PortStarter

PortStarter is a Go-based backdoor used by the ransomware affiliate cluster TAC5279, which Sophos says overlaps with Microsoft’s Vanilla Tempest/DEV-0832 tracking, and IBM also notes possible associations between Hive0163 and developers behind PortStarter. It was observed in enterprise intrusions spanning November 2022 to June 2023, including cases involving Vice Society and later Rhysida ransomware, targeting organizations in government/logistics, logistics, education, and manufacturing. In the reported intrusions, initial access commonly involved valid VPN credentials on accounts without MFA, followed by discovery, lateral movement, credential theft, data exfiltration, and ransomware deployment. PortStarter was used for command-and-control and persistence; Sophos describes it as modifying firewall settings, opening ports, and connecting to configured C2 servers. Persistence was established via scheduled tasks such as 'System' and 'SystemCheck' that executed DLLs with rundll32. Observed PortStarter file paths included C:\Windows\System32\config\main.dll, c:\users\public\main.dll, and C:\ProgramData\schk.dll. Reported PortStarter C2 IPs in these cases were 156.96.62[.]58, 146.70.104[.]249, 51.77.102[.]106, 108.62.141[.]161, and 157.154.194[.]6. Sophos noted PortStarter was common in earlier Vice Society-linked cases and was not observed after TAC5279 transitioned to Rhysida, where SystemBC became the primary C2 method.