Izanagi RAT: Discovery and Analysis of a Cross-Platform, Long-Lived Go Backdoor
2026-04-17, Amphitheater

This proposal describes the discovery and analysis of Izanagi RAT, a low-prevalence Go-based backdoor that likely originates from a China-Nexus threat actor. The malware was discovered recently during an incident response engagement and had been active in the victim’s environment since June 2021. The exceptionally long dwell time and the initial lack of intelligence about this malware strain sparked our interest and led to further analysis and reverse engineering.

Although Izanagi RAT may overlap with the malware family Zingdoor previously described by Trend Micro, technical details about this malware have, to the best of our knowledge, never been published before. As of December 2025, none of the samples we analyzed have meaningful detections or signature matches in VirusTotal, other analysis engines or OSINT indicators and signatures. Furthermore, our work shows that the origins of this malware family can be traced back further than previously reported by Trend Micro.

The talk we intend to give at Botconf will not only provide detailed insight into the technical details of Izanagi RAT, such as various anti-analysis techniques and a multi-protocol C2 communication scheme, but also showcase the methodology and tools used to derive these results.

Fabian is a Threat Intelligence Analyst at Deutsche Telekom Security with a focus on Cybercrime. He has multiple years of experience in tracking threat actors, malware analysis, threat hunting and similar activities. He has spoken at multiple international Cybersecurity conferences and has a strong background in computer networks and IT security research due to his former role as a researcher at the University of Bonn. He enjoys exchanging ideas with other analysts and is constantly striving to expand his network in order to better respond to cyber threats.
