{
	"id": "be177832-ec43-43b7-ba0d-803da3eaf754",
	"created_at": "2026-04-06T00:10:08.220842Z",
	"updated_at": "2026-04-10T13:11:54.834135Z",
	"deleted_at": null,
	"sha1_hash": "a44d6c6fee81740737513544ec14060c91443d72",
	"title": "An Analysis of Godlua Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 733606,
	"plain_text": "An Analysis of Godlua Backdoor\r\nBy Alex.Turing\r\nPublished: 2019-07-01 · Archived: 2026-04-05 16:23:26 UTC\r\nBackground\r\nOn April 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file which was marked by a few\r\nvendors as mining related trojan on VT. We cannot confirm it has mining related module, but we do see it starts to perform\r\nDDoS function recently.\r\nThe file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a\r\nmagic number of “God”.\r\nGodlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name,\r\nPastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At\r\nthe same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure\r\nsecure communication between the bots, the Web Server and the C2.\r\nWe noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that\r\nattackers has been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some\r\nwebsites.\r\nOverview\r\nAt present, we see that there are two versions of Godlua. Version 201811051556 is obtained by traversing Godlua download\r\nservers and there has been no update on it. Version 20190415103713 ~ 2019062117473 is active and is actively being\r\nupdated. They are all written in C, but the active one supports more computer platforms and more features. The following is\r\na comparison.\r\nGodlua Backdoor Reverse Analysis\r\nversion 201811051556\r\nThis is the version we found earlier (201811051556). 
It focuses on the Linux platform and supports two kinds of C2\r\ninstructions: executing Linux system commands and running custom files.\r\nSample information\r\nMD5: 870319967dba4bd02c7a7f8be8ece94f\r\nELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.32, dynamically linked (uses\r\nshared libs), for GNU/Linux 2.6.32, stripped\r\nC2 redundant mechanism\r\nhttps://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/\r\nPage 1 of 11\n\nThis version performs C2 communications in two ways: a hardcoded domain name and a Github link.\r\nIts hardcoded C2 domain is: d.heheda.tk\r\nIt also has a Github page, and the real C2 address is in the project description.\r\nC2 instruction\r\ncmd_call, execute Linux system commands\r\ncmd_shell, execute custom file\r\nC2 protocol analysis\r\nPacket format\r\n| Length | Type | Data |\r\n| ---------------------- | ------ | ------------------ |\r\n| Little endian, 2 bytes | 1 byte | (Length - 3) bytes |\r\nEncryption Algorithm\r\nThe XOR key is 16 randomly generated bytes; the algorithm is as follows:\r\nPacket Overview\r\ncmd_handshake\r\npacket[0:31]:\r\n24 00 02 ec 86 a3 23 fb d0 d1 e9 e8 5f 23 6f 6d\r\n70 b5 95 24 44 e0 fc 2e 00 00 00 6c 69 6e 75 78\r\n2d 78 38 36\r\nLength: packet[0:1] ---\u003e0x0024\r\nType: packet[2] ---\u003e0x02,handshake\r\nData: packet[3:31]\r\n Data\r\n Data[0:15] ----\u003exor key\r\n Data[16:23] ----\u003eversion,hardcoded,little endian.\r\n Data[24:31] ----\u003earch,hardcoded.\r\ncmd_heartbeat\r\npacket[0:10]:\r\n0b 00 03 87 19 45 cb 91 d1 d1 a9\r\nLength: packet[0:1] ---\u003e0x000b\r\nType: packet[2] ---\u003e0x03,heartbeat\r\nData: packet[3:10] ---\u003exored clock64()\r\nversion 20190415103713 ~ 20190621174731\r\nThis active version runs on both Windows and Linux.\r\nThe control module is implemented in Lua and five C2 commands are supported.\r\nSample information\r\nversion 
20190415103713\r\nMD5: c9b712f6c347edde22836fb43b927633\r\nELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped\r\nversion 20190621174731\r\nMD5: 75902cf93397d2e2d1797cd115f8347a\r\nELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped\r\nC2 redundant mechanism\r\nStage-1 URL\r\nThe backdoor uses 3 different ways to store the Stage-1 URL: hardcoded ciphertext, Github project description, and Pastebin\r\ntext.\r\nAfter the Stage-1 URL is retrieved and decrypted, a start.png file will be downloaded, which is actually Lua bytecode.\r\nThe Bot then loads it into memory and executes it to get the Stage-2 URL.\r\nEncryption Algorithm\r\nAES, CBC Mode\r\nkey: 13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A\r\niv: 2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C\r\nHard coded ciphertext\r\nversion 20190415103713\r\nAES ciphertext: 03 13 84 29 CC 8B A5 CA AB 05 9E 2F CB AF 5E E6 02 5A 5F 17 74 34 64 EA 5B F1 38 5B 8D\r\nB9 A5 3E\r\nStage-1 URL plaintext: https://d.heheda.tk/%s.png\r\nversion 20190621174731\r\nAES ciphertext: F1 40 DB B4 E1 29 D9 DC 8D 78 45 B9 37 2F 83 47 F1 32 3A 11 01 41 07 CD DB A3 7B 1F 44\r\nA7 DE 6C 2C 81 0E 10 E9 D8 E1 03 38 68 FC 51 81 62 11 DD\r\nStage-1 URL plaintext: https://img0.cloudappconfig.com/%s.png\r\nGithub project description\r\nAES ciphertext: EC 76 44 29 59 3D F7 EE B3 01 90 A9 9C 47 C8 96 53 DE 86 CB DF 36 68 41 60 5C FA F5 64\r\n60 5A E4 AE 95 C3 F5 A6 04 47 CB 26 47 A2 23 80 C6 5F 92\r\nGithub URL plaintext: https://api.github.com/repos/helegedada/heihei\r\nDecryption Process:\r\nProject description ciphertext: oTre1RVbmjqRn2kRrv4SF/l2WfMRn2gEHpqJz77btaDPlO0R9CdQtMM82uAes+Fb\r\nStage-1 URL plaintext: https://img1.cloudappconfig.com/%s.png\r\nPastebin text\r\nAES ciphertext: 19 31 21 32 BF E8 29 A8 92 F7 7C 0B DF DC 
06 8E 8E 49 F0 50 9A 45 6C 53 77 69 2F 68 48\r\nDC 7F 28 16 EB 86 B3 50 20 D3 01 9D 23 6C A1 33 62 EC 15\r\nPastebin URL plaintext: https://pastebin.com/raw/vSDzq3Md\r\nDecryption Process:\r\nPastebin Ciphertext: G/tbLY0TsMUnC+iO9aYm9yS2eayKlKLQyFPOaNxSCnZpBw4RLGnJOPcZXHaf/aoj\r\nStage-1 URL plaintext: https://img2.cloudappconfig.com/%s.png\r\nStage-2 URL\r\nAt stage 2, two mechanisms are used to store the Stage-2 URL: a Github project file and DNS over HTTPS.\r\nAfter the Stage-2 URL is retrieved and decrypted, a run.png file, also Lua bytecode, will be downloaded.\r\nThe Bot loads this file into memory and runs it to get the Stage-3 C2.\r\nEncryption Algorithm\r\nAES, CBC Mode\r\nkey: 22 85 16 13 57 2d 17 90 2f 00 49 18 5f 17 2b 0a\r\niv: 0d 43 36 41 86 41 21 d2 41 4e 62 00 41 19 4a 5c\r\nGithub project file\r\nThe Github URL is stored in the Lua byte-code file (start.png) in plaintext. We get the following information by\r\ndisassembling it:\r\nGithub project file ciphertext:\r\nkI7xf+Q/fXC0UT6hCUNimtcH45gPgG9i+YbNnuDyHyh2HJqzBFQStPvHGCZH8Yoz9w02njr41wdl5VNlPCq18qTZUVco5WrA1EI\r\nStage-2 URL plaintext: {\"u\":\"https:\\/\\/dd.heheda.tk\\/%s.png\",\"c\":\"dd.heheda.tk::198.204.231.250:\"}\r\nDNS TXT\r\nStage-3 C2\r\nStage-3 C2 is hardcoded in the Lua byte-code file (run.png). 
We disassembled it to get the following information.\r\nversion 20190415103713\r\nversion 20190621174731\r\nDNS Over HTTPS Request\r\nC2 instruction\r\n| CMD | Type |\r\n| --------- | ---- |\r\n| HANDSHAKE | 1 |\r\n| HEARTBEAT | 2 |\r\n| LUA | 3 |\r\n| SHELL | 4 |\r\n| UPGRADE | 5 |\r\n| QUIT | 6 |\r\n| SHELL2 | 7 |\r\n| PROXY | 8 |\r\nC2 protocol analysis\r\nPacket format\r\n| Type | Length | Data |\r\n| ------ | ------------------- | ------------ |\r\n| 1 byte | Big endian, 2 bytes | Length bytes |\r\nPacket overview\r\nHANDSHAKE\r\nType: packet[0] ---\u003e0x01,HANDSHAKE\r\nLENGTH: packet[1:2] ---\u003e0x0010\r\nData: packet[3:end]\r\n data[0:7] ---\u003eSession\r\n data[8:end] ---\u003eversion,0x00125cfecd8bcb-\u003e20190621174731\r\nHEARTBEAT\r\nSend:\r\nType: packet[0] ---\u003e0x02,HEARTBEAT\r\nLength: packet[1:2] ---\u003e0x4\r\nData: packet[3:end] ---\u003etime,0x5d13779b,1561556891\r\nReply:\r\nType: packet[0] ---\u003e0x02,HEARTBEAT\r\nLength: packet[1:2] ---\u003e0x4\r\nData: packet[3:end] ---\u003e1561556891\r\nLUA Payload\r\nType: packet[0] ---\u003e0x03,LUA\r\nLength: packet[1:2] ---\u003e0x00ab\r\nData: packet[3:end] ---\u003eLua script\r\nWe observed the attacker performing an HTTP Flood attack against www.liuxiaobei.com.\r\nLua script analysis\r\nThe Bot sample downloads many Lua scripts when executing, and the scripts can be broken down into three categories:\r\nexecute, auxiliary, and attack.\r\nexecute: start.png, run.png, quit.png, watch.png, upgrade.png, proxy.png\r\nauxiliary: packet.png, curl.png, util.png, utils.png\r\nattack: VM.png, CC.png\r\nEncryption Algorithm\r\nAES, CBC Mode\r\nkey: 13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A\r\niv: 2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C\r\nLua magic number\r\nThe decrypted files are all pre-compiled. Take upgrade.png as an example; note that the highlighted part is the file header.\r\nYou can see that the magic 
number has changed from “Lua” to “God”.\r\nThe malware author also seems to have set a trap for researchers here by manually changing the LuaVersion number in the sample\r\nto 5.1.4 ($LuaVersion: God 5.1.4 C$$LuaAuthors: R. $). We think the real version is definitely newer than 5.2.\r\nDecompile\r\nIn order to decompile the above script, we have to know what changes have been made to Lua. After some analysis, we\r\nconcluded that the modifications can be divided into two major sections: Lua Header and Lua Opcode.\r\nDecompiled by Luadec[1]\r\nSuggestions\r\nWe have yet to see the whole picture of how exactly the Godlua backdoor infects its targets. At this point we know at least\r\nsome Linux users were infected via the Confluence exploit (CVE-2019-3396); if our readers have more information, feel free\r\nto contact us.\r\nWe suggest at least monitoring and blocking the relevant IPs, URLs and domain names of Godlua Backdoor on your network.\r\nContact us\r\nReaders are always welcome to reach us on Twitter, WeChat 360Netlab or by email to netlab at 360 dot cn.\r\nIoC list\r\nSample 
MD5\r\n870319967dba4bd02c7a7f8be8ece94f\r\nc9b712f6c347edde22836fb43b927633\r\n75902cf93397d2e2d1797cd115f8347a\r\nURL\r\nhttps://helegedada.github.io/test/test\r\nhttps://api.github.com/repos/helegedada/heihei\r\nhttp://198.204.231.250/linux-x64\r\nhttp://198.204.231.250/linux-x86\r\nhttps://dd.heheda.tk/i.jpg\r\nhttps://dd.heheda.tk/i.sh\r\nhttps://dd.heheda.tk/x86_64-static-linux-uclibc.jpg\r\nhttps://dd.heheda.tk/i686-static-linux-uclibc.jpg\r\nhttps://dd.cloudappconfig.com/i.jpg\r\nhttps://dd.cloudappconfig.com/i.sh\r\nhttps://dd.cloudappconfig.com/x86_64-static-linux-uclibc.jpg\r\nhttps://dd.cloudappconfig.com/arm-static-linux-uclibcgnueabi.jpg\r\nhttps://dd.cloudappconfig.com/i686-static-linux-uclibc.jpg\r\nhttp://d.cloudappconfig.com/i686-w64-mingw32/Satan.exe\r\nhttp://d.cloudappconfig.com/x86_64-static-linux-uclibc/Satan\r\nhttp://d.cloudappconfig.com/i686-static-linux-uclibc/Satan\r\nhttp://d.cloudappconfig.com/arm-static-linux-uclibcgnueabi/Satan\r\nhttps://d.cloudappconfig.com/mipsel-static-linux-uclibc/Satan\r\nC2 Domain\r\nd.heheda.tk\r\ndd.heheda.tk\r\nc.heheda.tk\r\nd.cloudappconfig.com\r\ndd.cloudappconfig.com\r\nc.cloudappconfig.com\r\nf.cloudappconfig.com\r\nt.cloudappconfig.com\r\nv.cloudappconfig.com\r\nimg0.cloudappconfig.com\r\nimg1.cloudappconfig.com\r\nimg2.cloudappconfig.com\r\nIP\r\n198.204.231.250 United States ASN 33387 DataShack, LC\r\n104.238.151.101 Japan ASN 20473 Choopa, LLC\r\n43.224.225.220 Hong Kong ASN 22769 DDOSING NETWORK\r\nSource: https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/"
	],
	"report_names": [
		"an-analysis-of-godlua-backdoor-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a44d6c6fee81740737513544ec14060c91443d72.pdf",
		"text": "https://archive.orkl.eu/a44d6c6fee81740737513544ec14060c91443d72.txt",
		"img": "https://archive.orkl.eu/a44d6c6fee81740737513544ec14060c91443d72.jpg"
	}
}