In February 2026, ANYRUN revealed a previously undocumented Windows implant they labelled Moonrise. This Moonrise remote access trojan analysis examines the malware's WebSocket command-and-control architecture, JSON-based tasking model, and surveillance capabilities to understand its operational risk. Moonrise appears to be a remote-control malware tool that lets an attacker keep a live connection to an infected Windows computer, send commands, collect information, and return results in real time. The code and telemetry reviewed here also suggest surveillance-related features (such as keylogging and clipboard monitoring) and crypto-focused data handling, which raise the risk of credential theft and financial loss.

This blog breaks down Moonrise using static reverse engineering in Ghidra, string analysis with FLOSS, and behavioural correlation with ANYRUN telemetry. The result is a clear picture of a lightweight but operationally dangerous surveillance trojan designed for persistent remote control and financial theft.

Moonrise remote access Trojan technical overview

File name: Moonrise-client.exe
Architecture: PE32+ (x86-64)
Language: Golang
SHA256: ED5471D42BEF6B32253E9C1ABA49B01B8282FD096AD0957ABCF1A1E27E8F7551

The analysed sample was confirmed in ANYRUN as a 64-bit Windows GUI binary compiled with Go 1.18. Static inspection shows no obvious packing layer. FLOSS extraction reveals over 73,000 static ASCII strings and nearly 5,000 Go-specific strings.

The build flags embedded in the binary include:

-ldflags "-s -w -H windowsgui"

These flags are common in Golang malware:

-s omits the symbol table and -w omits the DWARF debug information, removing the metadata that would otherwise hand an analyst function names and source-file references for free.
-H windowsgui sets the PE subsystem to Windows GUI, so the process starts without a console window.

Together these ensure the executable launches silently and ships with as little debug metadata as the Go toolchain allows. Note that the Go runtime still needs its pclntab to unwind stacks and print panics, so function names survive even a -s -w build; that is why Ghidra can still resolve names such as the Gorilla WebSocket Dialer below. Because Go statically links most dependencies, the final binary is self-contained and large.
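The three facts above (PE32+, GUI subsystem, Go toolchain) are cheap to confirm without loading the sample into Ghidra. The following Python is an added example, not code from the ANYRUN write-up or from Moonrise: it reads the PE optional header to recover the subsystem and entry point, and checks for the 16-byte build-info magic the Go linker writes into every Go binary. The PE image it parses is constructed in memory by a hypothetical build_sample_pe helper to mirror the reported sample shape (PE32+, GUI subsystem, entry RVA 0x64060); it is not bytes from the real file.

```python
"""PE triage for a Go sample: subsystem, entry point and Go build-info magic.

Added example, not ANYRUN's or Moonrise's code. The PE image parsed here is
constructed by build_sample_pe() to mirror the reported sample shape; it is not
bytes taken from the real binary.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SUBSYSTEM = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
# 16-byte magic the Go linker writes at the start of the build-info blob.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"


def pe_header_info(data: bytes) -> dict:
    """Walk MZ -> PE -> COFF -> optional header and return the fields we care about."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine,) = struct.unpack_from("<H", data, coff)
    opt = coff + 20                                           # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # Subsystem (same offset in PE32 and PE32+)
    return {
        "machine": machine,                                   # 0x8664 = AMD64
        "pe32plus": magic == PE32PLUS_MAGIC,
        "subsystem": IMAGE_SUBSYSTEM.get(subsystem, f"UNKNOWN({subsystem})"),
        "entry_point": entry_rva,
    }


def is_go_binary(data: bytes) -> bool:
    """Cheap Go check: the build-info magic survives -s -w and is unaffected by -H."""
    return GO_BUILDINFO_MAGIC in data


def matches_silent_go_gui_profile(data: bytes) -> bool:
    """True for a 64-bit Go binary linked with -H windowsgui, the profile described above."""
    info = pe_header_info(data)
    return info["pe32plus"] and info["subsystem"] == "WINDOWS_GUI" and is_go_binary(data)


def build_sample_pe(subsystem: int = 2, entry: int = 0x64060, go: bool = True) -> bytes:
    """Constructed header-only PE32+ image for offline testing (hypothetical, not the real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew: PE signature at 0x40
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112, 0x0022)
    opt = bytearray(112)                                      # PE32+ optional header, no data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<H", opt, 68, subsystem)
    body = bytearray(32)
    if go:
        body += GO_BUILDINFO_MAGIC + bytes(16)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(pe_header_info(sample), "go:", is_go_binary(sample),
          "silent GUI Go build:", matches_silent_go_gui_profile(sample))
```

On a real file, pass the result of open(path, "rb").read() to pe_header_info and is_go_binary; a WINDOWS_GUI subsystem on a binary with no GUI imports, combined with the Go magic, is the static fingerprint of a -H windowsgui build and a reasonable triage flag before any deeper work.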
The size and statically linked runtime of a Go binary often serve as a natural barrier to reverse engineering without requiring additional packing or obfuscation. Ghidra's import summary confirms:

Compiler: Golang
Architecture: x86_64
Endianness: Little
Entry point: 0x64060
Statically linked runtime
Build ID and module metadata preserved

WebSocket command and control architecture

One of the most important discoveries appears immediately when reviewing symbol references. In Ghidra's symbol tree, we see multiple references to:

github.com/gorilla/websocket.(*Dialer).Dial

The reference window shows:

An unconditional CALL
Runtime method references
Method metadata entries

This confirms that Moonrise explicitly invokes the Gorilla WebSocket Dialer to initiate a connection. Gorilla WebSocket is a legitimate Go library used in production web applications; it performs the HTTP Upgrade handshake and then maintains a persistent, bidirectional socket. In the code paths reviewed, Moonrise favours this persistent WebSocket channel over simple periodic HTTP polling, which means the operator can push tasks to the implant at any time rather than waiting for the next beacon.

The hard-coded C2 endpoint

Within the raw data section labelled DAT_0073289d, ASCII decoding reveals:

ws[:]//193[.]23[.]199[.]88[:]8765

This is a hard-coded WebSocket command-and-control (C2) endpoint embedded directly in the Moonrise binary. In practical terms it gives us a concrete infrastructure indicator and also explains how the Gorilla WebSocket dialer logic is intended to be used: rather than generating destinations at runtime, the sample contains a fixed operator-controlled endpoint that the malware can dial immediately.

Several observations can be made from this string alone. First, the sample uses ws:// rather than wss://, which means the WebSocket channel in the analysed code path is unencrypted. Operationally, the upgrade handshake and every subsequent frame cross the wire in cleartext (client-to-server WebSocket frames are masked, but masking is a 4-byte XOR, not encryption), so network inspection and protocol-aware detection are far easier than they would be against wss:// traffic, where only the TLS handshake would be visible.
Second, the C2 is statically embedded rather than resolved dynamically. In the functions reviewed, there is no evidence of domain generation (DGA), rotating domains, or obvious string obfuscation around this endpoint. This does not make the malware unsophisticated overall, but it may indicate one of two things: either this sample reflects an earlier or rapidly developed build, or the operator has prioritised functionality over infrastructure stealth at this stage of the campaign. It also means a single string match or a single network indicator is enough to detect this build, and that moving infrastructure requires the operator to recompile and redeploy the client.

This finding also lines up with the behaviour observed in analysis tooling. ANYRUN telemetry reportedly shows an HTTP 101 Switching Protocols response from this IP and port, which is consistent with a successful WebSocket upgrade handshake. A 101 on its own is routine in benign traffic; what makes this one a useful pivot is the combination of a cleartext upgrade, a bare IP literal rather than a hostname, and a non-standard port. Put together with the Gorilla WebSocket dialer references and the decompiled Dial() call, the hard-coded ws[:]//193[.]23[.]199[.]88[:]8765 string provides a clear link between Moonrise's code-level implementation and its live C2 communications model.

Connection initialisation and global session handling

The decompiled main_f2 function provides a clearer view of how Moonri...
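Bridging the string recovered from DAT_0073289d to the 101 Switching Protocols seen in telemetry, the following Python is an added example and not code from the page or from Moonrise. It pulls ws:// and wss:// URLs out of a raw strings blob (standing in for FLOSS output), records whether each is cleartext and an IP literal, defangs it in the style used above, and then validates a captured HTTP upgrade exchange by recomputing Sec-WebSocket-Accept the way RFC 6455 requires, so that a detector can distinguish a genuine WebSocket upgrade from any other 101. The blob and the request/response pair are constructed here; the key and accept values are the RFC 6455 test vector, not a capture from this C2, and nothing in the block connects out.

```python
"""From a hard-coded ws:// string to the 101 seen on the wire.

Added example, not the page's or Moonrise's code. SAMPLE_BLOB stands in for a
strings dump; SAMPLE_REQUEST/SAMPLE_RESPONSE are a constructed upgrade exchange
using the RFC 6455 test vector, not a capture from the real C2. Nothing connects out.
"""
import base64
import hashlib
import re
from urllib.parse import urlsplit

WS_URL_RE = re.compile(rb"wss?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\x00\"']*)?")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 handshake constant

# Constructed strings blob: the IOC from the page plus a benign TLS endpoint for contrast.
SAMPLE_BLOB = (
    b"runtime.main\x00ws://193.23.199.88:8765\x00"
    b"github.com/gorilla/websocket.(*Dialer).Dial\x00"
    b"wss://example.invalid/updates\x00"
)
# Constructed upgrade exchange; key/accept are the RFC 6455 example values.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: 193.23.199.88:8765\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)


def defang(s: str) -> str:
    """Defang in the ws[:]//1[.]2[.]3[.]4[:]port style used above."""
    return s.replace(":", "[:]").replace(".", "[.]")


def extract_ws_endpoints(blob: bytes) -> list:
    """Find ws:// and wss:// URLs in raw bytes and describe each one as an IOC record."""
    records = []
    for m in WS_URL_RE.finditer(blob):
        url = m.group(0).decode("ascii")
        parts = urlsplit(url)
        tls = parts.scheme == "wss"
        records.append({
            "offset": m.start(),
            "url": url,
            "defanged": defang(url),
            "host": parts.hostname,
            "port": parts.port or (443 if tls else 80),
            "tls": tls,                                        # False means cleartext C2
            "ip_literal": IPV4_RE.fullmatch(parts.hostname) is not None,
        })
    return records


def expected_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key || GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_http_message(raw: bytes) -> tuple:
    """Split an HTTP/1.1 head into (start line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def validate_upgrade(request: bytes, response: bytes) -> dict:
    """Check that a request/response pair is a genuine WebSocket upgrade, not just any 101."""
    _, req = parse_http_message(request)
    status, resp = parse_http_message(response)
    key = req.get("sec-websocket-key", "")
    f = {
        "request_upgrade": req.get("upgrade", "").lower() == "websocket"
        and "upgrade" in req.get("connection", "").lower(),
        "status_101": status.startswith("HTTP/1.1 101"),
        "accept_valid": bool(key) and resp.get("sec-websocket-accept") == expected_accept(key),
        "host": req.get("host", ""),
    }
    f["handshake_ok"] = f["request_upgrade"] and f["status_101"] and f["accept_valid"]
    return f


if __name__ == "__main__":
    for rec in extract_ws_endpoints(SAMPLE_BLOB):
        print(rec)
    print(validate_upgrade(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Because the channel is ws:// rather than wss://, both HTTP messages above are what a sensor on the path actually sees, so the same validate_upgrade logic can run over a reassembled TCP stream; a 101 whose Sec-WebSocket-Accept does not match the client key indicates a non-conforming server or a replay, which is itself worth flagging.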
Moonrise is a newly documented Windows remote access trojan (RAT) that establishes a persistent WebSocket connection for real-time command and control. The code and telemetry reviewed suggest surveillance features such as keylogging and clipboard monitoring that support credential theft and financial loss. The malware is a 64-bit Go 1.18 binary that uses the Gorilla WebSocket library for bidirectional communication with a hard-coded, unencrypted C2 endpoint. This analysis is based on reverse engineering and telemetry; because Moonrise is malware rather than a vulnerability in a product, it carries no CVSS score, no affected or fixed software versions, and no vendor workarounds.