Trojan:Win32/SuspGolang.AG - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/SuspGolang.AG
Classification:
  Type: Trojan
  Platform: Win32
  Family: SuspGolang
  Detection Type: Concrete (known malware family with identified signatures)
  Variant: AG (specific signature variant within the malware family)
  Confidence: Very High
  False-Positive Risk: Low

Concrete signature match: a Trojan (a program that appears legitimate but performs malicious actions) for the Win32 platform, in the SuspGolang family (suspicious Go-compiled binaries).

Summary:

Trojan:Win32/SuspGolang.AG is a Windows Defender detection for a backdoor written in Go that gives a remote operator unauthorized access to the infected system. The signature keys on the names of the implant's request message types, which describe its capabilities directly: it can start and stop SOCKS proxy servers and TCP forwarders to tunnel the operator's traffic through the compromised host (the WG prefix refers to a WireGuard transport), it can query, stop and remove Windows services for persistence or defense evasion, and it accepts a generic backdoor request. These request names match the protobuf message types used by the implant of the open-source Sliver C2 framework, and one of the listed samples carries the vendor name BackDoor.Silver, which is consistent with that. The remaining three strings are edwards25519 scalar methods that any Go binary using Ed25519 contains, so on their own they say nothing about maliciousness; the rule therefore requires every string, not a subset. The detection is a static match on Go method symbols, not on behaviour.

Severity:
Critical
VDM Static Detection:
Strings the PEHSTR_EXT signature matches (each has weight 1 against a threshold of 11, so all eleven must be present):
 - WGSocksStopReq). (PEHSTR_EXT)
 - WGTCPForwardersReq). (PEHSTR_EXT)
 - WGSocksServersReq). (PEHSTR_EXT)
 - WGTCPForwarder). (PEHSTR_EXT)
 - ServiceInfoReq). (PEHSTR_EXT)
 - StopServiceReq). (PEHSTR_EXT)
 - RemoveServiceReq). (PEHSTR_EXT)
 - BackdoorReq). (PEHSTR_EXT)
 - ).SetUniformBytes (PEHSTR_EXT)
 - ).SetCanonicalBytes (PEHSTR_EXT)
 - ).SetBytesWithClamping (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_SuspGolang_AG_2147915794_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/SuspGolang.AG"
        threat_id = "2147915794"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "SuspGolang"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "11"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "WGSocksStopReq)." ascii //weight: 1
        $x_1_2 = "WGTCPForwardersReq)." ascii //weight: 1
        $x_1_3 = "WGSocksServersReq)." ascii //weight: 1
        $x_1_4 = "WGTCPForwarder)." ascii //weight: 1
        $x_1_5 = "ServiceInfoReq)." ascii //weight: 1
        $x_1_6 = "StopServiceReq)." ascii //weight: 1
        $x_1_7 = "RemoveServiceReq)." ascii //weight: 1
        $x_1_8 = "BackdoorReq)." ascii //weight: 1
        $x_1_9 = ").SetUniformBytes" ascii //weight: 1
        $x_1_10 = ").SetCanonicalBytes" ascii //weight: 1
        $x_1_11 = ").SetBytesWithClamping" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
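The following is an added example and not code from the threatcheck.sh page or from Microsoft's signature database. It re-implements, in plain Python, the weighted-string matching that the PEHSTR_EXT signature and the YARA rule above express, and runs it over constructed byte buffers that imitate the function-name table a Go binary carries. Go records method symbols as `pkg.(*Type).Method`, which is why the signature strings end in `).` or begin with `).`; the package prefixes used in the constructed symbols (`sliverpb`, `edwards25519`) are shortened for illustration and are an assumption, as is the NUL-separated layout of the sample blobs.

```python
# Added example (not from the page or the signature database): weighted
# string matching as expressed by the PEHSTR_EXT signature / YARA rule,
# run over constructed Go-symbol-table-like blobs. Package prefixes and
# blob layout are assumptions for illustration only.

# The eleven substrings from the signature, each with weight 1.
SIGNATURE_STRINGS = {
    "WGSocksStopReq).": 1,
    "WGTCPForwardersReq).": 1,
    "WGSocksServersReq).": 1,
    "WGTCPForwarder).": 1,
    "ServiceInfoReq).": 1,
    "StopServiceReq).": 1,
    "RemoveServiceReq).": 1,
    "BackdoorReq).": 1,
    ").SetUniformBytes": 1,
    ").SetCanonicalBytes": 1,
    ").SetBytesWithClamping": 1,
}
THRESHOLD = 11                    # meta: threshold = "11"
MAX_FILESIZE = 20 * 1024 * 1024   # condition: filesize < 20MB


def score(data: bytes):
    """Return (total_weight, matched_strings) for the signature strings found in data."""
    total = 0
    matched = []
    for needle, weight in SIGNATURE_STRINGS.items():
        if needle.encode("ascii") in data:
            total += weight
            matched.append(needle)
    return total, matched


def matches(data: bytes) -> bool:
    """Mirror the rule's condition: filesize < 20MB and weighted score >= threshold.

    With eleven weight-1 strings and a threshold of 11 this is the same as
    YARA's "all of ($x*)": dropping a single string defeats the match.
    """
    if len(data) >= MAX_FILESIZE:
        return False
    total, _ = score(data)
    return total >= THRESHOLD


def go_symbol_table(entries):
    """Construct a NUL-separated blob resembling a Go binary's function-name table."""
    return b"\x00".join(e.encode("ascii") for e in entries) + b"\x00"


# Constructed sample 1: method symbols an implant built from the request
# message types named in the signature would carry.
IMPLANT_LIKE = go_symbol_table([
    "sliverpb.(*WGSocksStopReq).Reset",
    "sliverpb.(*WGTCPForwardersReq).Reset",
    "sliverpb.(*WGSocksServersReq).Reset",
    "sliverpb.(*WGTCPForwarder).Reset",
    "sliverpb.(*ServiceInfoReq).Reset",
    "sliverpb.(*StopServiceReq).Reset",
    "sliverpb.(*RemoveServiceReq).Reset",
    "sliverpb.(*BackdoorReq).Reset",
    "edwards25519.(*Scalar).SetUniformBytes",
    "edwards25519.(*Scalar).SetCanonicalBytes",
    "edwards25519.(*Scalar).SetBytesWithClamping",
])

# Constructed sample 2: a benign Go program that only uses Ed25519. It
# carries the three edwards25519 strings but none of the request types.
BENIGN_ED25519 = go_symbol_table([
    "crypto/ed25519.GenerateKey",
    "edwards25519.(*Scalar).SetUniformBytes",
    "edwards25519.(*Scalar).SetCanonicalBytes",
    "edwards25519.(*Scalar).SetBytesWithClamping",
])

# Constructed sample 3: the implant blob with one request type removed, to
# show that the all-strings threshold leaves no slack.
PARTIAL = IMPLANT_LIKE.replace(b"sliverpb.(*BackdoorReq).Reset\x00", b"")


if __name__ == "__main__":
    for name, blob in (("implant-like", IMPLANT_LIKE),
                       ("benign ed25519", BENIGN_ED25519),
                       ("partial", PARTIAL)):
        total, _ = score(blob)
        print(f"{name:15s} score={total:2d}/{THRESHOLD} match={matches(blob)}")
```

To try it on a real file, pass `open(path, "rb").read()` to `matches()`. Two caveats: this mirrors only the condition visible in the rule, not any additional constraints Defender's engine may apply to PEHSTR_EXT signatures; and the strings live in the Go runtime's function-name table, which survives a plain `-s -w` strip but not identifier obfuscators such as garble, so a renamed build will score zero here even though its capabilities are unchanged.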
Known malware associated with this threat (SHA-256 and date, DD/MM/YYYY):
  Filename: lapland.exe
  SHA-256:  00f799dc6756579035e233ae0212704407dc30cfba938152baea9e2cfc21edf7
  Date:     10/12/2025

  Filename: n-psk-ru.exe
  SHA-256:  783117155dbdff7084c24de5a887cb322ea83a5d054fb033b30f735e12348c43
  Date:     10/12/2025

  Filename: oootl_ru.exe
  SHA-256:  a316f54c1e2d594757554fcdb4b66d6fdd399eaea0328491fccab16b701ef033
  Date:     10/12/2025

  Filename: svchost.exe
  SHA-256:  f3064e852a2dd178aeb950c914f42689bf075ccaddf881938c4f7ff6b418d0f4
  Date:     18/11/2025

  Filename: SecuriteInfo.com.BackDoor.Silver.36.23609.4243
  SHA-256:  71db4999013e7987e10ca2374d9a101591ffbd31befd4f0bc2bffc47f57a8317
  Date:     11/11/2025
Remediation Steps:
1. Isolate the affected machine from the network immediately to prevent lateral movement. The implant's SOCKS and TCP-forwarding capability means it may be relaying the operator's traffic into the rest of the network, so treat connections through this host as suspect as well.
2. Use Windows Defender to perform a full system scan and remove the detected threat.
3. Because this is a backdoor with remote-access and service-manipulation capability, investigate for persistence (installed services, scheduled tasks, run keys) and do not trust process names alone: one of the known samples was dropped as svchost.exe. Reset the credentials of every account that was used on the machine, and plan to reimage the system rather than rely on a cleaned one.
=== END REPORT ===