{"id":"20260603-28ad8bea-PE-Mozi-CN","title":"PE-Mozi-CN — Mozi / Revolution RAT (GitHub: nosyliam/revolution)","md5":"a5ba73839257796a04cce3266cb96b9c","sha256":"28ad8bea01712d33febdb547e2602d6097e22aad29b35d40059c7ae2f2e05f03","family":"Mozi / Revolution RAT (GitHub: nosyliam/revolution)","verdict":"malicious","lang":"Go + C++","file_format":"PE32+","published_at":"2026-06-02T16:00:00.000Z","summary":"Windows remote access trojan (RAT) compiled from the open-source GitHub project nosyliam/revolution. It integrates Direct3D11 GPU screen capture, a WireGuard VPN tunnel, and a Protobuf-serialized C2 protocol. A 74 MB embedded resource bundle contains a complete Web UI and multiple fonts. Built with Visual Studio 2010 (builder: Macro 4); the PDB path inadvertently exposes the full project structure and build environment. No anti-debugging or anti-VM techniques found so far; it relies on the VPN tunnel and a legitimate-looking appearance to evade detection.","url":"https://zseceye.com/report/20260603-28ad8bea-PE-Mozi-CN","json_url":"https://zseceye.com/report/20260603-28ad8bea-PE-Mozi-CN.json","html_url":"https://zseceye.com/report/20260603-28ad8bea-PE-Mozi-CN","hash_urls":{"md5":"https://zseceye.com/hash/a5ba73839257796a04cce3266cb96b9c","sha256":"https://zseceye.com/hash/28ad8bea01712d33febdb547e2602d6097e22aad29b35d40059c7ae2f2e05f03"},"search_urls":{"md5":"https://zseceye.com/?q=a5ba73839257796a04cce3266cb96b9c","sha256":"https://zseceye.com/?q=28ad8bea01712d33febdb547e2602d6097e22aad29b35d40059c7ae2f2e05f03"},"sample_download_url":"https://zseceye.com/report/20260603-28ad8bea-PE-Mozi-CN/sample","sample_filename":"28ad8bea.zip","iocs":[{"type":"md5","value":"a5ba73839257796a04cce3266cb96b9c","description":"Sample MD5"},{"type":"pdb_path","value":"C:\\Users\\Macro 4\\go\\src\\github.com\\nosyliam\\revolution","description":"PDB path"},{"type":"pdb_project","value":"github.com/nosyliam/revolution","description":"PDB project"},{"type":"sha256","value":"28ad8bea01712d33febdb547e2602d6097e22aad29b35d40059c7ae2f2e05f03","description":"Sample SHA256"},{"type":"wintun_driver","value":"WireGuard VPN TUN (Jason A. Donenfeld)","description":"Wintun driver"},{"type":"compile_time","value":"2025-05-10 (timestamp 1746891233)","description":"Compile time"},{"type":"certificate","value":"DigiCert EV Code Signing (possibly used for TLS)","description":"Certificate"}],"ips":[]}
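The PDB-path and compile-time IOCs in this report come from two PE structures: the COFF file header's TimeDateStamp and the CodeView "RSDS" record referenced by the debug data directory. The following is an added example, not code from the report or from the nosyliam/revolution project, that extracts both from raw bytes with the standard library only and then reports what the path discloses (build user, Go import path). To run offline it builds a constructed, non-executable PE32+ skeleton carrying the report's PDB directory plus an assumed file name (example.pdb is not from the report) and the reported timestamp 1746891233; point parse_pe_build_info at the real sample's bytes to check the IOCs yourself.

```python
import re
import struct
import uuid
from datetime import datetime, timezone

IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def build_sample_pe(pdb_path: str, timestamp: int) -> bytes:
    """Constructed PE32+ header skeleton (not executable) with one RSDS debug
    entry, so the parser below can run offline. Only fields the parser reads
    are populated."""
    rdata_va, rdata_raw = 0x1000, 0x200
    codeview = (b"RSDS" + uuid.UUID(int=0x12345678).bytes_le
                + struct.pack("<I", 1) + pdb_path.encode() + b"\0")
    # IMAGE_DEBUG_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor,
    # Type, SizeOfData, AddressOfRawData (RVA), PointerToRawData (file offset)
    debug_entry = struct.pack("<IIHHIIII", 0, timestamp, 0, 0,
                              IMAGE_DEBUG_TYPE_CODEVIEW, len(codeview),
                              rdata_va + 28, rdata_raw + 28)
    section_data = debug_entry + codeview
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)    # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, rdata_va, 28)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(section_data), rdata_va,
                          0x200, rdata_raw, 0, 0, 0, 0, 0x40000040)
    hdr = bytearray(rdata_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    hdr[0x84:0x98] = coff
    hdr[0x98:0x188] = opt
    hdr[0x188:0x1B0] = section
    return bytes(hdr) + section_data.ljust(0x200, b"\0")


def parse_pe_build_info(data: bytes) -> dict:
    """Return the COFF timestamp and CodeView (RSDS) PDB details of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data directory offset
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    info = {"machine": MACHINES.get(machine, hex(machine)), "timestamp": ts,
            "compiled_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "pdb_path": None, "pdb_guid": None, "pdb_age": None}
    if ndirs <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return info
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if not dbg_rva:
        return info                              # stripped binary: no debug directory
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva_to_offset(rva):
        for _, vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} maps to no section")

    base = rva_to_offset(dbg_rva)
    for i in range(dbg_size // 28):
        _, _, _, _, typ, size, addr, ptr = struct.unpack_from("<IIHHIIII", data, base + 28 * i)
        if typ != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        off = ptr or rva_to_offset(addr)         # some linkers leave PointerToRawData = 0
        cv = data[off:off + size]
        if cv[:4] == b"RSDS":                    # GUID(16) + Age(4) + NUL-terminated PDB path
            info["pdb_guid"] = str(uuid.UUID(bytes_le=cv[4:20]))
            info["pdb_age"] = struct.unpack_from("<I", cv, 20)[0]
            info["pdb_path"] = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return info


def pdb_exposure(pdb_path: str) -> dict:
    """What a PDB path leaks: the build user's profile name and the Go project path."""
    user = re.search(r"[\\/]Users[\\/]([^\\/]+)", pdb_path)
    proj = re.search(r"[\\/]go[\\/]src[\\/]([^\\/]+[\\/][^\\/]+[\\/][^\\/]+)", pdb_path)
    return {"build_user": user.group(1) if user else None,
            "go_project": proj.group(1).replace("\\", "/") if proj else None}


if __name__ == "__main__":
    # Directory prefix is the report's IOC; the file name is assumed for this example.
    sample = build_sample_pe(r"C:\Users\Macro 4\go\src\github.com\nosyliam\revolution\example.pdb", 1746891233)
    info = parse_pe_build_info(sample)
    print(info)
    print(pdb_exposure(info["pdb_path"]))
```

The COFF timestamp is attacker-controlled and Go binaries often carry a zero or reproducible value, so treat it as a pivot for clustering rather than proof of build date; the RSDS GUID and age, by contrast, are exactly what a symbol server is keyed on and make a good hunting indicator across rebuilds from the same project directory.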