Golang-Powered KTLVdoor Backdoor Targets Windows and Linux
Trend Micro researchers have uncovered a previously undocumented cross-platform backdoor named KTLVdoor, attributed to the Chinese threat group Earth Lusca. KTLVdoor is written in Go and exists in both Windows and Linux builds.
The malware is considerably more complex than the tooling Earth Lusca typically uses. It is heavily obfuscated and is deployed under file names that masquerade as common system utilities, such as sshd, java, sqlite, and bash, so a process with one of these names running from an unexpected path is worth a closer look. KTLVdoor's primary purpose is to give the operator full control of an infected host: beyond executing commands, it can manipulate files, collect system and network information, upload and download files, and perform remote port scanning.
The researchers identified more than 50 command-and-control (C2) servers interacting with various KTLVdoor builds, all of them hosted on Alibaba's cloud platform in China. While several samples are clearly tied to Earth Lusca, it is possible that the infrastructure is shared with other Chinese-speaking threat actors.
So far, one victim has been identified—a trading company in China. This is not the first instance of Chinese hackers targeting companies within their own country. Similar incidents have been observed involving other well-known groups, such as Iron Tiger and Void Arachne.
Most KTLVdoor samples are heavily obfuscated: strings and symbols are encoded and unreadable in their raw form, and the code is deliberately convoluted to slow down analysis. The backdoor's configuration is stored in a type-length-value (TLV) encoding that lists parameters and their values, including the operation mode, C2 server details, proxy servers, and the transport protocol to use (HTTP, TCP, and so on).
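To make the TLV configuration concrete, the following is an added example and not code from Trend Micro or from the malware itself. It assumes a hypothetical encoding of [1-byte tag][2-byte big-endian length][value] with invented tag numbers and constructed sample values; KTLVdoor's real tag assignments and field layout are not given in the article. The parser rejects truncated records instead of reading past the buffer, which is the check an analyst's config extractor needs when carving a blob out of an obfuscated binary.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed tag values for a TLV-encoded backdoor configuration.
// These are illustrative only, not KTLVdoor's actual identifiers.
const (
	TagMode     byte = 0x01 // operation mode: "simplex" or "duplex"
	TagC2       byte = 0x02 // C2 address; may appear more than once
	TagProxy    byte = 0x03 // proxy server
	TagProtocol byte = 0x04 // transport protocol, e.g. "http" or "tcp"
)

// Entry is one decoded type-length-value record.
type Entry struct {
	Tag   byte
	Value []byte
}

// ErrTruncated is returned when a header or length field runs past the blob.
var ErrTruncated = errors.New("tlv: entry runs past end of buffer")

// EncodeTLV serialises entries as [1-byte tag][2-byte big-endian length][value].
func EncodeTLV(entries []Entry) []byte {
	var out []byte
	var n [2]byte
	for _, e := range entries {
		binary.BigEndian.PutUint16(n[:], uint16(len(e.Value)))
		out = append(out, e.Tag)
		out = append(out, n[:]...)
		out = append(out, e.Value...)
	}
	return out
}

// ParseTLV walks the blob and returns the records in order, failing on
// truncated input rather than indexing past the slice.
func ParseTLV(blob []byte) ([]Entry, error) {
	var entries []Entry
	for off := 0; off < len(blob); {
		if off+3 > len(blob) {
			return nil, ErrTruncated
		}
		tag := blob[off]
		n := int(binary.BigEndian.Uint16(blob[off+1 : off+3]))
		off += 3
		if off+n > len(blob) {
			return nil, ErrTruncated
		}
		entries = append(entries, Entry{Tag: tag, Value: blob[off : off+n]})
		off += n
	}
	return entries, nil
}

// Config holds the named fields recovered from a configuration blob.
type Config struct {
	Mode     string
	C2       []string
	Proxy    string
	Protocol string
}

// ConfigFromTLV groups decoded entries into fields; repeated C2 tags
// accumulate into a list so a multi-server config survives intact,
// and unknown tags are skipped rather than failing the whole parse.
func ConfigFromTLV(blob []byte) (Config, error) {
	var cfg Config
	entries, err := ParseTLV(blob)
	if err != nil {
		return cfg, err
	}
	for _, e := range entries {
		switch e.Tag {
		case TagMode:
			cfg.Mode = string(e.Value)
		case TagC2:
			cfg.C2 = append(cfg.C2, string(e.Value))
		case TagProxy:
			cfg.Proxy = string(e.Value)
		case TagProtocol:
			cfg.Protocol = string(e.Value)
		}
	}
	return cfg, nil
}

// SampleConfig builds a constructed configuration blob for demonstration.
func SampleConfig() []byte {
	return EncodeTLV([]Entry{
		{TagMode, []byte("duplex")},
		{TagC2, []byte("203.0.113.10:443")},
		{TagC2, []byte("203.0.113.11:8080")},
		{TagProxy, []byte("198.51.100.5:3128")},
		{TagProtocol, []byte("http")},
		{0x7f, []byte("unknown-tag-ignored")},
	})
}

func main() {
	cfg, err := ConfigFromTLV(SampleConfig())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", cfg)

	// A length field that claims more bytes than exist is rejected.
	_, err = ParseTLV([]byte{TagC2, 0x00, 0x10, 'a', 'b'})
	fmt.Println("truncated:", err)
}
```

The encoder is included only so the sample blob can be built inline; in practice the blob would come from the decoded configuration region of a sample, and the tag table would be filled in from reversing that sample.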
Once running, the backdoor begins exchanging encrypted messages with its C2 servers. Depending on the configuration, communication runs in simplex mode (one-way data transmission) or duplex mode (two-way transmission).
Functions observed in the malware include file upload and download, port scanning, system information gathering, process management, and proxy handling, alongside arbitrary command execution; together these give the operator full control of the compromised host.
The researchers noted that, despite clear indications of a link to Earth Lusca, not all samples can be definitively tied to the group. The scale of the infrastructure and the number of servers involved are unusual for this kind of operation, which may indicate that the toolset is still in a testing phase or that it is being shared with other threat groups.