SYMBOLCOMMON_NAMEaka. SYNONYMS
win.golangghost (Back to overview)

GolangGhost

aka: BitStep RAT, WeaselStore

Actor(s): WageMole


GolanGhost is a RAT written in Go. It uses C2 to receive commands and exfiltrate data such as browser information targeting especially installed cryptocurrency wallets.

It is often used in ClickFix campaigns by North-Korean threat actors.

References
2025-09-17GitLabGitLab
Tech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure
BeaverTail OtterCookie BeaverTail InvisibleFerret Beavertail GolangGhost
2025-08-27AnthropicAnthropic
Anthropic - Threat Intelligence Report: August 2025
BeaverTail OtterCookie GolangGhost InvisibleFerret GolangGhost
2025-08-06ANY.RUNMauro Eldritch
PyLangGhost RAT: Rising Stealer from Lazarus Group Striking Finance and Technology
PylangGhost GolangGhost
2025-07-28Wiz.ioMerav Bar
TraderTraitor: Deep Dive
GolangGhost Manuscrypt RN Stealer DRATzarus GolangGhost PostNapTea Volgmer wAgentTea
2025-06-23PolySwarm Tech TeamThe Hivemind
Famous Chollima’s PylangGhost
GolangGhost PylangGhost GolangGhost
2025-06-18Cisco TalosVanja Svajcer
Famous Chollima deploying Python version of GolangGhost RAT
GolangGhost PylangGhost GolangGhost
2025-05-12ESET ResearchESET Research
ESET APT Activity Report Q4 2024–Q1 2025
BeaverTail InvisibleFerret GolangGhost
2025-04-24Silent PushSilent Push
Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
BeaverTail OtterCookie FrostyFerret GolangGhost InvisibleFerret GolangGhost
2025-04-23Trend MicroFeike Hacquebord, Stephen Hilt
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
BeaverTail FrostyFerret GolangGhost InvisibleFerret GolangGhost WageMole
2025-03-31SekoiaAmaury G., Coline Chavane, Félix Aime, Sekoia TDR
From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic
FrostyFerret GolangGhost GolangGhost

There is no Yara-Signature yet.