A GSocket backdoor was discovered in a malicious Bash script that installs the GSocket tool on the victim's machine, giving the attacker a C2 channel through a global relay network. The script downloads a GSocket client, starts it, and stores the shared secret in a fake SSH key file. Persistence is achieved through a cron job that restarts the disguised gs-netcat at the top of every hour and by embedding the code in the victim's .profile.
The malware also copies itself into .ssh/putty, and the ELF file named id_rsa (SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) is the gs-netcat binary downloaded from the G-Socket CDN. It uses anti-forensic timestamp techniques, including a bespoke file-tracking system that restores file timestamps after modification, and because it is written entirely in Bash it can infect any UNIX flavour, including macOS.
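As an added defensive example (not code from the SANS ISC diary or the sample), a small Python triage script that checks the locations named above: an ELF binary masquerading as ~/.ssh/id_rsa or ~/.ssh/putty, and crontab or .profile lines that mention gs-netcat or reference a path under ~/.ssh. The regex, the file names checked and the constructed sample home directory are assumptions.

```python
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # real OpenSSH private keys are PEM text, never ELF
# Broad hunting heuristic (assumption): a crontab or .profile line that names
# gs-netcat or references anything under .ssh/ deserves a look.
PERSISTENCE_RE = re.compile(r"gs-netcat|\.ssh/")

def is_masqueraded_key(path: Path) -> bool:
    """True if a file posing as an SSH key is actually an ELF executable."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def find_persistence_lines(text: str) -> list:
    """Return non-comment crontab/.profile lines matching the heuristic above."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and PERSISTENCE_RE.search(stripped):
            hits.append(stripped)
    return hits

def scan_home(home: Path, crontab_text: str = "") -> dict:
    """Check the spots this backdoor uses: .ssh/id_rsa, .ssh/putty, .profile, crontab."""
    findings = {"elf_keys": [], "persistence": []}
    for name in ("id_rsa", "putty"):
        p = home / ".ssh" / name
        if p.exists() and is_masqueraded_key(p):
            findings["elf_keys"].append(str(p.relative_to(home)))
    profile = home / ".profile"
    if profile.exists():
        findings["persistence"] += find_persistence_lines(profile.read_text())
    findings["persistence"] += find_persistence_lines(crontab_text)
    return findings

def demo() -> dict:
    """Constructed sample home: an ELF disguised as id_rsa, a benign putty file, persistence lines."""
    home = Path(tempfile.mkdtemp())
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_rsa").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 16)
    (home / ".ssh" / "putty").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n")
    (home / ".profile").write_text("# ~/.profile\nexport PATH=$PATH:~/bin\n~/.ssh/putty &\n")
    crontab = "0 * * * * ~/.ssh/id_rsa >/dev/null 2>&1\n30 3 * * * /usr/bin/backup.sh\n"
    return scan_home(home, crontab)
```

Run `demo()` to see the findings on the constructed sample; on a real host, pass the user's home directory and the output of `crontab -l` to `scan_home`.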
The sample with SHA256 6ce69f0a0db6c5e1479d2b05fb361846957f5ad8170f5e43c7d66928a43f3286 was detected by only 17 antivirus solutions on VirusTotal, which led SANS ISC to speculate that it may be a test sample. The write-up, published on 20 March 2026, notes the tool's real-time behaviour, its references to anti-forensic techniques, and the "G-Socket Bypass Stealth" label observed in sandbox runs.