{
	"id": "62734a19-02cd-4ffe-bc7c-e3f2dc558018",
	"created_at": "2026-04-06T00:13:56.706428Z",
	"updated_at": "2026-04-10T13:11:42.965006Z",
	"deleted_at": null,
	"sha1_hash": "9c53b40b2be55764a1879bb8432855032fbf09fe",
	"title": "Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3738400,
	"plain_text": "Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite\r\nBy Jia Yu Chan, Salim Bitam, Daniel Stepanic, Seth Goodwin\r\nPublished: 2024-12-13 · Archived: 2026-04-05 13:32:02 UTC\r\nIntroduction\r\nElastic Security Labs recently observed a new intrusion set targeting Chinese-speaking regions, tracked as REF3864. These\r\norganized campaigns target victims by masquerading as legitimate software such as web browsers or social media\r\nmessaging services. The threat group behind these campaigns shows a moderate degree of versatility in delivering malware\r\nacross multiple platforms such as Linux, Windows, and Android. During this investigation, our team discovered a unique\r\nWindows infection chain with a custom loader we call SADBRIDGE. This loader deploys a Golang-based reimplementation\r\nof QUASAR, which we refer to as GOSAR. This is our team’s first time observing a rewrite of QUASAR in the Golang\r\nprogramming language.\r\nKey takeaways\r\nOngoing campaigns targeting Chinese language speakers with malicious installers masquerading as legitimate\r\nsoftware like Telegram and the Opera web browser\r\nInfection chains employ injection and DLL side-loading using a custom loader (SADBRIDGE)\r\nSADBRIDGE deploys a newly-discovered variant of the QUASAR backdoor written in Golang (GOSAR)\r\nGOSAR is a multi-functional backdoor under active development with incomplete features and iterations of\r\nimproved features observed over time\r\nElastic Security provides comprehensive prevention and detection capabilities against this attack chain\r\nREF3864 Campaign Overview\r\nIn November, the Elastic Security Labs team observed a unique infection chain when detonating several different samples\r\nuploaded to VirusTotal. 
These different samples were hosted via landing pages masquerading as legitimate software such as\r\nTelegram or the Opera GX browser.\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 1 of 27\n\nFake Telegram landing page\r\nDuring this investigation, we uncovered multiple infection chains involving similar techniques:\r\nTrojanized MSI installers with low detections\r\nMasquerading using legitimate software bundled with malicious DLLs\r\nCustom SADBRIDGE loader deployed\r\nFinal stage GOSAR loaded\r\nWe believe these campaigns have flown under the radar due to multiple levels of abstraction. Typically, the first phase\r\ninvolves opening an archive file (ZIP) that includes an MSI installer. Legitimate software like the Windows x64dbg.exe\r\ndebugging application is used behind-the-scenes to load a malicious, patched DLL ( x64bridge.dll ). This DLL kicks off a\r\nnew legitimate program ( MonitoringHost.exe ) where it side-loads another malicious DLL ( HealthServiceRuntime.dll ),\r\nultimately loading the GOSAR implant in memory via injection.\r\nMalware researchers extracted SADBRIDGE configurations that reveal adversary-designated campaign dates, and indicate\r\noperations with similar TTPs have been ongoing since at least December 2023. The command-and-control (C2)\r\ninfrastructure for GOSAR often masquerades under trusted services or software to appear benign and conform to victim\r\nexpectations for software installers. Throughout the execution chain, there is a focus on enumerating Chinese\r\nAV products such as 360tray.exe , along with firewall rule names and descriptions in Chinese. Due to these customizations,\r\nwe believe this threat is geared towards targeting Chinese language speakers. 
Additionally, extensive usage of Chinese\r\nlanguage logging indicates the attackers are also Chinese language speakers.\r\nQUASAR has previously been used in state-sponsored espionage, non-state hacktivism, and criminal financially motivated\r\nattacks since 2017 (Qualys, Evolution of Quasar RAT), including by China-linked APT10. A rewrite in Golang might\r\ncapitalize on institutional knowledge gained over this period, allowing for additional capabilities without extensive\r\nretraining of previously effective TTPs.\r\nGOSAR extends QUASAR with additional information-gathering capabilities, multi-OS support, and improved evasion\r\nagainst anti-virus products and malware classifiers. However, the generic lure websites and the lack of additional targeting\r\ninformation or actions on objectives leave us with insufficient evidence to identify attacker motivation(s).\r\nSADBRIDGE Execution Chain resulting in GOSAR infection\r\nSADBRIDGE Introduction\r\nThe SADBRIDGE malware loader is packaged as an MSI executable for delivery and uses DLL side-loading with various\r\ninjection techniques to execute malicious payloads. SADBRIDGE abuses legitimate applications such as x64dbg.exe and\r\nMonitoringHost.exe to load malicious DLLs like x64bridge.dll and HealthServiceRuntime.dll , which leads to\r\nsubsequent stages and shellcodes.\r\nPersistence is achieved through service creation and registry modifications. Privilege escalation to Administrator occurs\r\nsilently using a UAC bypass technique that abuses the ICMLuaUtil COM interface. 
In addition, SADBRIDGE incorporates\r\na privilege escalation technique through the Windows Task Scheduler to execute its main payload with SYSTEM level privileges.\r\nThe SADBRIDGE configuration is encrypted using a simple subtraction of 0x1 on each byte of the configuration string.\r\nThe encrypted stages all carry a .log extension and are decrypted at runtime using XOR and the LZNT1\r\ndecompression algorithm.\r\nSADBRIDGE employs PoolParty, APC queues, and token manipulation techniques for process injection. To avoid sandbox\r\nanalysis, it uses long Sleep API calls. Another defense evasion technique involves API patching to disable Windows\r\nsecurity mechanisms such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW).\r\nThe following deep dive is structured to explore the execution chain, providing a step-by-step walkthrough of the\r\ncapabilities and functionalities of significant files and stages, based on the configuration of the analyzed sample. The\r\nanalysis aims to highlight the interaction between each component and their roles in reaching the final payload.\r\nSADBRIDGE Code Analysis\r\nMSI Analysis\r\nThe initial files are packaged in an MSI using Advanced Installer; the main files of interest are x64dbg.exe and\r\nx64bridge.dll .\r\nSignificant files inside the MSI installer\r\nBy using MSI tooling (lessmsi), we can see the LaunchApp entrypoint in aicustact.dll is configured to execute the file\r\npath specified in the AI_APP_FILE property.\r\nCustom actions configured using Advanced Installer\r\nIf we navigate to this AI_APP_FILE property, we can see the file tied to this configuration is x64dbg.exe . 
This represents\r\nthe file that will be executed after the installation is completed; the legitimate NetFxRepairTool.exe is never executed.\r\nAI_APP_FILE property configured to launch x64dbg.exe\r\nx64bridge.dll Side-loading\r\nWhen x64dbg.exe gets executed, it calls the BridgeInit export from x64bridge.dll . BridgeInit is a wrapper for the\r\nBridgeStart function.\r\nControl flow diagram showing call to BridgeStart\r\nSimilar to techniques observed with BLISTER, SADBRIDGE patches the export of a legitimate DLL.\r\nComparison of BridgeStart export from x64bridge.dll\r\nDuring the malware initialization routine, SADBRIDGE begins with generating a hash using the hostname and a magic seed\r\n0x4E67C6A7 . This hash is used as a directory name for storing the encrypted configuration file. The encrypted configuration\r\nis written to C:\\Users\\Public\\Documents\\\u003chostname_hash\u003e\\edbtmp.log . This file is given the attributes\r\nFILE_ATTRIBUTE_SYSTEM, FILE_ATTRIBUTE_READONLY and FILE_ATTRIBUTE_HIDDEN to hide it from an\r\nordinary directory listing.\r\nConfiguration file hidden from users\r\nDecrypting the configuration is straightforward: the encrypted chunks are separated with null bytes. 
Each byte within the\r\nencrypted chunks is incremented by 0x1 to decrypt it.\r\nThe configuration consists of:\r\nPossible campaign date\r\nStrings to be used for creating services\r\nNew name for MonitoringHost.exe ( DevQueryBroker.exe )\r\nName of the DLL to be side-loaded by MonitoringHost.exe ( HealthServiceRuntime.dll )\r\nAbsolute paths for additional stages ( .log files)\r\nThe primary injection target for hosting GOSAR ( svchost.exe )\r\nSADBRIDGE configuration\r\nThe DevQueryBroker directory ( C:\\ProgramData\\Microsoft\\DeviceSync\\Device\\Stage\\Data\\DevQueryBroker\\ ) contains\r\nall of the encrypted stages ( .log files) that are decrypted at runtime. The file ( DevQueryBroker.exe ) is a renamed copy of\r\na legitimate Microsoft application ( MonitoringHost.exe ).\r\nFile listing of the DevQueryBroker folder\r\nFinally, it creates a process to run DevQueryBroker.exe , which side-loads the malicious HealthServiceRuntime.dll in the\r\nsame folder.\r\nHealthServiceRuntime.dll\r\nThis module drops both an encrypted and a partially decrypted shellcode in the user’s %TEMP% directory. The file name for\r\nthe shellcode follows the format: log\u003crandom_string\u003e.tmp . Each byte of the partially decrypted shellcode is then\r\ndecremented by 0x10 to fully decrypt it. The shellcode is executed in a new thread of the same process.\r\nDecryption of a shellcode in HealthServiceRuntime.dll\r\nThe malware leverages API hashing using the same algorithm described in research published by SonicWall; the hashing algorithm is\r\nlisted in the Appendix section. 
The shellcode decrypts DevQueryBroker.log into a PE file: it first performs a simple XOR\r\noperation with a single byte ( 0x42 ) on the first third of the file, then decompresses the result using the LZNT1\r\nalgorithm.\r\nShellcode decrypting DevQueryBroker.log file\r\nThe shellcode then unmaps any existing mappings at the PE file's preferred base address using NtUnmapViewOfSection ,\r\nensuring that a call to VirtualAlloc will allocate memory starting at the preferred base address. Finally, it maps the\r\ndecrypted PE file to this allocated memory and transfers execution to its entry point. All shellcodes identified and executed\r\nby SADBRIDGE share an identical code structure, differing only in the specific .log files they reference for decryption\r\nand execution.\r\nDevQueryBroker.log\r\nThe malware dynamically loads amsi.dll to disable critical security mechanisms in Windows. It patches\r\nAmsiScanBuffer in amsi.dll by inserting instructions that set the return value to 0x80070057 , the standard\r\nMicrosoft error code E_INVALIDARG indicating invalid arguments, and return early, effectively bypassing the\r\nscanning logic. Similarly, it patches AmsiOpenSession to always return the same error code E_INVALIDARG . Additionally, it\r\npatches EtwEventWrite in ntdll.dll , replacing the first instruction with a ret instruction to disable Event Tracing for\r\nWindows (ETW), suppressing any logging of malicious activity.\r\nPatching AmsiScanBuffer, AmsiOpenSession and EtwEventWrite APIs\r\nFollowing the patching, an encrypted shellcode is written to temp.ini at path\r\n( C:\\ProgramData\\Microsoft\\DeviceSync\\Device\\Stage\\Data\\DevQueryBroker\\temp.ini ).\r\nThe malware checks the current process token’s group membership to determine its privilege level. 
It verifies whether the process\r\nbelongs to the LocalSystem account by initializing a SID with the SECURITY_LOCAL_SYSTEM_RID and calling\r\nCheckTokenMembership . If not, it checks for membership in the Administrators group by creating a SID using\r\nSECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS and performing a similar token membership check.\r\nIf the current process does not have LocalSystem or Administrator privileges, privileges are first elevated to Administrator\r\nthrough a UAC bypass mechanism by leveraging the ICMLuaUtil COM interface. It crafts a moniker string\r\n\"Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\" to create an instance of the CMSTPLUA object\r\nwith Administrator privileges. Once the object is created and the ICMLuaUtil interface is obtained, the malware uses the\r\nexposed ShellExec method of the interface to run DevQueryBroker.exe .\r\nPrivilege Escalation via ICMLuaUtil COM interface\r\nIf no task or service has yet been created to run DevQueryBroker.exe routinely, the malware checks if the Anti-Virus process\r\n360tray.exe is running. 
If it is not running, a service is created for privilege escalation to SYSTEM, with the following\r\nproperties:\r\nService name: DevQueryBrokerService\r\nBinary path name:\r\n“C:\\ProgramData\\Microsoft\\DeviceSync\\Device\\Stage\\Data\\DevQueryBroker\\DevQueryBroker.exe -svc”.\r\nDisplay name: DevQuery Background Discovery Broker Service\r\nDescription: Enables apps to discover devices with a background task.\r\nStart type: Automatically at system boot\r\nPrivileges: LocalSystem\r\nIf 360tray.exe is detected running, the malware writes an encrypted PE file to DevQueryBrokerService.log , then maps a\r\nnext-stage PE file (Stage 1) into the current process memory, transferring execution to it.\r\nOnce DevQueryBroker.exe is re-triggered with SYSTEM level privileges and reaches this part of the chain, the malware\r\nchecks the Windows version. For systems running Vista or later (excluding Windows 7), it maps another next-stage (Stage\r\n2) into memory and transfers execution there.\r\nOn Windows 7, however, it executes a shellcode, which decrypts and runs the DevQueryBrokerPre.log file.\r\nStage 1 Injection (explorer.exe)\r\nSADBRIDGE utilizes PoolParty Variant 7 to inject shellcode into explorer.exe by targeting its thread pool’s I/O\r\ncompletion queue. It first duplicates a handle to the target process's I/O completion queue. It then allocates memory within\r\nexplorer.exe to store the shellcode. Additional memory is allocated to store a crafted TP_DIRECT structure, which\r\nincludes the base address of the shellcode as the callback address. 
Finally, it calls ZwSetIoCompletion , passing a pointer to\r\nthe TP_DIRECT structure to queue a packet to the I/O completion queue of the target process's worker factory (worker\r\nthreads manager), effectively triggering the execution of the injected shellcode.\r\nI/O Completion Port Shellcode Injection\r\nThis shellcode decrypts the DevQueryBrokerService.log file, unmaps any memory regions occupying its preferred base\r\naddress, maps the PE file to that address, and then executes its entry point. This behavior mirrors the previously observed\r\nshellcode.\r\nStage 2 Injection (spoolsv.exe/lsass.exe)\r\nFor Stage 2, SADBRIDGE injects shellcode into spoolsv.exe , or lsass.exe if spoolsv.exe is unavailable, using the\r\nsame injection technique as in Stage 1. The shellcode exhibits similar behavior to the earlier stages: it decrypts\r\nDevQueryBrokerPre.log into a PE file, unmaps any regions occupying its preferred base address, maps the PE file, and\r\nthen transfers execution to its entry point.\r\nDevQueryBrokerService.log\r\nThe shellcode decrypted from DevQueryBrokerService.log , as mentioned in the previous section, leverages a privilege\r\nescalation technique using the Windows Task Scheduler. SADBRIDGE integrates a public UAC bypass technique using the\r\nIElevatedFactoryServer COM object to indirectly create the scheduled task. 
This task is configured to run\r\nDevQueryBroker.exe on a daily basis with SYSTEM level privileges using the task name DevQueryBrokerService .\r\nGUID in Scheduled Task Creation (Virtual Factory for MaintenanceUI)\r\nIn order to cover its tracks, the malware spoofs the image path and command-line by modifying the Process Environment\r\nBlock (PEB) directly, likely in an attempt to disguise the COM service as coming from explorer.exe .\r\nDevQueryBrokerService.log Spoofed Image Command-Line\r\nDevQueryBrokerPre.log\r\nSADBRIDGE creates a service named DevQueryBrokerServiceSvc under the registry subkey\r\nSYSTEM\\CurrentControlSet\\Services\\DevQueryBrokerServiceSvc with the following attributes:\r\nDescription: Enables apps to discover devices with a background task.\r\nDisplayName: DevQuery Background Discovery Broker Service\r\nErrorControl: 1\r\nImagePath: %systemRoot%\\system32\\svchost.exe -k netsvcs\r\nObjectName: LocalSystem\r\nStart: 2 (auto-start)\r\nType: 16\r\nFailure Actions:\r\nResets failure count every 24 hours.\r\nExecutes three restart attempts: a 20ms delay for the first, and a 1-minute delay for the second and third.\r\nThe service parameters specify the ServiceDll located at C:\\Program Files (x86)\\Common Files\\Microsoft\r\nShared\\Stationery\\\u003chostname_hash\u003e\\DevQueryBrokerService.dll . If the DLL file does not exist, it will be dropped to disk\r\nright after.\r\nDevQueryBrokerService.dll has a similar code structure to HealthServiceRuntime.dll , which is seen in the earlier\r\nstages of the execution chain. It is responsible for decrypting DevQueryBroker.log and running it. 
The ServiceDll will\r\nbe loaded and executed by svchost.exe when the service starts.\r\nsvchost.exe’s malicious ServiceDLL parameter\r\nAdditionally, it modifies the SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\netsvcs key to include an entry\r\nfor DevQueryBrokerServiceSvc , integrating the newly created service into the netsvcs service host group.\r\nModifies the netsvc registry key to add DevQueryBrokerServiceSvc\r\nSADBRIDGE then deletes the scheduled task and service created previously by removing the registry subkeys\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DevQueryBrokerService and\r\nSYSTEM\\CurrentControlSet\\Services\\DevQueryBrokerService .\r\nFinally, it removes the files DevQueryBroker.exe and HealthServiceRuntime.dll in the\r\nC:\\ProgramData\\Microsoft\\DeviceSync\\Device\\Stage\\Data\\DevQueryBroker folder, as the new persistence mechanism is\r\nin place.\r\nGOSAR Injection\r\nIn the latter half of the code, SADBRIDGE enumerates all active sessions on the local machine using the\r\nWTSEnumerateSessionsA API.\r\nIf sessions are found, it iterates through each session:\r\nFor each session, it attempts to retrieve the username ( WTSUserName ) using WTSQuerySessionInformationA . 
If the\r\nquery fails, it moves to the next session.\r\nIf WTSUserName is not empty, the code targets svchost.exe , passing its path, the session ID, and the content of the\r\nloader configuration to a subroutine that injects the final stage.\r\nIf WTSUserName is empty but the session's WinStationName is \"Services\" (indicating a service session), it targets\r\ndllhost.exe instead, passing the same parameters to the final stage injection subroutine.\r\nIf no sessions are found, it enters an infinite loop to repeatedly enumerate sessions and invoke the subroutine for injecting\r\nthe final stage, while performing checks to avoid redundant injections.\r\nLogged-in sessions target svchost.exe , while service sessions or sessions without a logged-in user target dllhost.exe .\r\nEnumeration of active sessions\r\nIf a session ID is available, the code attempts to duplicate the user token for that session and elevate the duplicated token's\r\nintegrity level to S-1-16-12288 (System integrity). 
It then uses the elevated token to create a child process ( svchost.exe\r\nor dllhost.exe ) via CreateProcessAsUserA .\r\nDuplication of user token and elevating token privileges\r\nIf token manipulation fails or no session ID is available (system processes can have a session ID of 0), it falls back to\r\ncreating a process without a token using CreateProcessA .\r\nThe encrypted shellcode C:\\ProgramData\\Microsoft\\DeviceSync\\Device\\Stage\\Data\\DevQueryBroker\\temp.ini is\r\ndecrypted using the same XOR and LZNT1 decompression technique seen previously to decrypt .log files, and APC\r\ninjection is used to queue the shellcode for execution in the newly created process’s thread.\r\nAPC injection to run GOSAR\r\nFinally, the injected shellcode decrypts DevQueryBrokerCore.log to GOSAR and runs it in the newly created process’s\r\nmemory.\r\nGOSAR injected into dllhost.exe and svchost.exe\r\nGOSAR Introduction\r\nGOSAR is a multi-functional remote access trojan found targeting Windows and Linux systems. This backdoor includes\r\ncapabilities such as retrieving system information, taking screenshots, executing commands, keylogging, and much more.\r\nThe GOSAR backdoor retains much of QUASAR's core functionality and behavior, while incorporating several\r\nmodifications that differentiate it from the original version.\r\nRewriting malware in modern languages like Go can offer reduced detection rates, as many antivirus solutions and\r\nmalware classifiers struggle to identify malicious strings/characteristics under these new programming constructs. 
Below is\r\na good example of an unpacked GOSAR receiving only 5 detections upon upload.\r\nLow detection rate on GOSAR VT upload\r\nNotably, this variant supports multiple platforms, including ELF binaries for Linux systems and traditional PE files for\r\nWindows. This cross-platform capability aligns with the adaptability of Go, making it more versatile than the original .NET-based QUASAR. Within the following section, we will focus on highlighting GOSAR’s code structure, new features and\r\nadditions compared to the open-source version (QUASAR).\r\nGOSAR Code Analysis Overview\r\nCode structure of GOSAR\r\nAs the binary retained all its symbols, we were able to reconstruct the source code structure, which was extracted from a\r\nsample of version 0.12.01.\r\nGOSAR code structure\r\nvibrant/config: Contains the configuration files for the malware.\r\nvibrant/proto: Houses all the Google Protocol Buffers (proto) declarations.\r\nvibrant/network: Includes functions related to networking, such as the main connection loop, proxy handling, and\r\nthe threads that configure the firewall and set up a listener.\r\nvibrant/msgs/resolvers: Defines the commands handled by the malware. These commands are assigned to an object\r\nwithin the vibrant_msgs_init* functions.\r\nvibrant/msgs/services: Introduces new functionality, such as the keylogger and clipboard logger services;\r\nthese services are started in the vibrant_network._ptr_Connection.Start function.\r\nvibrant/logs: Responsible for logging the malware’s execution. The logs are encrypted with an AES key stored in the\r\nconfiguration. 
The malware decrypts the logs in chunks using AES.\r\nvibrant/pkg/helpers: Contains helper functions used across various malware commands and services.\r\nvibrant/pkg/screenshot: Handles the screenshot capture functionality on the infected system.\r\nvibrant/pkg/utils: Includes utility functions, such as generating random values.\r\nvibrant/pkg/native: Provides functions for calling Windows API (WINAPI) functions.\r\nNew Additions to GOSAR\r\nCommunication and information gathering\r\nThis new variant continues to use the same communication method as the original, based on TLS over TCP. Upon connection, it\r\nfirst sends system information to the C2, with 4 new fields added:\r\nIPAddress\r\nAntiVirus\r\nClipboardSettings\r\nWallets\r\nThe lists of antivirus products and digital wallets are initialized in the function vibrant_pkg_helpers_init and can be found at the\r\nbottom of this document.\r\nServices\r\nThe malware handles 3 services that are started during the initial connection of the client to the C2:\r\nvibrant_services_KeyLogger\r\nvibrant_services_ClipboardLogger\r\nvibrant_services_TickWriteFile\r\nGOSAR services\r\nKeyLogger\r\nThe keylogging functionality in GOSAR is implemented in the vibrant_services_KeyLogger function. This feature relies\r\non Windows APIs to intercept and record keystrokes on the infected system by setting a global Windows hook with\r\nSetWindowsHookEx with the parameter WH_KEYBOARD_LL to monitor low-level keyboard events. The hook function is\r\nnamed vibrant_services_KeyLogger_func1 .\r\nGOSAR setting the keylogger\r\nClipboardLogger\r\nThe clipboard logging functionality is straightforward and relies on Windows APIs. 
It first checks for the availability of\r\nclipboard data using IsClipboardFormatAvailable , then retrieves it using the GetClipboardData API.\r\nGOSAR clipboard logging\r\nTickWriteFile\r\nBoth the ClipboardLogger and KeyLogger services collect data that TickWriteFile periodically writes to the\r\ndirectory ( C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\diagnostics ) in a file named after the current date,\r\nfor example 2024-11-27 .\r\nThe file can be decrypted by first subtracting 0x1f from each byte and then XORing it with 0x18 , as shown in the CyberChef\r\nrecipe.\r\nCyberChef recipe used to decrypt keylogger logs\r\nNetworking setup\r\nAfter initializing its services, the malware spawns three threads dedicated to its networking setup.\r\nvibrant_network_ConfigFirewallRule\r\nvibrant_network_ConfigHosts\r\nvibrant_network_ConfigAutoListener\r\nThreads handling networking setup\r\nConfigFirewallRule\r\nThe malware creates an inbound firewall rule for the port range 51756-51776 under a Chinese name that translates to\r\nDistributed Transaction Coordinator (LAN). The rule allows all programs and IP addresses inbound, and its description is set to:\r\nInbound rules for the core transaction manager of the Distributed Transaction Coordinator service are managed\r\nremotely through RPC/TCP.\r\nAdded firewall rule\r\nConfigHosts\r\nThis function adds the following entry to c:\\Windows\\System32\\Drivers\\etc\\hosts : 127.0.0.1 micrornetworks.com .\r\nThe reason for adding this entry is unclear, but it is likely due to missing functionalities or incomplete features in the\r\nmalware's current development stage.\r\nConfigAutoListener\r\nThis functionality of the malware runs an HTTP server listener on the first available port within the range 51756-51776 ,\r\nwhich was previously allowed by a firewall rule. 
Interestingly, the server does not handle any commands, which proves that\r\nthe malware is still under development. The current version we have only processes a GET request to the URI\r\n/security.js , responding with the string callback(); ; any other request returns a 404 error code. This minimal\r\nresponse could indicate that the server is a placeholder or part of an early development stage, with the potential for more\r\ncomplex functionalities to be added later.\r\nCallback handled by GOSAR\r\nLogs\r\nThe malware saves its runtime logs in the directory %APPDATA%\\Roaming\\Microsoft\\Logs under a filename formatted as\r\nwindows-update-log-\u003cYearMonthDay\u003e.log .\r\nEach log entry is encrypted with an HMAC-AES algorithm; the key is hardcoded in the vibrant_config function. The\r\nfollowing is an example:\r\nLogs example generated by GOSAR\r\nThe attacker can remotely retrieve the malware's runtime logs by issuing the command ResolveGetRunLogs .\r\nPlugins\r\nThe malware has the capability to execute plugins, which are PE files downloaded from the C2 and stored on disk encrypted\r\nwith an XOR algorithm. These plugins are saved at the path C:\\ProgramData\\policy-err.log . To execute a plugin, the\r\ncommand ResolveDoExecutePlugin is called; it first checks if a plugin is available.\r\nGOSAR checking for existence of a plugin to execute\r\nIt then reflectively loads a native DLL named plugins.dll , which is stored in base64 format in the binary, and executes its\r\nexport function ExecPlugin .\r\nGOSAR loading plugins.dll and calling ExecPlugin\r\nExecPlugin creates a suspended process of C:\\Windows\\System32\\msiexec.exe with the arguments /package /quiet .\r\nIt then queues Asynchronous Procedure Calls (APC) to the process's main thread. 
When the thread is resumed, the queued\r\nshellcode is executed.\r\nGOSAR plugin module injecting a PE in msiexec.exe\r\nThe shellcode reads the encrypted plugin stored at C:\\ProgramData\\policy-err.log , decrypts it using a hardcoded 1-byte\r\nXOR key, and reflectively loads and executes it.\r\nHVNC\r\nThe malware supports hidden VNC (HVNC) through the existing socket and exposes 5 commands:\r\nResolveHVNCCommand\r\nResolveGetHVNCScreen\r\nResolveStopHVNC\r\nResolveDoHVNCKeyboardEvent\r\nResolveDoHVNCMouseEvent\r\nThe first command executed is ResolveGetHVNCScreen , which initialises the HVNC and sets up a view. It uses an\r\nembedded native DLL, HiddenDesktop.dll , stored in base64 format; the DLL is reflectively loaded into memory and executed.\r\nThe DLL is responsible for calling low-level APIs to set up the HVNC, with a total of 7 exported functions:\r\nExcuteCommand\r\nDoMouseScroll\r\nDoMouseRightClick\r\nDoMouseMove\r\nDoMouseLeftClick\r\nDoKeyPress\r\nCaptureScreen\r\nThe first export function called is Initialise , which creates a desktop with the CreateDesktopA API. This HVNC\r\nimplementation handles 17 commands in total, found in the ExcuteCommand export (the typo is in the original export\r\nname); the command ID is forwarded from the malware’s ResolveHVNCCommand command, which calls\r\nExcuteCommand .\r\nCommand ID / Description\r\n0x401 The function first disables taskbar button grouping by setting the TaskbarGlomLevel registry key to 2\r\nunder Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced . 
Next, it ensures the taskbar is\r\nalways visible and on top by using SHAppBarMessage with the ABM_SETSTATE command, setting the\r\nstate to ABS_ALWAYSONTOP .\r\n0x402 Spawns a RUN dialog box by executing the 61st export function of\r\nshell32.dll : C:\\Windows\\system32\\rundll32.exe shell32.dll,#61\r\n0x403 Runs an instance of powershell.exe\r\n0x404 Executes a PE file stored in C:\\ProgramData\\shell.log\r\n0x405 Runs an instance of chrome.exe\r\n0x406 Runs an instance of msedge.exe\r\n0x407 Runs an instance of firefox.exe\r\n0x408 Runs an instance of iexplore.exe\r\n0x409 Runs an instance of 360se.exe\r\n0x40A Runs an instance of 360ChromeX.exe\r\n0x40B Runs an instance of SogouExplorer.exe\r\n0x40C Closes the current window\r\n0x40D Minimizes the specified window\r\n0x40E Activates the window and displays it as a maximized window\r\n0x40F Kills the process of a window\r\n0x410 Sets the clipboard\r\n0x411 Clears the clipboard\r\nScreenshot\r\nThe malware reflectively loads the third and last PE DLL embedded in base64 format, named Capture.dll , which has 5 export\r\nfunctions:\r\nCaptureFirstScreen\r\nCaptureNextScreen\r\nGetBitmapInfo\r\nGetBitmapInfoSize\r\nSetQuality\r\nThe library is first initialized by calling resolvers_ResolveGetBitmapInfo , which reflectively loads it and executes its\r\nDllEntryPoint ; this sets up the screen capture structures using common Windows APIs like CreateCompatibleDC ,\r\nCreateCompatibleBitmap and CreateDIBSection . 
The 2 export functions CaptureFirstScreen and CaptureNextScreen\r\nare used to capture a screenshot of the victim's desktop as a JPEG image.\r\nObservation\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 21 of 27\n\nInterestingly, the original .NET QUASAR server can still be used to receive beaconing from GOSAR samples, as they have\r\nretained the same communication protocol. However, operational use of it would require significant modifications to support\r\nGOSAR functionalities.\r\nIt is unclear whether the authors updated or extended the open source .NET QUASAR server, or developed a completely\r\nnew one. It is worth mentioning that they have retained the default listening port, 1080, consistent with the original\r\nimplementation.\r\nNew functionality\r\nThe following table provides a description of all the newly added commands:\r\nNew commands\r\nResolveDoRoboCopy Executes RoboCopy command to copy files\r\nResolveDoCompressFiles Compress files in a zip format\r\nResolveDoExtractFile Extract a zip file\r\nResolveDoCopyFiles Copies a directory or file in the infected machine\r\nResolveGetRunLogs Get available logs\r\nResolveHVNCCommand Execute a HVNC command\r\nResolveGetHVNCScreen Initiate HVNC\r\nResolveStopHVNC Stop the HVNC session\r\nResolveDoHVNCKeyboardEvent Send keyboard event to the HVNC\r\nResolveDoHVNCMouseEvent Send mouse event to the HVNC\r\nResolveDoExecutePlugin Execute a plugin\r\nResolveGetProcesses Get a list of running processes\r\nResolveDoProcessStart Start a process\r\nResolveDoProcessEnd Kill a process\r\nResolveGetBitmapInfo Retrieve the BITMAPINFO structure for the current screen's display settings\r\nResolveGetMonitors Enumerate victim’s display monitors with EnumDisplayMonitors API\r\nResolveGetDesktop Start screen capture functionality\r\nResolveStopGetDesktop Stop the screen capture functionality\r\nResolveNewShellExecute Opens pipes to a spawned cmd.exe process and send commands to 
it\r\nResolveGetSchTasks Get scheduled tasks by running the command schtasks /query /fo list /v\r\nResolveGetScreenshot Capture a screenshot of the victim’s desktop\r\nResolveGetServices Get the list of services with a WMI query: select * from Win32_Service\r\nResolveDoServiceOperation Start or stop a service\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 22 of 27\n\nNew commands\r\nResolveDoDisableMultiLogon\r\nDisable multiple session by user by setting the value fSingleSessionPerUser\r\nto 1 under the key\r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\TerminalServer\r\nResolveDoRestoreNLA\r\nRestores the security settings for Remote Desktop Protocol (RDP), enabling\r\nNetwork Level Authentication (NLA) and enforcing SSL/TLS encryption for\r\nsecure communication.\r\nResolveGetRemoteClientInformation\r\nGet a list of all local users that are enabled, the RDP port and LAN IP and OS\r\nspecific information: DisplayVersion, SystemRoot and\r\nCurrentBuildNumber extracted from the registry key\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nResolveDoInstallWrapper Setup a Hidden Remote Desktop Protocol (HRDP)\r\nResolveDoUninstallWrapper Uninstall HRDP\r\nResolveDoRecoverPrivileges\r\nRestores the original HKEY_LOCAL_MACHINE\\\\SAM\\\\SAM registry before changes\r\nwere made during the installation of the HRDP\r\nResolveGetRemoteSessions Retrieve information about the RDP sessions on the machine.\r\nResolveDoLogoffSession Logoff RDP session with ** WTSLogoffSession ** API\r\nResolveGetSystemInfo Get system information\r\nResolveGetConnections Get all the connections in the machine\r\nResolveDoCloseConnection Not implemented\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that threats use\r\nagainst enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nCollection\r\nCommand and Control\r\nDefense Evasion\r\nDiscovery\r\nExecution\r\nExfiltration\r\nPersistence\r\nPrivilege Escalation\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nHijack Execution Flow: DLL Side-Loading\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 23 of 27\n\nInput Capture: Keylogging\r\nProcess Injection: Asynchronous Procedure Call\r\nProcess Discovery\r\nHide Artifacts: Hidden Window\r\nCreate or Modify System Process: Windows Service\r\nNon-Standard Port\r\nAbuse Elevation Control Mechanism: Bypass User Account Control\r\nObfuscated Files or Information\r\nImpair Defenses: Disable or Modify Tools\r\nVirtualization/Sandbox Evasion: Time Based Evasion\r\nMitigating REF3864\r\nDetection\r\nPotential Antimalware Scan Interface Bypass via PowerShell\r\nUnusual Print Spooler Child Process\r\nExecution from Unusual Directory - Command Line\r\nExternal IP Lookup from Non-Browser Process\r\nUnusual Parent-Child Relationship\r\nUnusual Network Connection via DllHost\r\nUnusual Persistence via Services Registry\r\nParent Process PID Spoofing\r\nPrevention\r\nNetwork Connection via Process with Unusual Arguments\r\nPotential Masquerading as SVCHOST\r\nNetwork Module Loaded from Suspicious Unbacked Memory\r\nUAC Bypass via ICMLuaUtil Elevated COM Interface\r\nPotential Image Load with a Spoofed Creation Time\r\nYARA\r\nElastic Security has created YARA rules to identify this activity.\r\nMulti.Trojan.Gosar\r\nWindows.Trojan.SadBridge\r\nObservations\r\nThe following observables were discussed in this research:\r\nObservable Type Name Reference\r\nopera-x[.]net\r\ndomain-name\r\nLanding pa\r\nteledown-cn[.]com\r\ndomain-name\r\nLanding pa\r\n15af8c34e25268b79022d3434aa4b823ad9d34f3efc6a8124ecf0276700ecc39\r\nSHA-256\r\nNetFxRepairTools.msi 
MSI\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 24 of 27\n\nObservable Type Name Reference\r\naccd651f58dd3f7eaaa06df051e4c09d2edac67bb046a2dcb262aa6db4291de7\r\nSHA-256\r\nx64bridge.dll SADBRID\r\n7964a9f1732911e9e9b9e05cd7e997b0e4e2e14709490a1b657673011bc54210\r\nSHA-256\r\nGOSAR\r\nferp.googledns[.]io\r\ndomain-nameGOSAR C\r\nServer\r\nhk-dns.secssl[.]com\r\ndomain-nameGOSAR C\r\nServer\r\nhk-dns.winsiked[.]com\r\ndomain-nameGOSAR C\r\nServer\r\nhk-dns.wkossclsaleklddeff[.]is\r\ndomain-nameGOSAR C\r\nServer\r\nhk-dns.wkossclsaleklddeff[.]io\r\ndomain-nameGOSAR C\r\nServer\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://zcgonvh.com/post/Advanced_Windows_Task_Scheduler_Playbook-Part.2_from_COM_to_UAC_bypass_and_get_SYSTEM_dirtectly.html\r\nhttps://www.sonicwall.com/blog/project-androm-backdoor-trojan\r\nhttps://www.safebreach.com/blog/process-injection-using-windows-thread-pools/\r\nhttps://gist.github.com/api0cradle/d4aaef39db0d845627d819b2b6b30512\r\nAppendix\r\nHashing algorithm (SADBRIDGE)\r\ndef ror(x, n, max_bits=32) -\u003e int:\r\n \"\"\"Rotate right within a max bit limit, default 32-bit.\"\"\"\r\n n %= max_bits\r\n return ((x \u003e\u003e n) | (x \u003c\u003c (max_bits - n))) \u0026 (2**max_bits - 1)\r\ndef ror_13(data) -\u003e int:\r\n data = data.encode('ascii')\r\n hash_value = 0\r\n for byte in data:\r\n hash_value = ror(hash_value, 13)\r\n if byte \u003e= 0x61:\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 25 of 27\n\nbyte -= 32 # Convert to uppercase\r\n hash_value = (hash_value + byte) \u0026 0xFFFFFFFF\r\n return hash_value\r\ndef generate_hash(data, dll) -\u003e int:\r\n dll_hash = ror_13(dll)\r\n result = (dll_hash + ror_13(data)) \u0026 0xFFFFFFFF\r\n return hex(result)\r\nAV products checked in GOSAR\r\n360sd.exe kswebshield.exe\r\n360tray.exe kvmonxp.exe\r\na2guard.exe kxetray.exe\r\nad-watch.exe mcshield.exe\r\narcatasksservice.exe 
mcshield.exe\r\nashdisp.exe miner.exe\r\navcenter.exe mongoosagui.exe\r\navg.exe mpmon.exe\r\navgaurd.exe msmpeng.exe\r\navgwdsvc.exe mssecess.exe\r\navk.exe nspupsvc.exe\r\navp.exe ntrtscan.exe\r\navp.exe patray.exe\r\navwatchservice.exe pccntmon.exe\r\nayagent.aye psafesystray.exe\r\nbaidusdsvc.exe qqpcrtp.exe\r\nbkavservice.exe quhlpsvc.EXE\r\nccapp.exe ravmond.exe\r\nccSetMgr.exe remupd.exe\r\nccsvchst.exe rfwmain.exe\r\ncksoftshiedantivirus4.exe rtvscan.exe\r\ncleaner8.exe safedog.exe\r\ncmctrayicon.exe savprogress.exe\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 26 of 27\n\n360sd.exe kswebshield.exe\r\ncoranticontrolcenter32.exe sbamsvc.exe\r\ncpf.exe spidernt.exe\r\negui.exe spywareterminatorshield.exe\r\nf-prot.EXE tmbmsrv.exe\r\nf-prot.exe unthreat.exe\r\nf-secure.exe usysdiag.exe\r\nfortitray.exe v3svc.exe\r\nhipstray.exe vba32lder.exe\r\niptray.exe vsmon.exe\r\nk7tsecurity.exe vsserv.exe\r\nknsdtray.exe wsctrl.exe\r\nkpfwtray.exe yunsuo_agent_daemon.exe\r\nksafe.exe yunsuo_agent_service.exe\r\nSource: https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nhttps://www.elastic.co/security-labs/under-the-sadbridge-with-gosar\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar"
	],
	"report_names": [
		"under-the-sadbridge-with-gosar"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c53b40b2be55764a1879bb8432855032fbf09fe.pdf",
		"text": "https://archive.orkl.eu/9c53b40b2be55764a1879bb8432855032fbf09fe.txt",
		"img": "https://archive.orkl.eu/9c53b40b2be55764a1879bb8432855032fbf09fe.jpg"
	}
}