Campaign Identifier: Houselet-PlayStation-Remote-Play-Masquerade

Last Updated: November 17, 2025


Go-based Stealer / Loader / RAT

Analyst: Joseph Harrison
Date: November 2025
Environment: Windows 10 x64 (Userland / Kernel interaction observed)
Classification: Go-based Stealer / Loader / Remote Access Trojan (RAT)


BLUF (Bottom Line Up Front)

Executive Summary

Business Impact Summary

Houselet.exe represents a sophisticated Go-based malware threat masquerading as legitimate PlayStation software. The malware establishes persistent access, exfiltrates sensitive data, and provides remote control capabilities. Containment and forensic investigation are recommended.

Key Risk Factors

Risk Factor       | Score | Business Impact
------------------|-------|-----------------------------------------------------------------------------------------
Data Exfiltration | 8/10  | High-value data theft including credentials, financial information, and sensitive business data
Persistence       | 9/10  | Long-term unauthorized access with multiple persistence mechanisms
Remote Control    | 8/10  | Full system control and capability to deploy additional malware
Detection Evasion | 7/10  | Advanced anti-analysis techniques complicate detection and removal

Immediate Actions:

  1. ISOLATE affected systems from network immediately
  2. IDENTIFY all potentially compromised endpoints (6.68MB PS Remote Play installers)
  3. COLLECT forensic evidence before remediation
  4. NOTIFY security team and legal/compliance departments
  5. ASSESS data exposure scope and regulatory notification requirements

Organizational Guidance

For Executive Leadership

  • Resource Allocation: Assess incident response team deployment and system rebuild requirements
  • Business Continuity: Evaluate potential disruption during remediation activities
  • Compliance Obligations: Review regulatory reporting requirements if data breach confirmed
  • Stakeholder Communication: Plan internal and external notification strategies
  • Strategic Security: Consider long-term security investments for prevention

For Technical Teams

Recommended Actions:

  • Deploy Detection Signatures: Check detections page for hunting rules and deploy across environment
  • Hunt for IOCs: Search systems for indicators of compromise using provided hashes and patterns
  • Network Analysis: Review logs for connections to malicious infrastructure
  • System Isolation: Isolate any confirmed compromised systems from network
  • Evidence Preservation: Collect forensic data before system remediation
  • Threat Hunting: Conduct environment-wide hunt for additional compromised systems

For Detailed Technical Procedures:

  • Malware capabilities: See Sections 4-6 (Static Analysis, Dynamic Analysis, Behavioral Summary)
  • Detection methods: See Section 10 (Mitigation & Detection Recommendations)
  • Incident response procedures: See Section 9 (Incident Response Procedures)
  • Long-term defensive strategy: See Section 12 (Long-term Defensive Strategy)

1. Executive Summary

houselet.exe is a Go 1.15-compiled 64-bit Windows binary that masquerades as the PlayStation Remote Play installer. The sample is characterized by multiple layers of obfuscation, dynamic loading, and in-memory execution, aligning it with modular loader-stealer families such as STEALC or derivative Go-based frameworks. It primarily operates from the user’s temporary directory, communicates with a remote PHP-based C2 endpoint, and modifies registry/network configurations to maintain persistence and evade detection.


2. File & Build Characteristics

Attribute            | Value                                                                                    | Confidence Level
---------------------|------------------------------------------------------------------------------------------|-----------------
Malware Type         | Go-based Stealer/Loader/RAT                                                              | CONFIRMED
File Type            | PE32+ (x86-64) Windows Executable                                                        | CONFIRMED
Compiler / Runtime   | Go 1.15 (static-linked)                                                                  | CONFIRMED
Packaging Method     | InstallShield-style stub (drops or runs child payloads)                                  | LIKELY
Language             | English                                                                                  | CONFIRMED
File Size            | ~6.68 MB (6,683,840 bytes)                                                               | CONFIRMED
Entropy              | 6.6 bits / byte (packed/compressed)                                                      | CONFIRMED
Digital Signature    | Untrusted / self-signed                                                                  | CONFIRMED
Impersonation Target | Sony Interactive Entertainment Inc. ("PS Remote Play Installer 8.5.0.08070_x64.exe")      | CONFIRMED

Hash Information

Hash Type | Value
----------|-----------------------------------------------------------------
MD5       | 6f8351ff0adfd7b724bf34cab7c6052b
SHA1      | a803fa85b84e363604975a5682b279a69739a78e
SHA256    | 6fbaa2637e7c8773695dcf07a85dc830112da3d8dab5dbe277dfa96111470920
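The entropy figure and the hash values above are the first things a triage script checks. As an added example that is not part of the original report, the following Python script computes Shannon entropy in bits per byte, verifies the PE32+ header, compares the SHA-256 digest against the report's IOC hash, and searches for the sunless/anesthetist package path recovered in section 4.3 and the Sony branding noted in the attribute table; it is also a concrete form of the "high-entropy Go binary with Sony metadata" file-analysis check recommended in section 10. The 6.5-bit threshold, the "Go build ID" marker check and the two sample files are constructed assumptions for illustration (the report's measured value for the real sample is 6.6).

```python
import hashlib
import math
from collections import Counter

# IOC hash from the report's hash table (SHA256 of houselet.exe)
IOC_SHA256 = {
    "6fbaa2637e7c8773695dcf07a85dc830112da3d8dab5dbe277dfa96111470920": "houselet.exe",
}

# String indicators: Go package paths recovered in section 4.3, the Go toolchain
# build-ID marker emitted into Go-compiled binaries, and the impersonated vendor name.
GO_MARKER = b"Go build ID"
INDICATOR_STRINGS = [
    b"sunless/anesthetist",
    b"sunless/main.go",
    b"Sony Interactive Entertainment",
]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def is_pe64(data: bytes) -> bool:
    """True if data carries an MZ/PE header whose optional-header magic is PE32+ (0x20B)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 26:
        return False
    return int.from_bytes(data[pe_off + 24:pe_off + 26], "little") == 0x20B

def triage(data: bytes, entropy_threshold: float = 6.5) -> dict:
    """Return the indicators that fire for one file image; an empty list means nothing matched."""
    sha256 = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    strings_found = [s.decode() for s in INDICATOR_STRINGS if s in data]
    fired = []
    if sha256 in IOC_SHA256:
        fired.append("sha256 matches IOC")
    if b"sunless/anesthetist" in data:
        fired.append("sunless/anesthetist package string")
    # Section 10 file-analysis check: high-entropy Go PE carrying Sony metadata
    if (is_pe64(data) and GO_MARKER in data
            and entropy >= entropy_threshold
            and b"Sony Interactive Entertainment" in data):
        fired.append("high-entropy Go PE with Sony metadata")
    return {"sha256": sha256, "entropy": round(entropy, 2),
            "strings": strings_found, "indicators": fired}

def build_sample_pe(body: bytes) -> bytes:
    """Constructed minimal PE32+ image: DOS header, PE signature, COFF header, magic, then body."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)   # DOS header up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")     # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0" + b"\0" * 20           # PE signature + 20-byte COFF header
    hdr += (0x20B).to_bytes(2, "little")    # optional-header magic: PE32+
    return bytes(hdr) + body

# Constructed samples: a packed-looking Go PE with the report's strings, and a benign low-entropy PE
SUSPECT_SAMPLE = build_sample_pe(
    b'Go build ID: "constructed"\0'
    + b"sunless/anesthetist/anesthetist.go\0sunless/main.go\0"
    + b"Sony Interactive Entertainment\0"
    + bytes(range(256)) * 32)       # uniform bytes stand in for packed sections
BENIGN_SAMPLE = build_sample_pe(b"Hello from a plain installer.\0" * 50)

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))
```

Run against real files by reading them in binary mode and passing the bytes to triage(); the entropy threshold is deliberately below the report's 6.6 so that moderately packed Go binaries still surface for review rather than being filtered out.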

3. Portable Executable (PE) Structure

Section | Purpose                          | Security Relevance
--------|----------------------------------|------------------------------------------------------
.text   | Executable code (main logic)     | HIGH - Contains malicious execution logic
.rdata  | Go runtime metadata / strings    | MEDIUM - May contain C2 URLs and encrypted data
.data   | Global variables                 | MEDIUM - Configuration and state data
.pdata  | Exception directory              | LOW - Standard exception handling
.xdata  | Unwind metadata                  | LOW - Exception unwind information
.idata  | Import table                     | HIGH - Reveals API usage and capabilities
.reloc  | Relocations                      | LOW - Standard relocations
.symtab | Symbol table with Go names       | MEDIUM - Function names reveal capabilities
.rsrc   | Installer resources / icons      | HIGH - Contains fake PlayStation icons for deception

4. Static Analysis

4.1 Capability Detection

  • Network: UDP/TCP sockets, DNS queries
  • System Access: Registry read/write, token manipulation, file ops
  • Privilege Management: Escalates/impersonates tokens
  • Anti-Analysis: Anti-VM checks, TLS allocation
  • Installer Stub: May unpack/drop payloads

4.2 Cryptographic & Encoding Routines

  • Base64 (326 matches)
  • XOR (18 matches)
  • AES (4 matches)
  • RC4/Salsa20/ChaCha20 detected
  • Hashing: FNV (20), Murmur3 (5)

4.3 Embedded Go Modules

Recovered paths: sunless/anesthetist/*.go, sunless/main.go
Functions such as anesthetist.Nonprobableproagrarian and anesthetist.OverdevotedlyFrederick (obfuscated names) perform in-memory decryption and RWX allocation.

4.4 In-Memory Execution Evidence

  • Calls to VirtualAlloc, VirtualProtect
  • Nested goroutines for payload staging
  • Thread-safe memory ops via sync.Mutex, sync.Once
  • Synthetic structs in .rdata as decoys

4.5 System & OS-Level Functions

  • os.Executable, os.getModuleFileName
  • syscall.NewLazyDLL, LazyProc.Call
  • Reflective DLL loading and privilege manipulation

4.6 Go Runtime Behavior

  • Threads & Goroutines: runtime.mstart, runtime.main
  • Synchronization: sync/once, sync/mutex
  • String processing: unicode/utf8, encoding/binary

5. Dynamic Analysis (Any.Run Sandbox)

5.1 Execution Chain

  • Parent: explorer.exe
  • Child: houselet.exe (self-spawned)
  • Path: %TEMP%\houselet.exe
  • Detection Label: STEALC variant

5.2 Registry & Config Mods

  • Alters IE settings (cache, proxy bypass)
  • Adds ZoneMap entry under HKCU

5.3 Network Communication

  • HTTP POST → http://45.155.69[.]25/b8380e89dabaee4a.php
  • Destination: 45.155.69[.]25:80
  • Purpose: Exfiltration / C2

5.4 System Reconnaissance

  • Queries computer name, locale, IE settings

5.5 Memory & Thread Activity

  • Multiple goroutines for concurrent tasks
  • RWX memory allocations
  • Hidden threads via sync.Once

5.6 Observed Artifacts

  • Executable: %TEMP%\houselet.exe
  • Network IP: 45.155.69[.]25
  • C2 Endpoint: /b8380e89dabaee4a.php
  • Certificate: Untrusted/self-signed

6. Behavioral Summary

  • Execution: Runs from Temp, self-spawns, registry persistence
  • Memory Loading: Decrypts payloads into RWX pages
  • Network: HTTP POST to C2, exfiltrates data
  • Registry Mods: Alters IE ZoneMap/proxy keys
  • Privilege Ops: Token manipulation
  • Evasion: Anti-VM, fake Sony metadata
  • Crypto: Base64, AES, RC4, ChaCha
  • Concurrency: Nested goroutines

8. Threat Assessment

Assessment Category    | Finding                                                                      | Confidence Level
-----------------------|------------------------------------------------------------------------------|-----------------
Primary Objective      | Data exfiltration / secondary payload deployment                             | CONFIRMED
Technical Capabilities | In-memory execution, encrypted C2, registry manipulation, anti-VM            | CONFIRMED
Malware Family         | STEALC or related Go-based RAT/loader                                        | LIKELY
Business Impact        | High - Data theft, system compromise, persistence                            | CONFIRMED
Detection Difficulty   | Medium-High - Uses legitimate software disguise                              | LIKELY
Remediation Complexity | High - Multiple persistence mechanisms                                       | LIKELY

Confidence Levels Summary

CONFIRMED (Highest Confidence):

  • File hash identifiers and technical characteristics
  • Go runtime metadata and compilation details
  • Static analysis findings (capabilities, obfuscation techniques)
  • Network infrastructure analysis and C2 endpoints
  • Installer packaging and persistence mechanisms

LIKELY (Strong Evidence):

  • STEALC family attribution (based on code patterns and behavior)
  • Detection difficulty assessment (legitimate software disguise effectiveness)
  • Remediation complexity (multiple persistence mechanisms)

POSSIBLE (Analytical Judgment):

  • Specific threat actor attribution (requires additional intelligence)
  • Exact infection vector distribution method
  • Broader campaign context and scope

9. Incident Response Procedures

Priority 1: Initial Response

  1. ISOLATE affected systems from network immediately
  2. IDENTIFY all potentially compromised endpoints (6.68MB PS Remote Play installers)
  3. COLLECT forensic evidence before remediation
  4. NOTIFY security team and legal/compliance departments
  5. ASSESS data exposure scope and regulatory notification requirements

Priority 2: Investigation & Analysis

  1. FORENSIC ANALYSIS of collected memory dumps and disk images
  2. LOG ANALYSIS for lateral movement and data exfiltration
  3. REGISTRY ANALYSIS for persistence mechanisms
  4. NETWORK ANALYSIS for connections to C2 infrastructure
  5. USER INTERVIEWS to determine infection vector and timeline

Priority 3: Remediation & Recovery

  1. REBUILD affected systems from known-good images
  2. RESET all credentials for potentially compromised accounts
  3. UPDATE endpoint detection and response signatures
  4. DEPLOY enhanced monitoring for Go-based malware
  5. IMPLEMENT application whitelisting for temporary directories

10. Mitigation & Detection Recommendations

Network Security Controls

Control         | Implementation                                                      | Priority
----------------|---------------------------------------------------------------------|---------
Firewall Rules  | Block 45.155.69[.]25:80 and similar suspicious IPs                   | CRITICAL
Proxy Filtering | Block HTTP POST to PHP paths without User-Agent headers             | HIGH
DNS Filtering   | Block known malicious domains and implement category filtering      | MEDIUM

Endpoint Detection & Response

Detection Method      | Implementation                                                       | Effectiveness
----------------------|----------------------------------------------------------------------|--------------
YARA Rules            | Deploy rules for sunless/anesthetist strings and Go runtime patterns | HIGH
Behavioral Monitoring | Monitor executions from Temp/AppData named houselet.exe              | HIGH
Registry Monitoring   | Alert on IE ZoneMap/proxy configuration changes                      | MEDIUM
File Analysis         | Scan for high-entropy Go binaries with Sony metadata                 | MEDIUM
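To turn the network and endpoint recommendations above into logic that can be run over telemetry, here is an added Python example that is not part of the original report or of any vendor product. It applies the report's indicators from sections 5.1, 5.2, 5.3 and 10 (houselet.exe launched from Temp/AppData, self-spawning, IE ZoneMap/proxy registry changes, connections to the C2 address on port 80, and a POST to a .php path with no User-Agent) to a handful of constructed JSON-lines event records in a generic EDR-export shape. The field names (event, image, parent_image, key, value_name, dst_ip, dst_port, method, path, user_agent), the sample paths and the severity labels are assumptions; the IP, port and PHP path are the report's own IOCs, written undefanged so they match.

```python
import json
import re

# Report IOCs (sections 5.3 / 5.6), undefanged for matching
C2_IP = "45.155.69.25"
C2_PORT = 80
C2_PATH = "/b8380e89dabaee4a.php"

# houselet.exe executed from a user Temp or AppData location (section 10, behavioral monitoring)
TEMP_HOUSELET = re.compile(r"\\(?:temp|appdata)\\.*houselet\.exe$", re.IGNORECASE)
PROXY_VALUES = {"proxyenable", "proxyoverride", "proxyserver"}

def rule_temp_exec(ev):
    if ev.get("event") == "process_create" and TEMP_HOUSELET.search(ev.get("image", "")):
        return "temp_houselet_exec"

def rule_self_spawn(ev):
    # Section 5.1: houselet.exe observed spawning a second copy of itself
    if (ev.get("event") == "process_create"
            and ev.get("image", "").lower().endswith("\\houselet.exe")
            and ev.get("parent_image", "").lower().endswith("\\houselet.exe")):
        return "houselet_self_spawn"

def rule_ie_config(ev):
    # Section 5.2: ZoneMap entry added under HKCU, IE proxy/cache settings altered
    if ev.get("event") != "registry_set":
        return None
    key = ev.get("key", "").upper()
    if not key.startswith("HKCU\\") or "\\INTERNET SETTINGS" not in key:
        return None
    if "\\ZONEMAP" in key or ev.get("value_name", "").lower() in PROXY_VALUES:
        return "ie_zonemap_proxy_change"

def rule_c2_ip(ev):
    if (ev.get("event") == "network_connect"
            and ev.get("dst_ip") == C2_IP and ev.get("dst_port") == C2_PORT):
        return "c2_ip_connection"

def rule_c2_path(ev):
    if ev.get("event") == "http_request" and ev.get("path") == C2_PATH:
        return "c2_php_post"

def rule_php_post_no_ua(ev):
    # Section 10, proxy filtering: POST to a PHP path with no User-Agent header
    if (ev.get("event") == "http_request" and ev.get("method") == "POST"
            and ev.get("path", "").lower().endswith(".php") and not ev.get("user_agent")):
        return "php_post_no_ua"

RULES = [rule_temp_exec, rule_self_spawn, rule_ie_config, rule_c2_ip, rule_c2_path, rule_php_post_no_ua]
# Severities follow the priorities in the section 10 tables (assumed mapping)
SEVERITY = {"c2_ip_connection": "CRITICAL", "c2_php_post": "CRITICAL", "php_post_no_ua": "HIGH",
            "temp_houselet_exec": "HIGH", "houselet_self_spawn": "HIGH",
            "ie_zonemap_proxy_change": "MEDIUM"}

def hunt(lines):
    """Apply every rule to each JSON-lines record; returns (line_no, severity, rule_id) hits."""
    hits = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the hunt
        for rule in RULES:
            rid = rule(ev)
            if rid:
                hits.append((no, SEVERITY[rid], rid))
    return hits

# Constructed sample telemetry (not real captured logs); line 9 is deliberately truncated
SAMPLE_LOG = [
    r'{"event": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\houselet.exe", "parent_image": "C:\\Windows\\explorer.exe"}',
    r'{"event": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\houselet.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\houselet.exe"}',
    r'{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\example", "value_name": "http"}',
    r'{"event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "value_name": "ProxyOverride"}',
    r'{"event": "network_connect", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\houselet.exe", "dst_ip": "45.155.69.25", "dst_port": 80}',
    r'{"event": "http_request", "method": "POST", "dst_ip": "45.155.69.25", "path": "/b8380e89dabaee4a.php", "user_agent": ""}',
    r'{"event": "process_create", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe"}',
    r'{"event": "http_request", "method": "GET", "dst_ip": "203.0.113.10", "path": "/index.php", "user_agent": "Mozilla/5.0"}',
    r'{"event": "process_create", "image": ',
]

if __name__ == "__main__":
    for no, sev, rid in hunt(SAMPLE_LOG):
        print(f"line {no}: [{sev}] {rid}")
```

The two benign records (a browser launch from Program Files and a GET with a User-Agent) produce no hits, which is the point of keeping the PHP rule tied to POST plus a missing User-Agent rather than to the .php extension alone; widen it only after checking how much legitimate traffic in your environment would match.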

Long-term Defensive Strategy

  1. Application Whitelisting for temporary directories
  2. User Awareness Training on software installation risks
  3. Enhanced Code Signing verification for all executables
  4. Regular Security Assessments of Go-based applications
  5. Threat Intelligence Integration for emerging Go malware families

11. Operational Impact Assessment

Impact Scenarios

Impact Category        | Severity Level | Recovery Time
-----------------------|----------------|----------------
Data Compromise        | HIGH           | extended period
System Compromise      | HIGH           | several weeks
Operational Disruption | MEDIUM         | several weeks
Compliance Impact      | HIGH           | extended period

Operational Impact Timeline

  • Immediate Response: System isolation, service disruption
  • Investigation Phase: Forensic analysis and remediation planning
  • Recovery Phase: System recovery and enhanced monitoring
  • Long-term Phase: Process improvements and compliance activities

12. Long-term Defensive Strategy

Technology Enhancements

  1. Endpoint Protection Platform (EPP) with Go malware detection capabilities
  2. Extended Detection and Response (XDR) for comprehensive visibility
  3. Application Control to prevent unauthorized software execution
  4. Network Segmentation to limit lateral movement
  5. Cloud Security Posture Management for hybrid environments

Process Improvements

  1. Software Installation Policies requiring approval and verification
  2. Incident Response Playbooks specific to Go-based malware
  3. Regular Security Awareness Training on social engineering tactics
  4. Vendor Risk Management for third-party software suppliers
  5. Continuous Monitoring of emerging Go malware families

Organizational Measures

  1. Security Champions Program to promote security culture
  2. Regular Security Assessments including penetration testing
  3. Threat Intelligence Subscription for early warning capabilities
  4. Executive Security Briefings on emerging threats
  5. Investment in Security Tools and personnel training

13. Frequently Asked Questions

Technical Questions

Q: Why is Go-based malware particularly dangerous?
A: Go malware is cross-platform, statically linked (fewer dependencies), and harder to analyze due to Go’s runtime complexity and obfuscation capabilities.

Q: How can we detect similar threats in the future?
A: Implement behavioral analysis for unusual process execution, monitor for high-entropy Go binaries, and deploy YARA rules specific to Go malware patterns.

Q: What makes the PlayStation disguise effective?
A: Legitimate software branding reduces user suspicion, and PlayStation’s popularity among gamers makes it an attractive lure.

Business Questions

Q: Should we rebuild or clean infected systems?
A: REBUILD is strongly recommended due to multiple persistence mechanisms and potential for undiscovered malware components.

Q: What regulatory obligations might we have?
A: Depends on data types compromised. Consult legal counsel for GDPR, CCPA, HIPAA, or industry-specific requirements.

Q: How long will recovery take?
A: Full recovery typically takes several weeks for technical remediation, and an extended period when process improvements and compliance activities are included.


14. Conclusion

houselet.exe is a sophisticated Go-based loader/stealer employing in-memory payload deployment, encrypted C2 communication, and environment-aware evasion. Its combination of fake installer disguise, registry persistence, HTTP POST exfiltration, and runtime function obfuscation (via the sunless/anesthetist package) marks it as an evolving threat in the Go malware landscape.

Key Takeaways:

  • Immediate containment and forensic investigation are critical
  • System rebuilding is strongly recommended over cleaning
  • Long-term defensive strategy requires technology, process, and organizational improvements
  • Business impact can be significant without proper response planning

License

© 2025 Joseph. All rights reserved.
Free to read, but reuse requires written permission.