New Go-based GobRAT malware targets Linux routers

New Go-based GobRAT malware targets Linux routers

Japan’s Computer Security Incident Response Team (JPCERT/CC) has published a technical analysis of a new Golang-based remote access trojan called ‘GobRAT’ observed in a series of attacks against Linux routers in Japan in February 2023.

Threat actors are targeting Linux routers with publicly exposed WEBUI to execute malicious scripts to deploy the GobRAT malware. Upon gaining initial access to the target router, the attacker downloaded a loader called ‘Loader Script,’ which supports multiple functions, including the ability to disable the device’s firewall, download GobRAT for the target machine's architecture, create Start Script for persistence, and create and run Daemon Script. The script also contains a hard-coded SSH public key likely used as a backdoor.

The GobRAT malware communicates with command and control server via TLS and can execute various commands. The RAT is packed with UPX version 4 series and supports multiple architectures, including ARM, MIPS, x86, and x86-64.

According to JPCERT/CC, the malware can execute 22 commands, including:

  • Obtain machine Information

  • Execute reverse shell

  • Read/write files

  • Configure new C2 and protocol

  • Start socks5

  • Execute file in /zone/frpc

  • Attempt to login to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine.

Additional technical details on this RAT can be found here.


Back to the list

Latest Posts

Previously unknown NightEagle APT targets China's high-tech sector

Previously unknown NightEagle APT targets China's high-tech sector

The group is believed to use a suspected Microsoft Exchange zero-day exploit to gain covert access to target systems.
7 July 2025
Cyber Security Week in Review: July 4, 2025

Cyber Security Week in Review: July 4, 2025

In brief: Google patches Chrome 0Day, the US is on the hunt for North Korean IT workers, and more.
4 July 2025
AI chatbots fall for phishing scams

AI chatbots fall for phishing scams

The models provided the correct URL only 66% of the time; nearly 30% of responses pointed users to dead or suspended domains.
3 July 2025