Undetected Go-Based Malware Emerges: GREENBLOOD Ransomware and Moonrise RAT

Researchers Discover New Go-Based GREENBLOOD Ransomware and Fully Undetected Moonrise RAT

HIGH
February 11, 2026
6m read
Malware, Ransomware, Threat Intelligence


Executive Summary

On February 11, 2026, security researchers from the ANY.RUN sandbox service reported the discovery of two potent new malware families developed in the Go programming language. The first, GREENBLOOD, is a ransomware variant optimized for speed and stealth, capable of rapid encryption and self-deletion to hinder forensic analysis. The second, Moonrise RAT, is a full-featured remote access trojan that, at the time of its discovery, was completely undetected by all antivirus engines on VirusTotal. Moonrise RAT is equipped with extensive capabilities to steal credentials, authentication tokens, and browser data. Because Go is cross-platform and produces statically linked binaries, these threats can be packaged into a single executable that is harder to analyze and to detect with traditional signature-based methods. This represents a growing challenge for security teams, as attackers increasingly adopt modern programming languages to bypass established defenses.


Threat Overview

GREENBLOOD Ransomware

  • Type: Ransomware
  • Language: Go
  • Key Features:
    • High-speed encryption: Built to encrypt files as quickly as possible to maximize impact before it can be stopped.
    • Anti-forensics: Includes functionality to remove evidence of its execution, complicating incident response.
    • Evasion: The use of Go helps it evade static analysis and signature-based AV.

Moonrise RAT

  • Type: Remote Access Trojan (RAT)
  • Language: Go
  • Key Features:
    • Zero Detection: At the time of analysis, it had a 0/70 detection rate on VirusTotal, making it effectively invisible to most endpoint protection.
    • Full-Featured: Not a simple dropper, but a comprehensive RAT.
    • Credential Theft: Capable of stealing stored passwords, browser cookies, and authentication tokens from various applications.
    • Stealthy C2: Maintains active command-and-control communications while remaining undetected.

Technical Analysis

The choice of the Go language is a deliberate and strategic decision by the malware authors. Go programs are compiled into a single, static binary that includes all necessary libraries. This has several advantages for attackers:

  1. Evasion (T1027 - Obfuscated Files or Information): The large file size and unique structure of Go binaries can challenge traditional scanners and reverse engineers. It makes signature-based detection less reliable.
  2. Cross-Platform Capability: Go can be easily compiled for Windows, Linux, and macOS, allowing attackers to target multiple operating systems with the same codebase.
  3. Concurrency: Go's built-in support for concurrency (goroutines) is ideal for tasks like ransomware, where multiple files can be encrypted simultaneously, dramatically increasing the speed of the attack as seen with GREENBLOOD.

Moonrise RAT's zero-detection status is particularly concerning. It indicates that the attackers are using modern development practices and testing their creations against public security tools to ensure evasion. Its focus on credential theft (T1555 - Credentials from Password Stores) makes it a perfect initial access tool, allowing attackers to steal legitimate credentials and then return later to move laterally or deploy secondary payloads like ransomware.
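The "unique structure" of Go binaries referred to in point 1 above is also what gives defenders a handle on them: every Go binary carries a pclntab (function/line table) with a version-specific magic word, and most carry a build ID and build-info header. The triage helper below is an added example, not ANY.RUN's code or a rule taken from either malware family; it flags a file as Go-built only when at least two of those markers agree. The magic values are those defined in Go's debug/gosym package, the little-endian header layout is an assumption for x86/x86-64 targets, and the two sample blobs are constructed stand-ins rather than real samples.

```python
"""Triage check: does a file look like a Go-compiled binary, and which Go
generation built it? Added example, not ANY.RUN's code. It keys on the
structural markers YARA rules for Go binaries commonly use: the pclntab
header magic (values from Go's debug/gosym) and the 'Go build ID:' /
'Go buildinf:' strings. The sample blobs below are constructed, not real files."""
import re
import struct

# pclntab header magics as defined in Go's debug/gosym, one per format change.
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "Go 1.2-1.15",
    0xFFFFFFFA: "Go 1.16-1.17",
    0xFFFFFFF0: "Go 1.18-1.19",
    0xFFFFFFF1: "Go 1.20+",
}
BUILDINFO_MAGIC = b"\xff Go buildinf:"          # header of the embedded build info
BUILD_ID_RE = re.compile(rb'Go build ID: "([^"\x00]{1,200})"')


def find_pclntab(data: bytes):
    """Return (offset, go_generation) for the first plausible pclntab header.

    Header layout (little-endian assumed here): magic (4 bytes), two zero pad
    bytes, the instruction quantum (1 for x86, 2 for s390x, 4 for ARM/RISC-V
    and friends) and the pointer size (4 or 8). Checking the trailing bytes
    keeps a stray 0xFFFFFFFx word in unrelated data from matching.
    """
    for magic, label in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic) + b"\x00\x00"
        pos = data.find(needle)
        while pos >= 0:
            if pos + 8 <= len(data):
                quantum, ptrsize = data[pos + 6], data[pos + 7]
                if quantum in (1, 2, 4) and ptrsize in (4, 8):
                    return pos, label
            pos = data.find(needle, pos + 1)
    return None


def find_build_id(data: bytes):
    """Return the Go build ID string if the binary carries one, else None."""
    m = BUILD_ID_RE.search(data)
    return m.group(1).decode("ascii", "replace") if m else None


def triage(data: bytes) -> dict:
    """Summarise the Go-related markers found in `data` for a triage report."""
    pcln = find_pclntab(data)
    build_id = find_build_id(data)
    has_buildinfo = BUILDINFO_MAGIC in data
    # Two independent markers are required before calling it Go: a lone magic
    # word or a lone string is too easy to hit by accident (or to plant).
    markers = sum([pcln is not None, build_id is not None, has_buildinfo])
    return {
        "size": len(data),
        "is_go": markers >= 2,
        "go_generation": pcln[1] if pcln else None,
        "pclntab_offset": pcln[0] if pcln else None,
        "build_id": build_id,
        "has_buildinfo": has_buildinfo,
    }


# Constructed stand-in for a Go PE file: an MZ stub, a build-info header,
# a build ID string and a Go 1.20+ pclntab header (x86-64: quantum 1, ptr 8).
SAMPLE_GO_BLOB = (
    b"MZ" + b"\x00" * 62
    + BUILDINFO_MAGIC + b"\x08\x00" + b"\x00" * 16
    + b'Go build ID: "aBcD1234/eFgH5678/iJkL9012/mNoP3456"\x00'
    + b"\xf1\xff\xff\xff\x00\x00\x01\x08" + b"\x00" * 32
)
SAMPLE_OTHER_BLOB = b"MZ" + b"\x00" * 200          # constructed: no Go markers at all

if __name__ == "__main__":
    for name, blob in (("go-sample", SAMPLE_GO_BLOB), ("other", SAMPLE_OTHER_BLOB)):
        print(name, triage(blob))
```

The check is only as good as what is visible on disk: a stripped or packed Go binary hides the build ID and may hide the pclntab until it is unpacked, which is why the memory-scanning advice in the Detection & Response section complements a rule like this rather than being replaced by it.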

MITRE ATT&CK Mapping (Moonrise RAT & GREENBLOOD)


Impact Assessment

The emergence of these tools has a significant impact on the defensive landscape:

  • Shrinking Detection Window: Fast-encrypting ransomware like GREENBLOOD reduces the time from initial infection to catastrophic impact, making automated, real-time detection and response critical.
  • Failure of Static Defenses: The ineffectiveness of signature-based AV against threats like Moonrise RAT means organizations relying solely on traditional antivirus are completely exposed.
  • Commodification of Stealth: The discovery of these tools suggests that highly evasive malware is becoming more accessible, not just limited to top-tier APT groups. A successful infection with Moonrise RAT could lead to a complete compromise of user and system credentials, paving the way for a follow-on ransomware attack by GREENBLOOD or another family.

Detection & Response

Detecting Go-based malware requires a shift from static signatures to behavioral analysis.

  • Behavioral-Based EDR: Deploy an Endpoint Detection and Response (EDR) solution that focuses on behavior. For GREENBLOOD, this would mean detecting rapid, high-volume file modification/encryption activity. For Moonrise RAT, it would mean detecting processes that access credential stores, browser data files, and then make external network connections.
  • Memory Analysis: Since the malware may be packed or obfuscated on disk, memory analysis and scanning can be more effective at identifying the malicious code after it has been unpacked in memory.
  • Network Analysis: Monitor for anomalous outbound connections, especially from processes that do not typically access the internet. Use threat intelligence to block known C2 domains associated with these new malware families as they become available.
  • YARA Rules for Go Binaries: Security teams can develop custom YARA rules that look for specific strings, functions, or structural properties common to malicious Go binaries.
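The first bullet above names two behaviours worth alerting on: rapid, high-volume file modification by one process (the GREENBLOOD pattern) and a process reading credential stores and then connecting out (the Moonrise RAT pattern). The script below is an added example of both detections written against constructed endpoint telemetry; it is not ANY.RUN's code and does not use any EDR vendor's rule syntax. The CSV event format (timestamp,pid,image,event,target), the event names, the credential-store path markers, the thresholds and every event in the sample are assumptions made for the example.

```python
"""Behavioral detections for the two patterns the article names: rapid
high-volume file modification (GREENBLOOD-style) and credential-store access
followed by an outbound connection (Moonrise-style). Added example, not
ANY.RUN's code or any EDR's rule syntax; the CSV telemetry format
(timestamp,pid,image,event,target) and all events are constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Paths that hold browser or OS secrets; substring matches are deliberately loose.
CRED_STORE_MARKERS = ("\\Login Data", "\\Cookies", "\\Local State",
                      "\\logins.json", "\\Credentials\\")
# Processes expected to read those stores; anything else touching them is suspect.
CRED_STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "lsass.exe"}


def parse_events(text: str) -> list:
    """Parse CSV telemetry into dicts sorted by timestamp; '#' lines are comments."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        ts, pid, image, event, target = row
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "pid": int(pid), "image": image, "event": event, "target": target})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mass_modification(events, threshold=20, window=timedelta(seconds=10)):
    """Alert once per pid as soon as it touches >= threshold distinct files within `window`."""
    alerts, per_pid = [], defaultdict(list)
    for e in events:
        if e["event"] in ("file_write", "file_rename"):
            per_pid[e["pid"]].append(e)
    for pid, evs in per_pid.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            distinct = {x["target"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"rule": "mass_file_modification", "pid": pid,
                               "image": cur["image"], "count": len(distinct),
                               "span_s": (cur["ts"] - evs[start]["ts"]).total_seconds()})
                break
    return alerts


def detect_cred_access_then_network(events, window=timedelta(seconds=60)):
    """Alert when a non-owner process reads a credential store and then connects out."""
    alerts, last_cred = [], {}
    for e in events:
        if e["event"] == "file_read" and any(m in e["target"] for m in CRED_STORE_MARKERS):
            if e["image"].lower() not in CRED_STORE_OWNERS:
                last_cred[e["pid"]] = e
        elif e["event"] == "net_connect" and e["pid"] in last_cred:
            cred = last_cred.pop(e["pid"])
            if e["ts"] - cred["ts"] <= window:
                alerts.append({"rule": "cred_store_then_network", "pid": e["pid"],
                               "image": e["image"], "store": cred["target"],
                               "remote": e["target"]})
    return alerts


def build_sample_telemetry() -> str:
    """Constructed telemetry: benign activity plus one instance of each malicious pattern."""
    base = datetime(2026, 2, 11, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat() + "Z"

    lines = ["# constructed telemetry: timestamp,pid,image,event,target"]
    for i in range(3):                      # benign: a user saving a few files
        lines.append(f"{stamp(i)},1000,explorer.exe,file_write,C:\\Users\\a\\Desktop\\note{i}.txt")
    chrome_store = "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
    lines.append(f"{stamp(0)},2200,chrome.exe,file_read,{chrome_store}")      # owner: expected
    lines.append(f"{stamp(1)},2200,chrome.exe,net_connect,198.51.100.7:443")
    for i in range(25):                     # 25 distinct files rewritten in about 3 seconds
        lines.append(f"{stamp(5 + 0.12 * i)},4120,svchost.exe,file_write,C:\\Users\\a\\Documents\\report{i}.docx")
    lines.append(f"{stamp(20)},5588,updater.exe,file_read,{chrome_store}")   # non-owner read
    lines.append(f"{stamp(22)},5588,updater.exe,net_connect,203.0.113.10:443")
    return "\n".join(lines)


def run_sample() -> dict:
    events = parse_events(build_sample_telemetry())
    return {"mass": detect_mass_modification(events),
            "cred": detect_cred_access_then_network(events)}


if __name__ == "__main__":
    for rule, hits in run_sample().items():
        print(rule, hits)
```

The mass-modification rule fires the moment the threshold is crossed, so the reported count equals the threshold rather than the eventual total; that is the behaviour wanted when the goal is to interrupt encryption early. The owner allowlist is what keeps the browser's own reads of its password store from alerting, and it is the first thing to tune for a given fleet.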

Mitigation

  1. Advanced Endpoint Protection: Rely on modern EDR and Next-Gen Antivirus (NGAV) solutions that use machine learning and behavioral analysis rather than just static signatures.
  2. Principle of Least Privilege: Restrict user permissions to prevent malware from accessing critical system files or running with administrative privileges.
  3. Credential Protection: Use tools like Windows Defender Credential Guard to protect credentials held by LSASS from being dumped by malware like Moonrise RAT.
  4. Backup and Recovery: For the ransomware threat, maintain offline, immutable backups that cannot be deleted or encrypted by an attacker. Regularly test your recovery process.

Timeline of Events

  1. February 11, 2026: ANY.RUN reports the discovery of GREENBLOOD ransomware and Moonrise RAT.
  2. February 11, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Use EDR solutions that focus on detecting malicious behaviors, such as mass file encryption or credential store access, rather than relying on static signatures.
  • Utilize OS-level credential protection mechanisms like Windows Defender Credential Guard to prevent malware from accessing secrets stored in LSASS.
  • Implement application allowlisting to prevent unknown and untrusted binaries, like these new Go-based threats, from executing.
  • Maintain regular, tested, and immutable backups to ensure recovery from a ransomware attack like GREENBLOOD.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Malware, Go, Golang, Ransomware, RAT, GREENBLOOD, Moonrise RAT, Zero Detection
