Tuesday, May 6, 2025
HomeCyber Security NewsHackers Using BlueShell Malware to Attack Windows, Linux, and Mac Systems

Hackers Using BlueShell Malware to Attack Windows, Linux, and Mac Systems

Published on

SIEM as a Service

Follow Us on Google News

The usage of Blueshell malware spikes up by various threat actors to target Windows, Linux, and other operating systems across Korea and Thailand.

Blueshell backdoor malware has been active since 2020 and written in GO language, believed to be created by a Chinese user, which is available on the GitHub repository.

Though the original GitHub repository was deleted, BlueShell’s source code can still be accessed from other repositories. 

- Advertisement - Google News

AhnLab Security Emergency Response Center (ASEC) monitors APT attack cases using BlueShell and has released the summarized report of APT attack cases using BlueShell.

Considering the functionality of the Backshell, it is designed and uses TLS encryption to circumvent network detection with the C&C server. 

The Remote command execution, file download/upload, and Socks5 proxy were executed by the attacker through commands.

Blueshell Malware Config

BlueShell has three configuration data: the C&C server’s IP address, port number, and waiting time. 

The research revealed the usage of blue shell malware by Dalbit Group during the attack against the Windows platform.

The Dalbit Group is a China-based threat group that mostly targets vulnerable servers to steal information containing critical data to demand money.

“While ASEC was monitoring BlueShell targeting the Linux environment, it identified a customized form of BlueShell from VirusTotal.”

The attacker first created Dropper malware and used it to install BlueShell, which is responsible for creating and executing BlueShell like a regular dropper.

But the main difference is that it sets and executes an environment variable named “lgdt” when running. 

The generated BlueShell obtains the “lgdt” environment variable, decrypts it, and uses it as the C&C server address. Accordingly, BlueShell alone cannot verify the address of the C&C server.

Indicator of compromise

– 53271b2ab6c327a68e78a7c0bf9f4044 
– 011cedd9932207ee5539895e2a1ed60a 
–7d9c233b8c9e3f0ea290d2b84593c842  
– 31c4a3f16baa5e0437fdd4603987b812
– 9f55b31c66a01953c17eea6ace66f636
– 33129e959221bf9d5211710747fddabe
-e0f4afe374d75608d604fbf108eac64f
– 96ec8798bba011d5be952e0e6398795d 
– b434df66d0dd15c2f5e5b2975f2cfbe2 
– f4ace89337c8448f13d6eb538a79ce30 
– 5e0845a9f08c1cfc7966824758b6953a
– e981219f6ba673e977c5c1771f86b189
– 85a6e4448f4e5be1aa135861a2c35d35
-21c7b2e6e0fb603c5fdd33781ac84b8f 
– 1a0c704611395b53f632d4f6119ed20c
– 4eb724cc5f3d94510ba5fc8d4dba6bb6
– 47fc0ecb87c1296b860b2e10d119fc6c 
– 2ed0a868520c31e27e69a0ab1a4e6 90d
-985000d076e7720660ab8435639d5ad5
-425c761a125b7cb674887121312bd16c
– 3f022d65129238c2d34e41deba3e24d3 
– 30fe6a0ba1d77e05a19d87fcf99e7ca5

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems...

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21...

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its...