Bulbature: Exploring the Depths of GobRAT

Sekoia TDR mapped a modular attack infrastructure that uses staging servers to deliver Bash scripts, GobRAT and Bulbature to compromised edge devices, turning them into Operational Relay Boxes (ORBs) used for proxying, vulnerability exploitation and DDoS. The ecosystem includes a proxies-provider UI and a GobRAT administration interface that give operators on-demand proxy tunnels, credential brute-forcing, exploit campaigns and coordinated DDoS tasks.

Keypoints

  • Investigation identified 63 staging/administration hosts (20 active at cut-off) hosting an open /static/ directory with Bash scripts, GobRAT and Bulbature binaries.
  • Infection chain: operator deploys staging servers → compromises edge device → runs zonesetup/zoneupdate scripts to download and execute GobRAT/Bulbature → device becomes an ORB communicating with C2/Dispenser.
  • Bash scripts perform installation, persistence (rc.local, crontab), firewall disabling, resource limit increases, process supervision and blocking of other attackers (sshdeny1.sh).
  • GobRAT (Go) offers RAT features, proxy/FRP/SOCKS5 support, credential brute‑forcing and multiple DDoS vector capabilities; Bulbature (C, UPX-packed) functions primarily as a relay/ORB and uses a Dispenser/C2 model over UDP/TCP.
  • Proxies-provider interface exposes APIs and a frontend that lets operators create on-demand tunnels (WireGuard/OpenVPN/L2TP/PPTP/SSTP/SOCKS/HTTPS) deployed on compromised nodes.
  • GobRAT admin interface supports task creation: “Weak password” brute force, “Exp” exploit campaigns (plugin system) and “DDoS” campaigns, plus user management suggesting multiple operators.

MITRE Techniques

  • [T1071] Application Layer Protocol – GobRAT talks to its staging/C2 servers over application-layer channels and exposes standard RAT functionality (‘GobRAT provides standard RAT functionalities and can relay specific attacks’); Bulbature likewise contacts Dispenser/C2 infrastructure for configuration and updates (‘GobRAT and Bulbature communicate with staging servers for commands and updates’).
  • [T1090] Proxy – compromised edge devices are turned into ORBs that relay operator traffic (SOCKS5, FRP, on-demand VPN tunnels), hiding the true source of brute-force, exploitation and DDoS activity.
  • [T1110] Brute Force – operator-created tasks and scripts perform credential guessing against SSH/Telnet/Redis/MySQL/PostgreSQL (‘Attempts to login on services like SSH, Telnet, Redis, MySQL or PostgreSQL’). This is password guessing against remote services, not credential dumping from the compromised host.
  • [T1190] Exploit Public-Facing Application – the platform launches automated exploit campaigns against web vulnerabilities on pre-selected external targets using plugin templates (‘creates a campaign designed to exploit a web vulnerability against pre-selected targets’).
  • [T1498] Network Denial of Service / [T1499] Endpoint Denial of Service – GobRAT supports volumetric SYN/TCP/UDP/ICMP floods (T1498) and HTTP request floods (T1499), and the admin UI schedules the campaigns (‘Performs DDoS attacks using SYN, TCP, UDP, HTTP, ICMP’).

Indicators of Compromise

  • [IPv4] Staging & admin hosts – examples: 38.54.56.5 (staging host, AS138915), 38.54.85.21 (GobRAT admin UI, AS138915); and many other staging/C2 IPs listed in the report.
  • [Domains] Bulbature Dispensers – examples: eyh.ocry[.]com:443 (Dispenser), nbt201.dynamic-dns[.]net:8080 (Dispenser).
  • [File names] Malware and tools on /static/ – examples: bulbature (Bulbature binary), zone.x86_64 (GobRAT x86_64 binary).
  • [SHA256 hashes] Sample binaries – examples: bulbature SHA256 41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98, zone.x86_64 SHA256 91eaa94223c12ddc89eca5220a8c57f0254f587f73c9edc161fc161a56e2c2f0; and other hashes listed (≈10+).
  • [Certificate fingerprint MD5] Self-signed certs used to identify hosts – examples: af4ad0bd9221ffc63ae5acff4034834a, e4b7b3a2610ad706a83667a5bac7cd31 (proxies provider servers).

Operators prepare staging servers that expose an open /static/ directory serving dozens to hundreds of files: installation and management Bash scripts, multi-architecture GobRAT binaries (zone.[ARCH]), Bulbature binaries and FRP client (frpc) executables. On a compromised device the infection runs in this order: zonesetup.sh fetches zoneController.sh and executes it; zoneController.sh and zoneupdate.sh install wget, raise system resource limits, disable and flush firewall rules, create /zone, fetch the GobRAT binary matching the device architecture together with Bulbature, and mark them executable. The scripts then establish persistence (rc.local and crontab entries), keep the implants alive through a supervisor loop (hold_by_bot.sh re-checks and restarts the processes every few seconds), and lock out competing brute-force actors by running sshdeny1.sh. For a defender, the durable artefacts are therefore the /zone directory, the rc.local and cron lines that launch from it, and the absence of the device's normal firewall rules.

Once running, GobRAT (written in Go) opens TCP connections to its staging/C2 servers and implements more than 22 commands: fetching C2 configuration, reverse shells, executing shell commands, reading and writing files, host fingerprinting, capturing system state, opening TCP/UDP channels, running a SOCKS5 proxy or an FRP client, credential guessing against SSH/Telnet/Redis/MySQL/PostgreSQL, issuing HTTP requests or dictionary attacks, and launching DDoS floods over SYN/TCP/UDP/HTTP/ICMP. Bulbature (C, UPX-packed and heavily obfuscated) exists mainly to turn the device into an ORB. Started without arguments, it contacts a Dispenser to obtain a list of Bulbature C2s as [IP:PORT] pairs, connects to one or more of them and exchanges data, typically over UDP from a random source port; started with an argument, it additionally binds a TCP listener on 127.0.0.1:8001. Either way the device ends up relaying attacker traffic, which is what makes the fleet usable as a proxy pool.
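The two paragraphs above describe what the scripts leave on disk and what the implants do on the network. The following triage routine is an added example (it is not code from the Sekoia report, from the staging scripts or from the malware) that checks an offline host snapshot for exactly those traces: rc.local/cron lines launching from /zone, payloads dropped into /zone hashed against the published samples, outbound sessions to the listed staging hosts, the 127.0.0.1:8001 listener, and DNS lookups of the Dispenser names. The snapshot layout (a dict of file contents, a socket table and a DNS log) and all sample data are constructed for the example; the IP, domain, file-name and SHA256 values are the indicators listed on this page.

```python
"""Offline triage of a Linux edge device for GobRAT / Bulbature artefacts.

Added example, not code from the report or the malware.  The snapshot format
and the SAMPLE data are assumptions built for illustration; indicator values
come from the IoC list above.
"""
import hashlib
import re

# Indicators from the page (domains kept in the defanged form they are listed in)
STAGING_IPS = {"38.54.56.5", "38.54.85.21"}
DISPENSERS = {"eyh.ocry[.]com:443", "nbt201.dynamic-dns[.]net:8080"}
KNOWN_SHA256 = {
    "41e189a5b68f305ab6251a06475b76777bda0d035ea06cd569306ed5c98bdc98": "bulbature",
    "91eaa94223c12ddc89eca5220a8c57f0254f587f73c9edc161fc161a56e2c2f0": "zone.x86_64",
}
SCRIPTS = ("zonesetup.sh", "zoneController.sh", "zoneupdate.sh",
           "hold_by_bot.sh", "sshdeny1.sh")
PERSISTENCE_FILES = ("/etc/rc.local", "/etc/crontab")
# Names of the payloads the scripts drop into /zone (zone.[ARCH], bulbature, frpc)
PAYLOAD_RE = re.compile(r"^/zone/(zone\.[A-Za-z0-9_]+|bulbature|frpc)$")


def refang(ioc):
    """Turn the defanged 'a[.]b' form used in IoC lists back into a hostname."""
    return ioc.replace("[.]", ".")


def triage(snapshot):
    """Return a list of (category, detail) findings for one host snapshot."""
    findings = []
    files = snapshot.get("files", {})  # path -> bytes

    # 1. Persistence: rc.local / cron entries that launch anything from /zone
    cron_spool = tuple(p for p in files if p.startswith("/var/spool/cron/"))
    for path in PERSISTENCE_FILES + cron_spool:
        for line in files.get(path, b"").decode(errors="replace").splitlines():
            if "/zone/" in line or any(s in line for s in SCRIPTS):
                findings.append(("persistence", f"{path}: {line.strip()}"))

    # 2. Staged payloads: files in /zone named like the dropped binaries, with a
    #    SHA256 lookup against the published samples (placeholders will not match)
    for path, data in files.items():
        if PAYLOAD_RE.match(path):
            digest = hashlib.sha256(data).hexdigest()
            label = KNOWN_SHA256.get(digest, "hash not in published sample list")
            findings.append(("payload", f"{path} sha256={digest} ({label})"))

    # 3. Network: sessions to staging hosts, the localhost:8001 listener Bulbature
    #    opens when started with an argument, and DNS lookups of Dispenser names
    dispenser_hosts = {refang(d).rsplit(":", 1)[0] for d in DISPENSERS}
    for proto, laddr, lport, raddr, rport, state in snapshot.get("sockets", []):
        if raddr in STAGING_IPS:
            findings.append(("c2", f"{proto} {laddr}:{lport} -> {raddr}:{rport} {state}"))
        if proto == "tcp" and state == "LISTEN" and laddr == "127.0.0.1" and lport == 8001:
            findings.append(("relay", "Bulbature-style listener on 127.0.0.1:8001"))
    for name in snapshot.get("dns", []):
        if name.lower() in dispenser_hosts:
            findings.append(("dispenser", name))
    return findings


# Constructed snapshot of a device that ran zonesetup.sh -> zoneController.sh.
# Binary contents are placeholders, not the real samples.
SAMPLE = {
    "files": {
        "/etc/rc.local": b"#!/bin/sh\n/zone/hold_by_bot.sh &\nexit 0\n",
        "/etc/crontab": b"* * * * * root /bin/sh /zone/zoneupdate.sh\n",
        "/var/spool/cron/root": b"*/5 * * * * /zone/hold_by_bot.sh\n",
        "/zone/zone.x86_64": b"ELF placeholder, not the real sample",
        "/zone/bulbature": b"UPX placeholder, not the real sample",
        "/etc/hostname": b"router\n",
    },
    "sockets": [  # (proto, local addr, local port, remote addr, remote port, state)
        ("tcp", "192.0.2.10", 51234, "38.54.56.5", 80, "ESTABLISHED"),
        ("tcp", "127.0.0.1", 8001, "0.0.0.0", 0, "LISTEN"),
        ("udp", "192.0.2.10", 40321, "198.51.100.7", 53, ""),
    ],
    "dns": ["eyh.ocry.com", "ntp.example.net"],
}

if __name__ == "__main__":
    for category, detail in triage(SAMPLE):
        print(f"[{category}] {detail}")
```

On a real device the snapshot would be filled from a forensic image or a live `ss -tulpan` and cron/rc.local dump; the name-based /zone check matters because a fresh build from the staging server will not match any published hash, so an unknown digest in that directory is still a finding, not a clean result.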

The wider admin ecosystem exposes two web UIs: a proxies-provider console that creates on-demand tunnels (WireGuard/OpenVPN/L2TP/PPTP/SSTP/SOCKS/HTTPS) on compromised nodes, and a GobRAT administration interface, which Sekoia reconstructed from its frontend assets, that lets operators manage nodes, run “Weak password” brute-force tasks, deploy “Exp” exploit plugins against web targets, schedule DDoS campaigns, and upload credential dictionaries or target IP ranges. Together they automate mass exploitation and proxy rotation across the ORB fleet; the user management built into the GobRAT UI points to several operators sharing the same infrastructure.

Read more: https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/