GolangGhost (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.golangghost (Back to overview)

GolangGhost

aka: BitStep RAT, WeaselStore

Actor(s): WageMole

GolanGhost is a RAT written in Go. It uses C2 to receive commands and exfiltrate data such as browser information targeting especially installed cryptocurrency wallets.

It is often used in ClickFix campaigns by North-Korean threat actors.

References

2026-03-23 ⋅ Sophos ⋅ Sophos Counter Threat Unit Research Team
NICKEL ALLEY strategy: Fake it ‘til you make it
PylangGhost GolangGhost

2026-03-11 ⋅ Microsoft ⋅ Microsoft Defender Experts, Microsoft Defender Security Research Team
Contagious Interview: Malware delivered through fake developer job interviews
BeaverTail OtterCookie StoatWaffle InvisibleFerret PylangGhost GolangGhost Contagious Interview

2026-03-09 ⋅ Abstract Security ⋅ Abstract Security Threat Research Organization (ASTRO)
Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains Part 2
GolangGhost PylangGhost GolangGhost

2026-02-25 ⋅ Abstract Security ⋅ Abstract Security Threat Research Organization (ASTRO)
Contagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1
BeaverTail PylangGhost GolangGhost

2025-12-17 ⋅ Recorded Future ⋅ Insikt Group
PurpleBravo’s Targeting of the IT Software Supply Chain
BeaverTail InvisibleFerret PylangGhost GolangGhost

2025-09-25 ⋅ ESET Research ⋅ Matěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
BeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit

2025-09-25 ⋅ Virus Bulletin ⋅ Matěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
BeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit

2025-09-17 ⋅ GitLab ⋅ GitLab
Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure
BeaverTail OtterCookie BeaverTail InvisibleFerret Beavertail GolangGhost

2025-08-27 ⋅ Anthropic ⋅ Anthropic
Anthropic - Threat Intelligence Report: August 2025
BeaverTail OtterCookie GolangGhost InvisibleFerret GolangGhost

2025-08-06 ⋅ ANY.RUN ⋅ Mauro Eldritch
PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology
PylangGhost GolangGhost

2025-07-28 ⋅ Wiz.io ⋅ Merav Bar
TraderTraitor: Deep Dive
GolangGhost Manuscrypt RN Stealer DRATzarus GolangGhost PostNapTea Volgmer wAgentTea

2025-06-23 ⋅ PolySwarm Tech Team ⋅ The Hivemind
Famous Chollima’s PylangGhost
GolangGhost PylangGhost GolangGhost

2025-06-18 ⋅ Cisco Talos ⋅ Vanja Svajcer
Famous Chollima deploying Python version of GolangGhost RAT
GolangGhost PylangGhost GolangGhost

2025-05-12 ⋅ ESET Research ⋅ ESET Research
ESET APT Activity Report Q4 2024–Q1 2025
BeaverTail InvisibleFerret GolangGhost

2025-04-24 ⋅ Silent Push ⋅ Silent Push
Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
BeaverTail OtterCookie FrostyFerret GolangGhost InvisibleFerret GolangGhost

2025-04-23 ⋅ Trend Micro ⋅ Feike Hacquebord, Stephen Hilt
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
BeaverTail FrostyFerret GolangGhost InvisibleFerret GolangGhost WageMole

2025-03-31 ⋅ Sekoia ⋅ Amaury G., Coline Chavane, Félix Aime, Sekoia TDR
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
FrostyFerret GolangGhost GolangGhost

There is no Yara-Signature yet.

GolangGhost Propose Change

References

GolangGhost