Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite
ID: 868c7b8f-de9d-5f28-89e8-cbc038da218b
STIX ID: report--868c7b8f-de9d-5f28-89e8-cbc038da218b
Feed Name: Elastic Security Labs
Elastic Security Labs identified an active, organized campaign (REF3864) targeting Chinese-language users with trojanized installers that use a custom loader named SADBRIDGE to side-load malicious DLLs and inject a new Golang-based Quasar reimplementation called GOSAR. The report details multi-stage injection, UAC/task-scheduler privilege escalation, persistence via services and scheduled tasks, extensive anti-analysis and AV-evasion techniques, GOSAR’s multi-platform features (keylogging, HVNC, plugins, logging, firewall/hosts modifications), and provides IOCs and defensive recommendations.