APT / THREAT GROUP
Lyceum Golang HTTP Backdoor
2 aliases
Last seen: Mar 17, 2026
Intelligence Profile
This malware, written in Golang, is used as a backdoor over the HTTP protocol by a state-sponsored threat actor (TA). The backdoor runs in a loop of three stages:
- Check the connectivity
- Registration of the victim
- Retrieval and execution of commands
This TA also uses .NET backdoor variants that utilize HTTP and DNS.
Threat Analysis
Lyceum Golang HTTP Backdoor is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As
- Lyceum Golang HTTP Backdoor
- win.lyceum_http_backdoor_golang
External Intelligence
Malpedia: win.lyceum_http_backdoor_golang
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.