GOREshell
GoReShell is a Go-based backdoor/reverse shell malware cluster that includes custom variants and tooling derived from the open-source reverse_ssh project; GOREVERSE is described in the content as a variant/family member of GoReShell. It is used to establish reverse SSH connections to attacker-controlled infrastructure and, in some reporting, to function as a reverse proxy or SOCKS-style post-exploitation access tool. The malware has been observed on Windows and Linux systems, with some reports specifically describing a Windows backdoor written in Go and other reports describing ELF samples. Observed tradecraft includes use of SSH keys, WebSocket-based C2 communication, and obfuscation/packing with Garble and UPX.
The malware is associated with China-nexus intrusion activity. Multiple sources in the content link GoReShell/GOREVERSE to UNC5174, and SentinelOne/SentinelLABS reporting ties GoReShell or the broader GOREshell cluster to PurpleHaze activity with overlaps to APT15 and UNC5174. It has been used alongside ORB infrastructure, web shells, Neo-reGeorg, suo5, SNOWLIGHT, VShell, ShadowPad, and in some cases Cobalt Strike follow-on activity.
Observed infection and deployment contexts in the content include exploitation of SAP NetWeaver vulnerabilities, especially CVE-2025-31324, where attackers uploaded JSP web shells and then deployed GOREVERSE/GoReShell for persistent access and post-exploitation. It was also delivered via exploitation of GeoServer CVE-2024-36401, where Fortinet observed GOREVERSE as a reverse proxy payload. Additional reporting describes use after exploitation of Ivanti CSA vulnerabilities CVE-2024-8963 and CVE-2024-8190, and mentions targeting involving Check Point, Fortinet, Microsoft IIS, SonicWall, CrushFTP, ConnectWise ScreenConnect, Palo Alto Networks, and F5 BIG-IP in broader related campaigns.
Targeting linked to campaigns using this malware includes government, media, finance, telecommunications, manufacturing, research, IT services, and logistics organizations, as well as SAP NetWeaver and GeoServer internet-exposed systems. Specific victim geographies mentioned for GeoServer exploitation include India, the United States, Belgium, Thailand, and Brazil; broader PurpleHaze/UNC5174-related victimology spans South Asia, Europe, France, Southeast Asia, China, Hong Kong, Macau, and Western countries.
High-confidence indicators directly mentioned in the content include GOREVERSE connecting to 181[.]214[.]58[.]14:18201 in one GeoServer campaign, and a hard-coded C2 of 47.97.42[.]177:3232 in an SAP NetWeaver exploitation case. Related delivery infrastructure included hxxp://181[.]214[.]58[.]14:61231/remote.sh and ocr-freespace.oss-cn-beijing.aliyuncs[.]com hosting config.sh, with some attackers naming the deployed binary "config."
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2025-31324: On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting SAP NetWeaver's Visual Composer Framework, version 7.50. This vulnerability allows unauthenticated users to upload arbitrary files to an SAP NetWeaver application server, leading to potential remote code execution (RCE) and full system compromise.
"We have also observed attackers deploying other reverse shell tools with the filename config. These include a publicly available tool that Google calls GOREVERSE."
"...drop a Go-based reverse shell dubbed GoReShell..." and "...deliver GOREVERSE, a variant of GoReShell."
"...they deployed publicly available backdoors that belong to the GOREVERSE family, which Mandiant has linked to UNC5174."
UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse.
Groups observed using it
3 distinct threat actors attributed by public researchers.
...employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell. The implant, written in the Go programming language, repurposes an open-source tool called reverse_ssh to set up reverse SSH connections...
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth (1 technique)
Command and Control (3 techniques)
We observed attackers deploying other reverse shell tools... GOREVERSE has the following capabilities: ... Dynamic, local and remote forwarding ... Multiple network transports... We observed an attacker execute ... a Base64-encoded PowerShell script... Uses ssh.exe to establish a remote tunnel to the C2 server.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering network infrastructure (IPs, domains, DNS) and file hashes (MD5, SHA-1, SHA-256).
Recent activity
18 sources tracked across advisories, community write-ups, and news.
GOREVERSE is a backdoor malware that allows remote access and control of compromised systems. It was distributed via exploitation of the GeoServer vulnerability.
GOREVERSE is a reverse shell tool used by attackers to maintain persistent remote access to compromised systems.
GOREVERSE is a backdoor malware, a variant of GoReShell, used to maintain persistence and enable remote access on compromised systems. It is deployed after initial exploitation and lateral movement.
A family of publicly available backdoors used post-compromise; in this reporting it was deployed after initial access and is linked by Mandiant to UNC5174.