Contents
Campaign Identifier: Houselet-PlayStation-Remote-Play-Masquerade
Last Updated: November 17, 2025
Threat Level: MEDIUM
Go-based Stealer / Loader / RAT
Analyst: Joseph Harrison Date: November 2025 Environment: Windows 10 x64 (Userland / Kernel interaction observed) Classification: Go-based Stealer / Loader / Remote Access Trojan (RAT)
BLUF (Bottom Line Up Front)
Houselet.exe is a Go-compiled implant disguised as the PlayStation Remote Play installer that combines credential theft, remote access, and payload staging in a single 6.68 MB binary. The sample establishes persistent access via registry modification, exfiltrates data to a PHP C2 endpoint at 45.155.69[.]25, and employs reflective loading, RWX memory allocation, and anti-VM checks to resist detection and analysis. Immediate isolation of affected hosts is warranted; the detection rules and IOC feed in the sidebar provide hunting coverage.
Key Risk Factors
| Risk Factor | Score | Business Impact |
|---|---|---|
| Data Exfiltration | 8/10 | High-value data theft including credentials, financial information, and sensitive business data |
| Persistence | 9/10 | Long-term unauthorized access with multiple persistence mechanisms |
| Remote Control | 8/10 | Full system control and capability to deploy additional malware |
| Detection Evasion | 7/10 | Anti-analysis techniques complicate detection and removal |
Recommended Actions
- ISOLATE affected systems from the network immediately
- IDENTIFY all potentially compromised endpoints (6.68 MB PS Remote Play installers)
- COLLECT forensic evidence before remediation
- ASSESS data exposure scope and applicable breach-notification obligations
1. Executive Summary
Houselet.exe is a Go 1.15-compiled 64-bit Windows binary that masquerades as the PlayStation Remote Play installer. The sample combines multiple obfuscation layers, dynamic loading, and in-memory execution, aligning it with modular loader-stealer families such as STEALC or derivative Go-based frameworks. It operates from the user’s temporary directory, communicates with a remote PHP-based C2 endpoint, and modifies registry and network configurations to maintain persistence and evade detection.
2. File & Build Characteristics
| Attribute | Value | Confidence Level |
|---|---|---|
| Malware Type | Go-based Stealer/Loader/RAT | CONFIRMED |
| File Type | PE32+ (x86-64) Windows Executable | CONFIRMED |
| Compiler / Runtime | Go 1.15 (static-linked) | CONFIRMED |
| Packaging Method | InstallShield-style stub (drops or runs child payloads) | HIGH |
| Language | English | CONFIRMED |
| File Size | ~6.68 MB (6,683,840 bytes) | CONFIRMED |
| Entropy | 6.6 bits / byte (packed/compressed) | CONFIRMED |
| Digital Signature | Untrusted / self-signed | CONFIRMED |
| Impersonation Target | Sony Interactive Entertainment Inc. ("PS Remote Play Installer 8.5.0.08070_x64.exe") | CONFIRMED |
Hash Information
| Hash Type | Value |
|---|---|
| MD5 | 6f8351ff0adfd7b724bf34cab7c6052b |
| SHA1 | a803fa85b84e363604975a5682b279a69739a78e |
| SHA256 | 6fbaa2637e7c8773695dcf07a85dc830112da3d8dab5dbe277dfa96111470920 |
3. Portable Executable (PE) Structure
Analyst note: The PE sections below are the internal compartments of the Windows executable file. The
.textsection holds the malicious code that runs when the file executes;.rsrccontains the fake PlayStation icons that make the file appear legitimate;.symtabpreserves Go function names that reveal the malware’s capabilities to an analyst.
| Section | Purpose | Security Relevance |
|---|---|---|
| .text | Executable code (main logic) | HIGH - Contains malicious execution logic |
| .rdata | Go runtime metadata / strings | MEDIUM - May contain C2 URLs and encrypted data |
| .data | Global variables | MEDIUM - Configuration and state data |
| .pdata | Exception directory | LOW - Standard exception handling |
| .xdata | Unwind metadata | LOW - Exception unwind information |
| .idata | Import table | HIGH - Reveals API usage and capabilities |
| .reloc | Relocations | LOW - Standard relocations |
| .symtab | Symbol table with Go names | MEDIUM - Function names reveal capabilities |
| .rsrc | Installer resources / icons | HIGH - Contains fake PlayStation icons for deception |
4. Static Analysis
Analyst note: Static analysis examines the binary without executing it — inspecting embedded strings, imported Windows API functions, cryptographic constants, and Go source path artifacts preserved in the binary. These findings establish what the malware is capable of before any code runs.
4.1 Capability Detection
- Network: UDP/TCP sockets, DNS queries
- System Access: Registry read/write, token manipulation, file ops
- Privilege Management: Escalates/impersonates tokens
- Anti-Analysis: Anti-VM checks, TLS allocation
- Installer Stub: May unpack/drop payloads
4.2 Cryptographic & Encoding Routines
- Base64 (326 matches)
- XOR (18 matches)
- AES (4 matches)
- RC4/Salsa20/ChaCha20 detected
- Hashing: FNV (20), Murmur3 (5)
4.3 Embedded Go Modules
Analyst note: Go binaries statically embed their full source-file path tree. The paths below survived compilation and name the internal packages; the obfuscated function names in those packages perform in-memory decryption and memory allocation for executing a secondary payload.
Recovered paths: sunless/anesthetist/*.go, sunless/main.go
Functions: anesthetist.Nonprobableproagrarian, anesthetist.OverdevotedlyFrederick, etc. → in-memory decryption and RWX allocation.
4.4 In-Memory Execution Evidence
- Calls to VirtualAlloc, VirtualProtect
- Nested goroutines for payload staging
- Thread-safe memory ops via sync.Mutex, sync.Once
- Synthetic structs in .rdata as decoys
4.5 System & OS-Level Functions
- os.Executable, os.getModuleFileName
- syscall.NewLazyDLL, LazyProc.Call
- Reflective DLL loading and privilege manipulation
4.6 Go Runtime Behavior
- Threads & Goroutines: runtime.mstart, runtime.main
- Synchronization: sync/once, sync/mutex
- String processing: unicode/utf8, encoding/binary
5. Dynamic Analysis (behavioral sandbox — Any.Run)
Analyst note: Dynamic analysis detonates the sample in an isolated environment and records every action it takes: processes spawned, registry keys written, network connections attempted, and memory operations. The sequence below is chronological — each step builds on the last to show how the malware progresses from initial execution to active C2 communication.
5.1 Execution Chain
- Parent: explorer.exe
- Child: houselet.exe (self-spawned)
- Path: %TEMP%\houselet.exe
- Detection Label: STEALC variant
5.2 Registry & Config Mods
- Alters IE settings (cache, proxy bypass)
- Adds ZoneMap entry under HKCU
5.3 Network Communication
- HTTP POST → http://45.155.69[.]25/b8380e89dabaee4a.php
- Destination: 45.155.69[.]25:80
- Purpose: Exfiltration / C2
5.4 System Reconnaissance
- Queries computer name, locale, IE settings
5.5 Memory & Thread Activity
- Multiple goroutines for concurrent tasks
- RWX memory allocations
- Hidden threads via sync.Once
5.6 Observed Artifacts
- Executable: %TEMP%\houselet.exe
- Network IP: 45.155.69[.]25
- C2 Endpoint: /b8380e89dabaee4a.php
- Certificate: Untrusted/self-signed
6. Behavioral Summary
- Execution: Runs from Temp, self-spawns, registry persistence
- Memory Loading: Decrypts payloads into RWX pages
- Network: HTTP POST to C2, exfiltrates data
- Registry Mods: Alters IE ZoneMap/proxy keys
- Privilege Ops: Token manipulation
- Evasion: Anti-VM, fake Sony metadata
- Crypto: Base64, AES, RC4, ChaCha
- Concurrency: Nested goroutines
8. Threat Assessment
| Assessment Category | Finding | Confidence Level |
|---|---|---|
| Primary Objective | Data exfiltration / secondary payload deployment | CONFIRMED |
| Technical Capabilities | In-memory execution, encrypted C2, registry manipulation, anti-VM | CONFIRMED |
| Malware Family | STEALC or related Go-based RAT/loader | HIGH |
| Business Impact | High - Data theft, system compromise, persistence | CONFIRMED |
| Detection Difficulty | Medium-High - Uses legitimate software disguise | HIGH |
| Remediation Complexity | High - Multiple persistence mechanisms | HIGH |
Confidence Levels Summary
CONFIRMED (Highest Confidence):
- File hash identifiers and technical characteristics
- Go runtime metadata and compilation details
- Static analysis findings (capabilities, obfuscation techniques)
- Network infrastructure analysis and C2 endpoints
- Installer packaging and persistence mechanisms
HIGH (Strong Evidence):
- STEALC family attribution (based on code patterns and behavior)
- Detection difficulty assessment (legitimate software disguise effectiveness)
- Remediation complexity (multiple persistence mechanisms)
LOW (Analytical Judgment):
- Specific threat actor attribution (requires additional intelligence)
- Exact infection vector distribution method
- Broader campaign context and scope
9. Incident Response Guidance
Responders should address this threat in three sequential phases:
Containment: Isolate affected systems from the network. Identify all endpoints running 6.68 MB PS Remote Play installers. Preserve forensic evidence — memory images, disk captures, and event logs — before any remediation action.
Investigation: Conduct forensic analysis of collected memory dumps and disk images. Review logs for lateral movement and data exfiltration activity. Examine registry entries for persistence mechanisms. Analyze network logs for connections to 45.155.69[.]25 and the /b8380e89dabaee4a.php endpoint.
Recovery: Rebuild affected systems from known-good images. Rotate all credentials on potentially compromised accounts. Deploy updated endpoint detection signatures. Implement behavioral monitoring for Go-based malware execution from temporary directories.
10. Mitigation & Detection Recommendations
Network Security Controls
| Control | Implementation | Priority |
|---|---|---|
| Firewall Rules | Block 45.155.69[.]25:80 and similar suspicious IPs | CRITICAL |
| Proxy Filtering | Block HTTP POST to PHP paths without User-Agent headers | HIGH |
| DNS Filtering | Block known malicious domains and implement category filtering | MEDIUM |
Endpoint Detection & Response
| Detection Method | Implementation | Effectiveness |
|---|---|---|
| YARA Rules | Deploy rules for sunless/anesthetist strings and Go runtime patterns | HIGH |
| Behavioral Monitoring | Monitor executions from Temp/AppData named houselet.exe | HIGH |
| Registry Monitoring | Alert on IE ZoneMap/proxy configuration changes | MEDIUM |
| File Analysis | Scan for high-entropy Go binaries with Sony metadata | MEDIUM |
Long-term Defensive Posture
- Application Whitelisting for temporary directories
- User Awareness on software installation risks
- Enhanced Code Signing verification for all executables
- Regular Security Assessments of Go-based applications
- Threat Intelligence Integration for emerging Go malware families
11. Operational Impact Assessment
Impact Scenarios
| Impact Category | Severity Level | Recovery Time |
|---|---|---|
| Data Compromise | HIGH | extended period |
| System Compromise | HIGH | several weeks |
| Operational Disruption | MEDIUM | several weeks |
| Compliance Impact | HIGH | extended period |
Operational Impact Timeline
- Immediate Response: System isolation, service disruption
- Investigation Phase: Forensic analysis and remediation planning
- Recovery Phase: System recovery and enhanced monitoring
- Long-term Phase: Process improvements and compliance activities
12. Long-term Defensive Strategy
Technology Enhancements
- Endpoint Protection Platform (EPP) with Go malware detection capabilities
- Extended Detection and Response (XDR) for comprehensive visibility
- Application Control to prevent unauthorized software execution
- Network Segmentation to limit lateral movement
- Cloud Security Posture Management for hybrid environments
Process Improvements
- Software Installation Policies requiring approval and verification
- Incident Response Playbooks specific to Go-based malware
- Security Awareness Training on social engineering tactics
- Vendor Risk Management for third-party software suppliers
- Continuous Monitoring of emerging Go malware families
13. Frequently Asked Questions
Technical Questions
Q: Why is Go-based malware particularly challenging to defend against?
A: Go malware is cross-platform, statically linked (fewer dependencies), and harder to analyze due to Go’s runtime complexity and obfuscation capabilities.
Q: How can similar threats be detected in the future?
A: Implement behavioral analysis for unusual process execution, monitor for high-entropy Go binaries, and deploy YARA rules specific to Go malware patterns.
Q: What makes the PlayStation disguise effective?
A: Legitimate software branding reduces user suspicion, and PlayStation’s popularity among gamers makes it an attractive lure.
Business Questions
Q: Should infected systems be rebuilt or cleaned?
A: REBUILD is strongly recommended due to multiple persistence mechanisms and the potential for undiscovered malware components.
Q: What regulatory obligations may apply?
A: Regulatory notification requirements depend on the data types compromised and the jurisdictions involved. Legal counsel should assess applicable obligations once the scope of data exposure is determined.
Q: How long will recovery take?
A: Full technical remediation typically spans several weeks; process improvements and compliance activities may extend the timeline further.
14. Conclusion
Houselet.exe is a Go-based loader/stealer employing in-memory payload deployment, encrypted C2 communication, and environment-aware evasion. Its combination of fake installer disguise, registry persistence, HTTP POST exfiltration, and runtime function obfuscation via the sunless/anesthetist package marks it as an active threat in the Go malware landscape.
Key Takeaways:
- Immediate containment and forensic investigation are critical
- System rebuilding is strongly recommended over cleaning
- Long-term defense requires technology, process, and monitoring improvements
- Multiple persistence mechanisms mean partial remediation leaves attacker access intact
License
© 2026 Joseph. All rights reserved. See LICENSE for terms.