Blog categories
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.
Latest from the blog
Dual-Platform Backdoor from a South Asian Threat Group: StealthServer
Posted on: 22 October 2025 | Author: Foresiet
In my ongoing monitoring of cyber threats in South Asia, I’ve encountered a series of advanced persistent threat (APT) activities. This region has long been a hotspot for sophisticated cyberattacks, with various groups ramping up their operations in terms of frequency and technical complexity. Starting from early July, I’ve captured multiple new malware samples targeting both Windows and Linux platforms. These files often masquerade as legitimate documents related to meetings, procurement, or similar topics, such as “Meeting_Ltr_ID1543ops.pdf.desktop” or “PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop”. When executed, they appear to open a harmless PDF to deceive the user, while the actual malicious payload runs silently in the background. The decoy PDFs typically cover themes like politics, military affairs, or conferences, all tied to a specific South Asian country.

Through detailed reverse engineering, I’ve identified this as a backdoor dubbed “StealthServer”. Its core components are developed in Golang, enabling cross-platform compatibility across Windows and Linux, with several evolving variants. The name “StealthServer” originates from an early Linux sample where the command-and-control (C2) server responds with a confirmation message like {“service”:”stealth-server”,”status”:”ok”}. In one Windows variant, I spotted references to “ULTRA-” strings, suggesting the developers initially considered naming the Windows version “ULTRA-CLIENT”, but this was removed in later iterations. For consistency, I’ll refer to all variants under the “StealthServer” umbrella.
Functionally, StealthServer focuses on two primary capabilities: exfiltrating files from the victim’s machine and executing arbitrary commands issued by the C2 server. In terms of communication, it dynamically switches protocols to evade detection—I’ve observed three Windows variants: the first two using TCP sockets, and the third shifting to WebSocket. For Linux, there are two variants employing HTTP and WebSocket respectively.
A standout feature of StealthServer is its heavy use of obfuscation techniques, including injecting vast amounts of junk code and redundant functions to slow down reverse engineering efforts. Some variants also attempt to mask network traffic by repeatedly accessing whitelisted domains like “google.com” or “microsoft.com”, making it harder to isolate malicious communications during traffic analysis.
Using custom asset scanning methods, I’ve searched for assets with web titles containing “Stealth Server” since early June and uncovered several active backend login pages, such as those titled “Stealth Server – Login”. However, C2 servers for StealthServer tend to have short lifespans, limiting opportunities for deeper command tracking or infection chain observation. This analysis primarily emphasizes the malware samples themselves, drawing from patterns I’ve observed in similar threats.
The backend login interface features a simple form for username and password entry, indicative of a basic but effective control panel for operators.
Linking to Known Threat Actors
Based on behavioral and infrastructural clues I’ve gathered, this backdoor shows potential ties to a well-known South Asian APT group often involved in espionage against regional targets. Here’s a breakdown of the key indicators:
- Behavioral Patterns: The samples align with historical tactics of this group, such as distributing ELF binaries via .desktop files on Linux, disguised as PDF shortcuts. File names and decoy PDF contents frequently revolve around political, procurement, or meeting themes relevant to a specific South Asian nation. Decoy PDFs are commonly hosted on Google Drive links, a common lure method.
- Infrastructure Overlaps: The domains used by StealthServer mimic government or utility sites from the target country, e.g., “modindia[.]serveminecraft.net”, “modgovindia[.]space”, or “kavach[.]space”. These exhibit naming similarities and resolution patterns to other indicators I’ve tracked. For instance, “modindia[.]serveminecraft.net” and “modgovindia[.]space” resolved to “101.99.94[.]109” in early July, alongside another domain “zahcomputers.pk[.]modpersonnel.support” pointing to the same IP. This structure echoes phishing domains like “mod.gov.in[.]defencepersonnel.support” or “email.gov.in[.]modindia.link”, using TLDs such as “.support” or “.link”.
- Public Correlations: Independent research and shared data from security communities have labeled certain C2 domains as belonging to this group, reinforcing the connection through overlapping IoCs.
Sample Analysis
Both Windows and Linux samples are built in Golang, sharing similar development paths like */bossmaya/*/obfuscated*.go. Here’s a list of paths I’ve extracted from various samples:

Delivery methods differ by platform: Windows uses PPT documents with malicious macros, while Linux employs .desktop files—a staple for this threat actor. Despite minor functional variances, common traits include anti-analysis checks and persistence techniques. Two prominent shared characteristics stand out:
- Code Layout: The majority of the code upfront consists of junk functions and irrelevant operations, with the actual malicious logic buried at the end. This deliberately prolongs disassembly and understanding, as visualized in process flow graphs where obfuscation dominates the structure.
- Junk Code Insertion: Beyond initial bloat, junk is interspersed around critical sections. Examples include pointless loops for calculations or sham encryption/decryption routines, such as a redundant Fibonacci sequence generator that serves no purpose other than to confuse analysts.
Windows Variant 1: TCP Protocol
Loader Mechanism
The initial Windows variant surfaced in July, delivered via a PPT file named “PM & Est Sanction Final 2025.ppam”. This contains embedded malicious VBA macros, extractable using tools like oledump for inspection. Enabling macros triggers the script, which downloads a decoy PPT from “https://filestore[.]space/SoftsCompany/d/11/MES-Presentation” to distract the user, while the real payload “nodejs” is fetched from “https://filestore[.]space/SoftsCompany/d/14/nodejs” and executed.
StealthServer Core
- Evasion and Anti-Analysis:
- Anti-Debug/Anti-Sandbox: Runs commands like tasklist /fi “imagename eq %s*” | find /i “%s” to scan for processes containing strings such as “VMware”, “VirtualBox”, “QEMU”, “Xen”, “Hyper-V”, “Parallels”, “KVM”, “Virtual”, “vbox”, or “vmware”. Also calls IsDebuggerPresent() and checks PEB DebugFlag. Scans for directories like “C:\analysis” or “C:\sandbox”, and blacklisted usernames like “admin”, “sandbox”, or “malware”.
- Traffic Obfuscation: Loops requests to benign sites including “google.com”, “microsoft.com”, “cloudflare.com”, “amazon.com”, “facebook.com”, and “httpbin.org”.
- Hidden Execution: Spawns a concealed PowerShell window via cmd /C powershell -WindowStyle Hidden -Command exit.
- Mutex Check: Computes SHA256 of “nodejs_instance_mutex”, formats as “Global%x”, and uses PowerShell to verify if an instance is running: powershell -Command “$mutex = New-Object System.Threading.Mutex($false, ‘%s’); if($mutex.WaitOne(0)) { exit 0 } else { exit 1 }.
- Persistence Strategies:
- File Hiding: Copies itself to %APPDATA%\nodejs.exe and applies attrib +h +s for hidden/system attributes.
- Registry Autostart: Adds key via reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v nodejs /t REG_SZ /d “%s” /f.
- Startup Shortcut: Creates a PowerShell script “create_shortcut.ps1” to generate “System Update.lnk” in the Startup folder, pointing to nodejs.exe.
- Scheduled Service: Uses sc create “NodeJSUpdater” binPath= “%s” start= auto DisplayName= “Node.js Background Updater” type= own and sc start “NodeJSUpdater”.
- C2 Communication:
C2 at “modindia.serveminecraft[.]net:8080” using TCP with JSON data. Beacon includes hardcoded ID, location (“windows – [hostname]”), and AV name. Supports commands: LIST (file enumeration), UPLOAD (file exfil), DOWNLOAD (file retrieval). Junk code is woven into the comms logic for added obfuscation.
Windows Variant 2: TCP Protocol
Discovered in late August, this variant (“proxifiersetup.exe”) features obfuscated function names and a dev path “D:/bossmaya/newblkul/client/client_obfuscated.go”. It includes “ULTRA-CLIENT” strings and adds anti-debug checks for tools like OllyDbg, x64dbg, and IDA. Core functions remain similar, with minor tweaks.
C2 uses XOR-encrypted domains but falls back to IPs “45.155.54[.]122” and “45.155.54[.]62” on port 8080. Beacon adds “os” field; ID is random 8-byte hex. Commands unchanged: LIST, UPLOAD, DOWNLOAD.
Windows Variant 3: WebSocket Protocol
Also from late August, this shifts to WebSocket at “ws://kavach[.]space:5500”. Functions mirror the Linux Variant 2 below.
Linux Variant 1: HTTP Protocol
Loader Mechanism
First seen in early August, via “Meeting_Ltr_ID1543ops.pdf.desktop”—a Linux shortcut mimicking a PDF. Execution opens Firefox to a Google Drive decoy PDF (confidential defense alliance content) while downloading “Mt_dated_29.txt” from “https://securestore[.]cv/ghg/Mt_dated_29.txt” to /tmp, converting it from HEX to ELF using xxd -r -p, chmod +x, and running it.
Another loader uses HEX-encoded URLs, decoded to fetch via curl, open Firefox decoy, and process with xxd.
StealthServer Core
Dev path: “D:/bossmaya/client/obfuscated_client.go” with function name obfuscation.
- Junk Code: Bulk at init/main start; includes empty loops, sleeps, or pointless compress/encrypt/decrypt on dummy data.
- Anti-Debug: Parses /proc/self/status for “TracerPid” > 0 indicating debugger attachment.
- Persistence:
- Systemd Service: Creates ~/.config/systemd/user structure with symlink, copies ELF to ~/.config/systemd/systemd-update, deploys service file for auto-restart, starts via systemctl.
- Shell Configs: Appends nohup launch to ~/.bashrc and ~/.profile: nohup /home/username/.config/systemd/systemd-update >/dev/null 2>&1 &.
- C2 Communication: C2 “modgovindia[.]space:4000”. Checks /health for status (reveals “stealth-server”). Fetches commands from /commands: browse (list files), upload (exfil file), execute (run bash). Responses to /command-response.
- File Exfiltration: Recursively scans / for .pdf, .doc, .xls, .ppt, .txt, .zip, .rar. Notifies C2 via GET with X-Username, then POST /upload?last=true with AES-GCM encrypted content (key from SHA256 of hardcoded string, nonce in X-Nonce, tag appended). X-File-Name is base64 filename.
Linux Variant 2: WebSocket Protocol
Loader Mechanism
Mid-August, via “PROCUREMENT_OF_MANPORTABLE_&_COMPAC.pdf.desktop” with base64-encoded commands amid comments. Opens Firefox to procurement-themed Google Drive PDF decoy. Downloads HEX payload from Google Drive ID, converts with xxd -r -p, chmod +x, executes.
StealthServer Core
Dev path: “D:/bossmaya/newlinuxblkul/client/main_obfuscated_enhanced.go” (enhanced, no function obfuscation).
- Persistence: Accepts “–hidden” flag to skip. Otherwise, copies to ~/.config/system-backup/, adds crontab @reboot, deploys systemd “system-backup.service” for restart.
- C2 Communication: WebSocket at base64-decoded “ws://seemysitelive[.]store:8080/ws”. Welcomes with “Welcome to Stealth Server”, sends client info (dir, hostname, IP, location, OS, username). Heartbeats every 30s. Commands: browse_files (list), upload_execute (exfil), start_collection (search suffixes), ping, welcome, heartbeat.
Final Thoughts
This threat group demonstrates high activity levels, with diverse tools, frequent variants, and rapid delivery cycles. Their focus on evasion through obfuscation and protocol switching highlights evolving sophistication. If you’re researching similar topics, feel free to reach out via relevant forums.
Indicators of Compromise (IoCs)
Samples (SHA256): dc64c34ba92375f8dc8ae8cf90a1f535a0aa5a29fcf965af5ad4982cd16e9d71 8f8da8861c368e74b9b5c1c59e64ef00690c5eff4a95e1b4fcf386973895bef1 6347f46d77a47b90789a1209b8f573b2529a6084f858a27d977bf23ee8a79113 662890bb5baba4a7a9ba718bdedd6991fbf9867c83e676172f5527617e05cafa 264d88624ec527458d4734eff6f1e534fcacb77e5616ae61abed94a941389232 56260e90bba2c50af7c6d82e8656224ece23445f1d76e87a97c938ad9883005f 499f16ed2def90b3d4c0de5ca22d8c8080c26a1a405b4078e262a0a34bcb1e31 7a946339439eb678316a124b8d700b21de919c81ee5bef33e8cb848b7183927b 10b54abba525686869c9da223250f70270a742b1a056424c943cfc438c40cc50 ece1620e218f2c8b68312c874697c183f400c72a42855d885fc00865e0ccc1a1 ab85924ba95692995ac622172ed7f2ebc1997450d86f5245b03491422be2f3d6 cf39bb998db59d3db92114d2235770a4a6c9cbf6354462cfedd1df09e60fe007
Domains: modindia[.]serveminecraft.net modgovindia[.]space seemysitelive[.]store solarwindturbine[.]site sinjita[.]store sinjita[.]space seeconnectionalive[.]website windturbine[.]website kavach[.]space zahcomputers.pk[.]modpersonnel.support discoverlive[.]site cloudstore[.]cam
IPs: 45.155.54[.]122 (Switzerland|Zurich|Zürich AS200019|ALEXHOST SRL) 45.155.54[.]62 (Switzerland|Zurich|Zürich AS200019|ALEXHOST SRL) 45.155.54[.]28 (Switzerland|Zurich|Zürich AS200019|ALEXHOST SRL) 45.155.53[.]179 (Switzerland|Zurich|Zürich AS200019|ALEXHOST SRL) 45.155.53[.]204 (Switzerland|Zurich|Zürich AS200019|ALEXHOST SRL) 45.141.58[.]199 (The Netherlands|Flevoland|Dronten AS213373|IP Connect Inc) 101.99.94[.]109 (Bulgaria|Sofia-Capital|Sofia AS45839|Shinjiru Technology Sdn Bhd) 164.215.103[.]55 (The Netherlands|Flevoland|Dronten AS213373|IP Connect Inc) 161.97.82[.]97 (France|Grand Est|Lauterbourg AS51167|Contabo GmbH) 5.178.0[.]29 (The Netherlands|Flevoland|Dronten AS213373|IP Connect Inc)
Golang Paths: D:/bossmaya/linuxnewdownloader/windows-client/obfuscated_main.go D:/bossmaya/newlinuxblkul/client/main_obfuscated.go D:/bossmaya/newlinuxblkul/client/main_obfuscated_enhanced.go D:/bossmaya/client/obfuscated_client.go D:/bossmaya/newblkul/client/client.go D:/bossmaya/newblkul/client/client_obfuscated.go /home/boss/Desktop/tgtfile/main_obfuscated_enhanced.go
Conclusion
StealthServer represents a sophisticated, dual-platform backdoor from a prolific South Asian APT group, emphasizing evasion through extensive junk code, protocol switching (TCP/HTTP/WebSocket), and multi-layered persistence. My analysis reveals rapid evolution across 5 variants since July, targeting regional espionage via themed lures. Key strengths: cross-platform Golang efficiency, file exfiltration, and command execution. Defenders should monitor listed IoCs, .desktop/PPT loaders, and obfuscated Golang paths for early detection.
About us!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Latest
From the blog
The latest industry news, interviews, technologies, and resources.