Home > List all groups > List all tools > List all groups using tool Godlua

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Godlua

TypeBackdoor, Downloader
Description(Qihoo 360) The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.

Godlua Backdoor has a redundant communication mechanism for C2 connection, a combination of hardcoded dns name,, as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.

We noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers has been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.

Last change to this tool card: 23 April 2021

Download this tool card in JSON format

Previous: GoBuster
Next: Godzilla

All groups using tool Godlua


Other groups

 Rocke, Iron GroupChina2018-Apr 2021 

1 group listed (0 APT, 1 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
PGP Download PGP key