GoRed.\r\nSimilarly, in an October 2023 incident, we found further tools inside public directories on the attackers' network. A short\r\nname and description of each tool we found during the investigations are presented in the table below.\r\n2586\r\nCVE-2022-2586: a Linux kernel vulnerability associated with pointer abuse in the io_uring\r\nfunction. 
This was used by the threat actor to escalate privileges and execute arbitrary code\r\nin the vulnerable system\r\n3156.zip\r\nCVE-2021-3156: a sudo vulnerability known as Baron Samedit. This allows a local user\r\nto execute arbitrary code with root privileges, bypassing standard security controls\r\n4034\r\nPwnkit is a local privilege escalation exploit for CVE-2021-4034. This is a vulnerability in the\r\npkexec utility. It allows local users to escalate their privileges to root, which can lead\r\nto complete compromise of the system\r\ntraceme\r\nLocal privilege escalation exploit for CVE-2019-13272. This is a vulnerability in the Linux\r\nkernel, in the ptrace component. It allows users with CAP_SYS_PTRACE privileges\r\nto escalate their privileges to root to execute arbitrary code in the system\r\nbitrix.zip\r\nThis is an archive with vote_agent.php and html_editor_action.php files, containing RCE\r\nexploits for Bitrix. It was distributed via Telegram channels in June 2022, and also mentioned\r\nin connection with the May 2023 mass defacement of Russian websites\r\n(https://habr.com/ru/companies/ruvds/articles/739898/)\r\ncol First version of the GoRed backdoor: 0.0.1\r\nfs fscan (https://github.com/shadow1ng/fscan/)\r\nget_wp-commentin.txt\r\nObfuscated PHP file\r\nrun\r\nFreeBSD file. Runs the specified executable file as root, same as the command sudo exec \u003cspecified file\u003e\r\nset\r\nFreeBSD file. 
Sets root as file owner and grants rwx (read, write, execute) permissions to it,\r\nsame as the commands chown \u003cfile\u003e 0; chmod \u003cfile\u003e 777\r\ninstall Installs a malicious module for Apache 2.4\r\ninstall[drop]\r\nContains a dropper with a UPX-compressed binary file that is written to /usr/local/games/w.\r\nThe file’s privileges are then changed: chown root:root; chmod 4755\r\ninstall[drop][upx]\r\n/usr/local/games/w\r\nTries to run the following command as root:\r\n(setuid(0); setgid(0); /bin/sh -c...))\r\nk\r\nContains the following set of basic network utilities and replaces the process name with [kthr]:\r\ncurl Stripped-down version of curl\r\nsocksd Proxy (socks4/5 with user+pass support)\r\nshell Bind shell\r\nhost Resolves a host’s name via the 8.8.8.8 DNS server\r\nhash MD5/SHA-1/SHA-256\r\ngz Inflate/deflate functionality\r\nnetcat -\r\nkit\r\nShell script to install kitsune. The MEGATSUNE variable was used instead of KITSUNE.\r\namd64.rpm-bin.link and pkg.dpkg-source.info were used as the C2s\r\nlock.zip Part of the locker wiper ransomware repository with a read.me file in Russian inside\r\nlocker Locker from lock.zip without the configuration files\r\nm Mettle (https://github.com/rapid7/mettle)\r\nrev Bind shell, shares code with shell from k, renames process to [kr]\r\nsf Binary for BSD\r\nspark Spark RAT\r\nw.txt\r\nPHP web shell: WSO\r\n(https://github.com/ndbrain/WSO)\r\nwef Variant of reverse SSH client (https://github.com/NHAS/reverse_ssh)\r\ny.txt PHP shell: p0wny-shell\r\nknife/k We found this file several months after the above-mentioned k, also in a public directory but\r\nin a different domain. It was also named k, and the functionality is similar, which suggests that\r\nthis is simply the next version. This is a tool to control a compromised Linux server. 
It has\r\nextensive functionality; commands to execute are specified in the command line:\r\nsync No handler. Causes segfault if run\r\ncurl \u003curl\u003e Loads content from the specified URL\r\nsocksd Starts a SOCKS server\r\nnetcat No handler. Causes segfault if run\r\nhost \u003chost\u003e Tries to resolve the host’s name via the 8.8.8.8:53 DNS server\r\nhash \u003cfilename\u003e Calculates the file’s hash (MD5, SHA-1, SHA-256 are available)\r\ngz \u003cfilename\u003e Compresses the file\r\nshell \u003coptions\u003e \u003cIP address:port\u003e Remote shell. The command can be run with the following possible\r\noptions: -l (listen on the specified address) or -c (connect to the\r\nspecified address)\r\nIn addition to the tools obtained from the threat actors' server directories, ExCobalt used the following tools:\r\nMimikatz\r\nProcDump\r\nSMBExec\r\nMetasploit\r\nrsocx\r\nModified versions of standard utilities\r\nBesides the above tools found in public directories, we came across modified versions of standard Linux utilities in several\r\nincidents, something we first saw in November 2023.\r\nThe modification of utilities serves two purposes:\r\n1. Modified ps and htop hide an active core process of the gsocket module and related processes in terminal output.\r\nLet's take ps as an example.\r\nThe simple_readproc function was modified.\r\nThe original code looks as follows:\r\nFigure 2. Original ps code\r\nThe following code was added:\r\nFigure 3. Code added to ps\r\nThe is_target_proc function checks for every process whether its name is equal to any of the hardcoded names of malicious\r\nprocesses:\r\nFigure 4. The check inside is_target_proc\r\nIf the check returns true, the process will be hidden in the terminal output. Here's the list of the names of malicious\r\nprocesses hidden this way:\r\nFigure 5. 
Names of malicious processes\r\n2. Modified ss and netstat hide the active network connection of the core module of gsocket in terminal output.\r\nLet's take netstat as an example.\r\nThe first code modification was made in the main function.\r\nThe original code looks as follows:\r\nFigure 6. Original code of the main function of netstat\r\nFirst, code was added to copy all C2s from the data section to a global structure:\r\nFigure 7. Copying the C2s to a global structure\r\nThe second modification was in the tcp_do_one function, starting here:\r\nFigure 8. Original code of the tcp_do_one function of netstat\r\nChecks for the name of the malicious process and for the malicious connection were added to the code. If the check returns true, the\r\nprocess with one of the hardcoded names, or the malicious network connection, will be hidden:\r\nFigure 9. Checking for the name of the malicious process and malicious connection\r\nRelation to ExCobalt\r\nIn November 2023, we discussed ExCobalt's attacks on Russian companies.\r\nIn that report, we mentioned the domain lib.rpm-bin.link, where upon directory enumeration we found many of the tools\r\ndescribed above—including col, the first version of GoRed.\r\nAlso, in a March 2024 incident, we observed infected hosts that contacted the threat actor's servers: get.rpm-bin.link and\r\nleo.rpm-bin.link. 
Additionally, GoRed used a static_TransportConfig structure with the following C2s:\r\nleo.rpm-bin.link\r\nsula.rpm-bin.link\r\nlib.rest\r\nrosm.pro\r\nIn May 2023, Bi.Zone researchers released an analysis of attacks by Sneaking Leprechaun, whose tools showed some\r\noverlap with the above-mentioned files found inside the public directories.\r\nFurthermore, our colleagues at Rostelecom-Solar in May 2024 released a report on the Shedding Zmiy activity cluster,\r\nwhich also correlated with ExCobalt. Case 7 in this report described the same attack and a GoRed stealer sample with\r\na C2 at pkg.collect.net.in. This sample was designated as Bulldog Backdoor in the report.\r\nGoRed analysis\r\nBefore we proceed to analyzing the current version of GoRed, we will provide a retrospective analysis of its evolution.\r\nVersions we found\r\nAll the versions we found are shown in the table below.\r\nVersion Description\r\n0.0.1\r\nAssumed to be the first one.\r\nCollects information about the victim.\r\nSource obfuscated with garble.\r\n0.0.9\r\nDebug build: GoRed activity logging enabled.\r\nBuilt-in configuration expanded.\r\nCollects information about the victim.\r\nSource obfuscated with garble.\r\n0.0.9\r\nBuilt-in configuration expanded.\r\nCollects information about the victim.\r\nSource obfuscated with garble.\r\n0.0.13\r\nRemoved garble obfuscation.\r\nAdded control flow based on a command line interface.\r\nAdded reverse shell functionality via the WSS and DNS protocols.\r\nCollects only processes.\r\nAdded a configuration structure absent in previous versions.\r\n0.0.23-10-g4528ef3\r\nAdded collection of network interfaces.\r\nAdded beacon mode (gecko command).\r\nAdded protocols for an operator to connect via DNS, ICMP, QUIC, WSS.\r\nAdded CBOR codec for RPC support.\r\nAdded proxy mode.\r\nImplemented updating functionality.\r\nAdded file system monitoring (birdwatch command).\r\nAdded ICMP tunneling.\r\n0.1.3-4-g68c293d This version is mentioned only in the Solar 
report; we have not come across it.\r\n0.1.3-62-g4843e53\r\nExpanded victim data collection feature (collector command).\r\nAdded transport configuration.\r\n0.1.4 No changes found from previous version.\r\nThis article examines the current version, 0.1.4.\r\nInternal packages\r\nFirst, we will describe the structure of the internal packages and their purpose to give you an understanding of GoRed\r\nfunctionality. In the backdoor's data, we have found the following package paths containing the substring \"red.team/go-red/\":\r\nPackage Purpose\r\nred.team/go-red/config/ Retrieval of the internal and transport configurations\r\nred.team/go-red/bb/ Processing of an operator's commands\r\nred.team/go-red/birdwatch/ Monitoring of the file system\r\nred.team/go-red/gecko/ Protocol for communication between GoRed and its C2\r\nred.team/go-red/backend/ Connecting to a data exfiltration server\r\nred.team/go-red/collector/ Collecting system information\r\nred.team/go-red/util/ Various auxiliary utilities\r\nred.team/go-red/packer/ Data packing\r\nred.team/go-red/proxy/ Proxy mode operation\r\nred.team/go-red/revshell/ Reverse shell mode operation\r\nred.team/go-red/dns/ DNS tunneling implementation\r\nred.team/go-red/icmptunnel/ ICMP tunneling implementation\r\nLet's now proceed to analysis proper. Here's a simplified diagram of the control flow to give you an understanding of how\r\nit works.\r\nFigure 10. Diagram of the control flow\r\n1. Start of execution\r\nThe control flow relies on the command line interface (CLI). However, before passing control to the CLI, the backdoor\r\ninitializes a number of commands, which are described below.\r\nservice command\r\ngecko subcommand\r\nFigure 11. 
Initializing the command and subcommand\r\nThe service command, intended for gaining persistence in the system, is initialized first. The GoRed CLI command\r\nstructure looks as follows:\r\n \r\nstruct cli_Command\r\n{\r\n string Name;\r\n _slice_string Aliases;\r\n string Usage;\r\n string UsageText;\r\n string Description;\r\n string ArgsUsage;\r\n string Category;\r\n PTR_cli_BashCompleteFunc BashComplete;\r\n PTR_cli_BeforeFunc Before;\r\n PTR_cli_AfterFunc After;\r\n PTR_cli_ActionFunc Action;\r\n PTR_cli_OnUsageErrorFunc OnUsageError;\r\n _slice__ptr_cli_Command Subcommands;\r\n _slice_cli_Flag Flags;\r\n cli_FlagCategories flagCategories;\r\n bool SkipFlagParsing;\r\n bool HideHelp;\r\n bool HideHelpCommand;\r\n bool Hidden;\r\n bool UseShortOptionHandling;\r\n string HelpName;\r\n _slice_string commandNamePath;\r\n string CustomHelpTemplate;\r\n cli_CommandCategories categories;\r\n bool isRoot;\r\n cli_separatorSpec separator;\r\n};\r\nIn terms of command identification, the most helpful fields in this structure are the following:\r\nName: command name\r\nUsage: command description\r\nAction: function called when the command is executed\r\nSubcommands: subcommands for the current command\r\nNext, the structure of the CLI itself is initialized into the variable app.\r\nFigure 12. 
Initializing the app structure for the CLI\r\nThe app structure looks as follows:\r\n \r\nstruct cli_App\r\n{\r\n string Name;\r\n string HelpName;\r\n string Usage;\r\n string UsageText;\r\n string ArgsUsage;\r\n string Version;\r\n string Description;\r\n string DefaultCommand;\r\n _slice__ptr_cli_Command Commands;\r\n _slice_cli_Flag Flags;\r\n bool EnableBashCompletion;\r\n bool HideHelp;\r\n bool HideHelpCommand;\r\n bool HideVersion;\r\n cli_CommandCategories categories;\r\n cli_FlagCategories flagCategories;\r\n PTR_cli_BashCompleteFunc BashComplete;\r\n PTR_cli_BeforeFunc Before;\r\n PTR_cli_AfterFunc After;\r\n PTR_cli_ActionFunc Action;\r\n PTR_cli_CommandNotFoundFunc CommandNotFound;\r\n PTR_cli_OnUsageErrorFunc OnUsageError;\r\n PTR_cli_InvalidFlagAccessFunc InvalidFlagAccessHandler;\r\n time_Time Compiled;\r\n _slice__ptr_cli_Author Authors;\r\n string Copyright;\r\n io_Reader Reader;\r\n io_Writer Writer;\r\n io_Writer ErrWriter;\r\n PTR_cli_ExitErrHandlerFunc ExitErrHandler;\r\n map_string_interface_ Metadata;\r\n PTR_func_map_string_string ExtraInfo;\r\n string CustomAppHelpTemplate;\r\n string SliceFlagSeparator;\r\n bool DisableSliceFlagSeparator;\r\n bool UseShortOptionHandling;\r\n bool Suggest;\r\n bool AllowExtFlags;\r\n bool SkipFlagParsing;\r\n bool didSetup;\r\n cli_separatorSpec separator;\r\n _ptr_cli_Command rootCommand;\r\n};\r\nHere, too, the most informative fields for identifying commands are as follows:\r\nName: current command name\r\nAction: function called\r\nCommands: subcommands for the current command\r\nThe Commands field for the app structure is also initialized.\r\nFigure 13. Initializing the CLI context structure\r\nNext, the Logging field is retrieved from the embedded_Config structure described in the section below. After this, the\r\ncontrol flow moves to the CLI.\r\nFigure 14. 
Transferring control to the CLI\r\n2. Gaining persistence in the system\r\nThe first command to be executed is service. It achieves persistence in the system. It can be executed with the following\r\noptions:\r\nOption Purpose\r\nno-service Simply proceeds to executing CLI commands\r\nuninstall Removes the service\r\nrestart Restarts the service\r\nIf there are no options from the table above, it gains persistence as a service with the name it received as an argument.\r\nTo maintain presence in the compromised system, it creates environment variables whose names begin with \"BB\", for\r\nexample:\r\nBB_WS\r\nBB_QUIC\r\nBB_ICMP\r\nBB_DNS\r\nBB_START_DELAY\r\n3. Initializing beacon mode\r\nThe control flow is then transferred to the gecko command. This command is the entry point for GoRed to run in beacon\r\nmode.\r\nFigure 15. Execution options for the gecko command\r\nIt can be executed with the following options:\r\nOption Purpose\r\nwss, quic, icmp, dns Use the corresponding protocol (WSS, QUIC, ICMP, or DNS) for communication between the operator and GoRed\r\nbackground Run the command in the background\r\nstart-delay Add a delay in communications with the C2\r\nDepending on the protocol received as an option, the command fetches the C2 from the transport configuration whose\r\nstructure is described in the section below. It then begins initializing the beacon functionality.\r\nFigure 16. Initializing the beacon functionality\r\nTo identify the victim, the malware first generates an ID, which is an MD5 hash of the computer's MAC addresses and\r\nname, similarly to the case described in our Hellhounds: Operation Lahat article. The resulting hash sum is added to a field\r\nin the client structure, which stores all data required for communication with the C2.\r\nFigure 17. Obtaining a victim ID\r\n4. 
Establishing an initial connection\r\nAfter GoRed is initialized, it needs to connect to its C2. The number of connection attempts is defined in the backoff\r\npackage.\r\nFigure 18. Setting the number of C2 connection attempts\r\nThe execution flow calls the function that registers the beacon functionality, after which the CLI commands are initialized.\r\nFigure 19. Starting beacon functionality\r\nRegistration uses the RPC protocol. Data in the model_Beacon structure is sent to the server, and data in the model_Auth\r\nstructure is used for authentication with the server.\r\n \r\nstruct model_RegisterBeaconRequest\r\n{\r\n model_Beacon Beacon;\r\n model_Auth Auth;\r\n};\r\nstruct model_Beacon\r\n{\r\n string ID;\r\n string Hostname;\r\n string ClientIPs;\r\n _slice_string Tags;\r\n string OS;\r\n string Username;\r\n};\r\nstruct model_Auth\r\n{\r\n string Token;\r\n uuid_UUID ClientID;\r\n string Transport;\r\n};\r\nThe fields in these structures have the following purposes:\r\nField Purpose\r\nBeacon\r\nThe structure containing victim information\r\nField Purpose\r\nID Victim's ID\r\nHostname Victim's hostname\r\nClientIPs Victim's IP addresses\r\nTags Victim's tag\r\nOS Victim's operating system\r\nUsername Victim's username\r\nAuth The structure containing authentication data\r\nField Purpose\r\nToken Authentication token\r\nClientID Client ID\r\nTransport Protocol being used\r\nAfter registering, GoRed runs the birdwatch command to monitor the file system.\r\nFigure 20. Running birdwatch in the background\r\nThe execution flow then sets a GoRed beacon mode heartbeat period (for signaling to C2).\r\nFigure 21. 
Setting a heartbeat period\r\nThe execution flow then runs a command to monitor the password file stored in /etc/shadow/.\r\nFigure 22. Running creds-watcher in the background\r\nFinally, the execution flow initializes all available commands and goes into heartbeat mode.\r\nFigure 23. Entering heartbeat mode\r\n5. Entering listen and execute mode\r\nAt the final stage of initialization, GoRed starts listening for the operator's commands that it previously initialized. It can\r\nexecute both system and built-in commands. Commands can be set to run in the background.\r\nFigure 24. Function to set a command to run in the background\r\n6. Communications in beacon mode\r\nGoRed uses the RPC protocol to communicate with its C2 in beacon mode.\r\nFigure 25. RPC functionality\r\nIt registers a custom codec to communicate via RPC.\r\nFigure 26. Custom RPC codec functionality\r\nThe registered codec serializes data with CBOR and encrypts it with AES-256-GCM (using the Secret field in embedded_Config) when\r\nsending, and does the reverse when receiving.\r\nFigure 27. Function that transforms data for exfiltration\r\nConfigurations\r\nGoRed contains two configuration blocks: built-in and transport.\r\nBuilt-in configuration\r\nThis is the configuration of GoRed itself. It is serialized with msgpack and then encoded in Base64.\r\nFigure 28. 
Built-in configuration\r\nFor versions 0.0.23-10-g4528ef3 through 0.1.4, the structure of the built-in configuration is as follows:\r\n \r\nstruct embedded_Config\r\n{\r\n string Logging;\r\n string Token;\r\n uuid_UUID UserID;\r\n uuid_UUID ClientID;\r\n string ClientKey;\r\n string Version;\r\n _slice_string Tags;\r\n _slice_string Args;\r\n string Secret;\r\n _ptr_url_URL BackendAddress;\r\n _ptr_url_URL ProxyAddress;\r\n};\r\nThe purposes of the built-in configuration fields are as follows:\r\nField Purpose\r\nLogging\r\nLogging and log format:\r\nNo logging\r\nTo a .log file in a temporary directory\r\nDirectly to the operator's console\r\nToken Generated JWT for RPC\r\nUserID UUID for the payload field in the JWT (when using RPC)\r\nClientID Unique identifier for the exfiltrated data of the victim\r\nClientKey HS256 key needed to generate the JWT when exfiltrating data\r\nVersion GoRed version\r\nTags Victim's tag\r\nArgs GoRed arguments\r\nSecret AES-256-GCM key for encrypting or decrypting the data transmitted or received via RPC\r\nBackendAddress Address of a dedicated server for data exfiltration\r\nProxyAddress List of proxy addresses for data exfiltration\r\nConfiguration structure for versions 0.0.9 through 0.0.13.\r\n \r\nstruct embedded_Config\r\n{\r\n bool Debug;\r\n string Token;\r\n uuid_UUID ClientID;\r\n string ClientKey;\r\n string Version;\r\n _slice_string Tags;\r\n string Secret;\r\n string BasicAuthLogin;\r\n string BasicAuthPass;\r\n _ptr_url_URL BackendAddress;\r\n _ptr_url_URL ProxyAddress;\r\n};\r\nThe fields in this version of the built-in configuration have the following purposes:\r\nField Purpose\r\nDebug\r\nLogging and log format:\r\nNo logging\r\nTo a .log file in a temporary directory\r\nDirectly to the operator's console\r\nBasicAuthLogin Login for authentication when using the curl 
command\r\nBasicAuthPass Password for authentication when using the curl command\r\nBuilt-in configuration for version 0.0.1.\r\n \r\nstruct embedded_Config\r\n{\r\n bool Debug;\r\n uuid_UUID ClientID;\r\n string ClientKey;\r\n string Version;\r\n _ptr_url_URL BackendAddress;\r\n};\r\nGolang script for getting built-in configuration fields:\r\n \r\npackage main\r\n\r\nimport (\r\n \"encoding/base64\"\r\n \"fmt\"\r\n \"net/url\"\r\n\r\n \"github.com/google/uuid\"\r\n \"github.com/vmihailenco/msgpack/v5\"\r\n)\r\n\r\n// embedded_Config mirrors the layout of the built-in configuration in versions 0.0.23-10-g4528ef3 through 0.1.4.\r\ntype embedded_Config struct {\r\n Logging        string\r\n Token          string\r\n UserID         uuid.UUID\r\n ClientID       uuid.UUID\r\n ClientKey      string\r\n Version        string\r\n Tags           []string\r\n Args           []string\r\n Secret         string\r\n BackendAddress *url.URL\r\n ProxyAddress   *url.URL\r\n}\r\n\r\n// config is the Base64 string extracted from the sample (see Figure 28).\r\nconst config = `...`\r\n\r\nfunc main() {\r\n // The configuration is msgpack-serialized and then Base64-encoded, so decode in the reverse order.\r\n data, err := base64.StdEncoding.DecodeString(config)\r\n if err != nil {\r\n  panic(err)\r\n }\r\n // Unpack into a generic map so the fields can be printed without relying on exact type tags.\r\n var item map[string]any\r\n if err := msgpack.Unmarshal(data, \u0026item); err != nil {\r\n  panic(err)\r\n }\r\n fmt.Print(\"Logging: \")\r\n fmt.Println(item[\"Logging\"])\r\n fmt.Print(\"Token: \")\r\n fmt.Println(item[\"Token\"])\r\n // UUIDs are stored as 16 raw bytes; the slice-to-array conversion to uuid.UUID needs Go 1.20 or later.\r\n fmt.Print(\"UserID: \")\r\n fmt.Println(uuid.UUID(item[\"UserID\"].([]byte)))\r\n fmt.Print(\"ClientID: \")\r\n fmt.Println(uuid.UUID(item[\"ClientID\"].([]byte)))\r\n fmt.Print(\"ClientKey: \")\r\n fmt.Println(item[\"ClientKey\"])\r\n fmt.Print(\"Version: \")\r\n fmt.Println(item[\"Version\"])\r\n fmt.Print(\"Tags: \")\r\n fmt.Println(item[\"Tags\"])\r\n fmt.Print(\"Args: \")\r\n fmt.Println(item[\"Args\"])\r\n fmt.Print(\"Secret: \")\r\n fmt.Println(item[\"Secret\"])\r\n // BackendAddress is serialized as raw bytes holding the URL string.\r\n fmt.Print(\"BackendAddress: \")\r\n fmt.Println(string(item[\"BackendAddress\"].([]byte)))\r\n fmt.Print(\"ProxyAddress: \")\r\n fmt.Println(item[\"ProxyAddress\"])\r\n}\r\nPython script for getting built-in configuration fields:\r\n \r\nimport base64\r\nimport msgpack\r\n\r\n# Base64 string extracted from the sample; decode it, then unpack the msgpack payload.\r\ns = base64.b64decode('...')\r\nconfig = msgpack.unpackb(s, raw=False)\r\nprint(config)\r\nTransport configuration\r\nThe transport configuration looks as follows:\r\nFigure 29. Transport configuration\r\nIt has the following structure:\r\n \r\nstruct static_TransportConfig\r\n{\r\n static_Transport Revsh;\r\n static_Transport RPC;\r\n static_Transport Proxy;\r\n};\r\nstruct static_Transport\r\n{\r\n _ptr_static_Address WS;\r\n _ptr_static_Address QUIC;\r\n _ptr_static_Address ICMP;\r\n _ptr_static_Address DNS;\r\n _ptr_static_Address TCP;\r\n};\r\nstruct static_Address\r\n{\r\n string Domain;\r\n string BackupIP;\r\n signed __int64 Port;\r\n string Proto;\r\n};\r\nThe fields of the static_TransportConfig structure have the following purposes:\r\nField Purpose\r\nRevsh Reverse shell connection addresses for an operator\r\nRPC Addresses for GoRed beacon mode RPC heartbeats\r\nProxy Addresses for running GoRed in proxy mode\r\nThe fields of the static_Address structure have the following purposes:\r\nField Purpose\r\nDomain Domain to connect to\r\nBackupIP IP to connect to if the domain cannot be resolved\r\nPort Connection port\r\nProto Connection protocol\r\nCommunication protocols\r\nGoRed has several protocols for communicating with the operator.\r\nProtocol Implementation\r\nws Implements WebSocket connection\r\nquic Implements QUIC connection\r\nicmp Implements ICMP tunneling\r\ndns Implements DNS tunneling\r\nDNS\r\nDNS tunneling in GoRed can use Base64 or Base32. This option is selected during compilation.\r\nFigure 30. 
Using Base32 for traffic tunneling\r\nAn example of a domain used in an attack is\r\n8E1A4QB4OGA66RPJCHL72DJGCKRMIOR8CDN3EDJBDOOAEQ3FEDQ5UQB4OGA66RP.JCHL6EDJGCKRMIOR8CDN3EDJBD\r\nBackground commands\r\nBackground commands run continuously; some of them can be added to the background or removed, depending on the\r\nconditions in the table below.\r\nCommand Description\r\nbirdwatch\r\nWatches for new files inside directories. Runs in the background by default.\r\nlist: subcommand to print a list of paths monitored for new files.\r\nunwatch: subcommand to stop monitoring paths for new files.\r\ncreds-watcher Watches for passwords. Runs in the background by default.\r\nrevsh-host\r\nEnables reverse shell mode. Runs in the background upon execution.\r\nSets WebSocket as the communication protocol between the operator and GoRed.\r\nSets QUIC as the communication protocol between the operator and GoRed.\r\nSets ICMP as the communication protocol between the operator and GoRed.\r\nSets DNS as the communication protocol between the operator and GoRed.\r\nrev-proxy Enables reverse proxy mode via SOCKS5. Runs in the background upon execution.\r\nrev-fwd Enables reverse port forwarding mode. Runs in the background upon execution.\r\nConnecting in rev-proxy and rev-fwd mode\r\nBefore starting to act as a server, GoRed needs to initialize an embedded X.509 certificate, similarly to the case described\r\nin our Hellhounds: Operation Lahat. Part 2 article.\r\nFigure 31. Retrieving the certificate and host information\r\nThe backdoor also needs to collect information about the victim's host by executing the CollectHostInfo function shown\r\nabove. 
This produces the structure presented below, except for the Addr field.\r\n \r\nstruct proto_HostInfo\r\n{\r\n string Addr;\r\n string OS;\r\n string Username;\r\n string Hostname;\r\n _slice_string IPs;\r\n};\r\nThe fields in the structure have the following purposes:\r\nField Purpose\r\nAddr Address to connect to, passed to the command as a parameter\r\nOS Victim's operating system\r\nUsername Victim's username\r\nHostname Victim's hostname\r\nIPs Victim's IP addresses\r\nA structure to identify GoRed as a server is initialized as follows:\r\nFigure 32. Initializing the structure\r\nThe initialized structure looks as follows:\r\n \r\nstruct proto_BinInfo\r\n{\r\n uuid_UUID ClientID;\r\n string Token;\r\n _slice_string Tags;\r\n};\r\nThe fields in the structure have the following purposes:\r\nField Purpose\r\nClientID Identifies the victim\r\nToken Generated JWT for RPC\r\nTags Victim's tag\r\nHaving received the proto_HostInfo and proto_BinInfo structures, GoRed uses their fields in a handshake message that\r\nit sends to the C2 at the address it gets from the transport configuration. The handshake message structure looks as follows:\r\n \r\nstruct proto_MsgGreeting\r\n{\r\n proto_ConnectionMode Mode;\r\n string MachineID;\r\n proto_BinInfo BinInfo;\r\n _ptr_proto_HostInfo HostInfo;\r\n};\r\nThe fields in the structure have the following purposes:\r\nField Purpose\r\nMode\r\nThe following modes are supported:\r\n2: rev-proxy mode\r\n3: rev-fwd mode\r\nMachineID Victim's computer ID\r\nBinInfo Structure containing the GoRed configuration information\r\nHostInfo Structure containing victim information\r\nThe handshake sequence used to register GoRed as a server looks as follows:\r\nFigure 33. 
Communications with the C2\r\nIn response to the handshake message, the server sends a message with the following structure:\r\n \r\nstruct proto_MsgGreetingResponse\r\n{\r\n string Greeting;\r\n _ptr_proto_BinInfo BinInfo;\r\n _ptr_proto_HostInfo HostInfo;\r\n};\r\nIf the Greeting field contains the string \"welcome\", the connection is considered successful, and GoRed starts running\r\nin server mode; if not, the connection cannot be established.\r\nIssued commands\r\nThe operator uses the following commands to communicate with GoRed:\r\nCommand Description\r\nupload Exfiltrates files. Takes a file path as the argument\r\ndownload Downloads files onto the infected computer. Takes a file path as the argument\r\nbg-list Displays a list of internal background commands\r\nbg-stop\r\nCancels an internal background command. Takes a command ID as an argument. Can be used to stop\r\nall background commands\r\nstealth\r\nAutomatically sets the heartbeat frequency within a larger range for greater stealth.\r\non: subcommand that enables this mode with the time range 0x9D29229E000 to 0x105EF39B2000\r\noff: subcommand that disables this mode, restoring the time range 0x12A05F200 to 0x45D964B800\r\nemit-period Gets or sets a heartbeat frequency manually\r\nconn-providers\r\nGets the communication protocols available in the current version of GoRed\r\ninfo\r\nGets victim information:\r\nUserID\r\nLogging\r\nTags\r\nVersion\r\nTime\r\ncollect Collects and exfiltrates system information. See the section below for more details\r\nbb-update\r\nUpdates GoRed. 
Sends a GET request to the URL passed as the argument and restarts GoRed with the\r\nrestart argument\r\nbb-ps Gets the status of the process passed as the argument\r\nbb-cat Reads the file passed as the argument\r\nbb-find Searches for files passed as the argument\r\nbb-ls Displays the contents of the directory passed as the argument\r\nbb-mkdir Creates the directory passed as the argument\r\nbb-pwd Returns the full path of the current directory\r\nbb-rm Deletes the file passed as the argument\r\nbb-wc\r\nCollects information about the file passed as the argument:\r\nNumber of words\r\nNumber of lines\r\nNumber of characters\r\nNumber of bytes\r\nbb-nmap Scans the network. Takes a host IP as the argument\r\nbb-ping Pings an external host. Takes an IP as the argument\r\nbb-wget\r\nGets files via HTTP. Takes two arguments: the source URL and the output filename specified after the\r\n--output option\r\nbb-curl Similar to curl, but with limited functionality\r\ncollect\r\nSince this command collects system information and data for subsequent exfiltration, we decided to describe it in more\r\ndetail:\r\nOption Purpose\r\nlocal-archive Selects a compression algorithm: tar or gzip\r\nskip-trees Skips collecting file system structure information\r\nskip-files Skips collecting files\r\nexec-timeout Sets a time period for collecting files\r\nCollected information\r\nAn example of the code used to collect information is shown below.\r\nFigure 34. 
Example of the code used to collect information\r\nA complete list of collected information is provided in the table below.\r\nFile Contents\r\nprocesses.json List of processes\r\nenvvars.json List of environment variables\r\nhost.json Information about the processor, RAM, installed OS, user name, group name\r\nnetwork_interfaces.json List of network interfaces\r\nnetstats.json List of active network connections\r\n*.txt\r\nFiles that will be collected depending on the values of the fields in the\r\nmodel_CollectionConfig structure\r\nhardware.json Hardware information\r\ntrees.json File system structure\r\nExfiltration\r\nBefore the data is sent, it is serialized with msgpack and encrypted with AES-256-GCM (Secret field in embedded_Config).\r\nFigure 35. Example of collected data preparation\r\nNext, after archiving the data, the backdoor sends it with a POST request to a URL generated by appending \"/api/collection-result\" to the BackendAddress field in embedded_Config.\r\nFigure 36. Data exfiltration\r\nIt is also possible to update the model_CollectionConfig structure by sending a GET request to a URL generated\r\nby appending \"/api/config\" to the BackendAddress field in embedded_Config.\r\nFigure 37. 
Configuration update\r\nThe model_CollectionConfig structure is a configuration for the collect command and has the following fields:\r\n \r\nstruct model_CollectionConfig\r\n{\r\n _slice__slice_string Commands;\r\n _slice_string Files;\r\n _slice_string TreePaths;\r\n};\r\nThe fields in the structure have the following purposes:\r\nField Purpose\r\nCommands bb_files_* command\r\nFiles Files to collect\r\nTreePaths Paths whose file system structure is collected\r\nConclusion\r\nExCobalt continues to demonstrate a high level of activity and determination in attacking Russian companies, constantly\r\nadding new tools to its arsenal and improving its techniques. Not only is it developing new attack methods, but it's also\r\nactively improving its existing tools, such as the GoRed backdoor.\r\nExCobalt is apparently aiming for more sophisticated and productive methods of hacking and cyberespionage, seeing how\r\nGoRed has been acquiring new capabilities and features. These include expanded functionality for collecting victim data\r\nand increased secrecy both inside the infected system and in communications with C2 servers.\r\nIn addition, ExCobalt demonstrates flexibility and versatility by supplementing its toolset with modified standard utilities,\r\nwhich help the group to easily bypass security controls and adapt to changes in protection methods. 
The use of modified\r\nutilities is a sign that the members of the group have an in-depth understanding of the weaknesses of companies they attack,\r\nwhile leveraging vulnerabilities helps them to pursue sophisticated attacks on their targets.\r\nOverall, the evolution of ExCobalt and its toolset, including GoRed and the modified utilities, highlights the need for\r\norganizations and cybersecurity professionals to continuously improve detection and protection techniques to combat this\r\ngroup as well as other similar cyberthreats.\r\nAuthors:\r\nVladislav Lunin, Senior Information Security Threat Researcher, PT ESC\r\nAlexander Badaev, Information Security Threat Researcher, PT ESC\r\nSource: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/excobalt-gored-the-hidden-tunnel-technique"
	],
	"report_names": [
		"excobalt-gored-the-hidden-tunnel-technique"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aaa78e4b-9031-46bf-b39e-08a50cbc8db8",
			"created_at": "2025-02-11T02:00:04.045295Z",
			"updated_at": "2026-04-10T02:00:03.811805Z",
			"deleted_at": null,
			"main_name": "ExCobalt",
			"aliases": [],
			"source_name": "MISPGALAXY:ExCobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2603d977-6e3a-4269-ba49-b5a85c943641",
			"created_at": "2024-06-26T02:00:04.847439Z",
			"updated_at": "2026-04-10T02:00:03.666442Z",
			"deleted_at": null,
			"main_name": "HellHounds",
			"aliases": [],
			"source_name": "MISPGALAXY:HellHounds",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c3bc123ae8363155ce34f6434695d512e0ef4e9.pdf",
		"text": "https://archive.orkl.eu/9c3bc123ae8363155ce34f6434695d512e0ef4e9.txt",
		"img": "https://archive.orkl.eu/9c3bc123ae8363155ce34f6434695d512e0ef4e9.jpg"
	}
}