MALWARE FAMILY

GAMYBEAR

Internal ID: win.gamybear
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

GAMYBEAR

GAMYBEAR is a software tool written in the Go programming language. Its main functionality is to receive commands (“listener”), execute them (“executor”), and send the results (“sender”) to the control server in BASE64-encoded form over HTTP.

When launched, it generates a unique identifier (UUID), collects basic information about the computer (“whoami”, “wmic nicconfig where IPEnabled=true get IPAddress”), and creates a helper file, %APPDATA%\updater.json, which stores the URL of the control server in JSON format (key “update_server”) together with the other listed data in BASE64-encoded form (keys “uuid”, “hostname”, and “ip”, respectively).

During operation, the software regularly sends requests to the control server (URI: “/c2/get_commands/”) and waits for a response in JSON format with the “command” and “arguments” fields. If the “Nop” command is received, a 15-second pause is initiated. After the commands are executed, the result and other data are encoded using BASE64, stored in a JSON structure (keys: “uuid”, “command”, “output”), and sent to the control server in a request to the URI “/c2/command_out/”.

Persistence across reboots is provided by another program (script) at the initial infection stage, which creates a key in the “Run” branch of the operating system registry.
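The artifacts described above can be checked during triage. The following is an added example, not code from the original profile or its sources: it tests whether a file's content matches the described updater.json layout and flags proxy log lines containing the two described URIs. The function names, the log line format and all sample values are constructed assumptions.

```python
import base64
import json

# URIs and JSON keys as described in the profile above.
C2_URIS = ("/c2/get_commands/", "/c2/command_out/")
ENCODED_KEYS = ("uuid", "hostname", "ip")


def _b64_text(value):
    """Return the decoded text if value is non-empty strict BASE64, else None."""
    if not isinstance(value, str) or not value:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage_updater_json(raw):
    """Return decoded fields if raw matches the described layout, else None."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("update_server"), str):
        return None
    decoded = {key: _b64_text(doc.get(key)) for key in ENCODED_KEYS}
    # Requiring all three BASE64 keys avoids flagging an unrelated updater.json.
    if any(text is None for text in decoded.values()):
        return None
    return {"update_server": doc["update_server"], **decoded}


def c2_uri_hits(log_lines):
    """Return (line_number, uri) for each line containing a described URI."""
    return [(n, uri) for n, line in enumerate(log_lines, 1)
            for uri in C2_URIS if uri in line]


def _enc(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample data (hypothetical values, not real indicators).
SAMPLE_FILE = json.dumps({
    "update_server": "http://c2.example.invalid",
    "uuid": _enc("00000000-0000-4000-8000-000000000000"),
    "hostname": _enc("lab\\analyst"), "ip": _enc("192.0.2.10")})
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z GET http://c2.example.invalid/c2/get_commands/ 200",
    "2026-01-01T10:00:01Z GET http://intranet.example.invalid/index.html 200",
    "2026-01-01T10:00:15Z POST http://c2.example.invalid/c2/command_out/ 200",
]
```

A match from `triage_updater_json` gives the decoded host details and the configured server URL for the incident record; the URI check is a substring match and should be paired with host context before escalation.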

Threat Analysis

GAMYBEAR is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

win.gamybear

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.