{ "id": "7d8f333b-e3ca-43b3-a156-afc5b5aed5bd", "created_at": "2026-04-10T03:20:26.760139Z", "updated_at": "2026-04-10T03:22:17.161871Z", "deleted_at": null, "sha1_hash": "bf1451f1aa181c058ccd28eb5a1557cc1182890a", "title": "Doctor Web detected Linux Trojan written in Go", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 218713, "plain_text": "Doctor Web detected Linux Trojan written in Go\r\nPublished: 2016-08-08 · Archived: 2026-04-10 02:35:53 UTC\r\nBy continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies\r\nrelated to the collection of visitor statistics.\r\nLearn more\r\n08.08.2016\r\nReal-time threat news | Hot news | All the news | Virus alerts\r\nAugust 8, 2016\r\nDoctor Web analysts have detected and examined a new Linux Trojan which is able to run a\r\ncryptocurrency mining program on an infected computer. Its key feature lies in the fact that it is written in\r\nGo, a language developed by Google.\r\nA Trojan, named Linux.Lady.1, can execute a limited range of actions such as to determine an external IP address\r\nof the infected computer, to attack other computers, and to download and launch a cryptocurrency mining\r\nsoftware. Linux.Lady.1 is written in the Google developed programming language—Go. Although Doctor Web\r\nsecurity researchers have already encountered Trojans written in Go, such malware programs are not frequently\r\ndetected in the wild. The architecture of the Trojan consists of numerous libraries published on GitHub—the most\r\npopular collaborative application development service.\r\nOnce Linux.Lady.1 is launched, it sends the following information to the command and control server: the\r\ncurrent Linux version and the name of the operating system family it belongs to, a number of CPUs, names and a\r\nnumber of running processes, and so on. The Trojan receives a configuration file necessary for downloading and\r\nhttps://news.drweb.com/news/?i=10140\u0026lng=en\r\nPage 1 of 3\n\nlaunching of a cryptocurrency mining program in order to generate income which is then transferred to the\r\ncybercriminals’ e-wallet.\r\nLinux.Lady.1 can also determine an external IP address of the infected computer using special websites, specified\r\nin the configuration file, and attack other computers of the network. The Trojan tries to connect to the remote\r\nservers via a port used by the Redis (remote dictionary server) data structure store, without entering a password in\r\nexpectation that the system has not been configured correctly. If the connection is established, the malware adds a\r\ndownloader script, named Linux.DownLoader.196, to the cron scheduler. The script downloads a copy of\r\nLinux.Lady.1 and installs it on the compromised host. Then the Trojan adds a key for connection to the computer\r\nover SSH protocol to the list of authorized keys.\r\nDr.Web for Linux successfully detects and removes Linux.Lady.1 and Linux.DownLoader.196, therefore, these\r\nmalicious programs pose no threat to our users.\r\nMore about this Trojan\r\n10140 en 5\r\n0\r\nDoctor Web’s Q1 2026 review of virus activity on mobile devices\r\n01.04.2026\r\nVirus reviews\r\nRead\r\nDoctor Web’s Q1 2026 virus activity review\r\n01.04.2026\r\nVirus reviews\r\nRead\r\nhttps://news.drweb.com/news/?i=10140\u0026lng=en\r\nPage 2 of 3\n\nDr.Web for personal computers receives SKD AWARDS product excellence distinction\r\n24.03.2026\r\nCorporate news | Dr.Web products\r\nRead\r\nSource: https://news.drweb.com/news/?i=10140\u0026lng=en\r\nhttps://news.drweb.com/news/?i=10140\u0026lng=en\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://news.drweb.com/news/?i=10140\u0026lng=en" ], "report_names": [ "?i=10140\u0026lng=en" ], "threat_actors": [], "ts_created_at": 1775791226, "ts_updated_at": 1775791337, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bf1451f1aa181c058ccd28eb5a1557cc1182890a.pdf", "text": "https://archive.orkl.eu/bf1451f1aa181c058ccd28eb5a1557cc1182890a.txt", "img": "https://archive.orkl.eu/bf1451f1aa181c058ccd28eb5a1557cc1182890a.jpg" } }