type: entity | confidence: high | created: 2026-05-29 | updated: 2026-05-29 | tags: infostealer, malware-family, golang, signing, obfuscation

NeuralpulseCore5SBS

Go-based infostealer family compiled as PE32+ (x86-64), labelled neuralpulsecore5-sbs by OpenCTI / MalwareBazaar. First documented in the PacketPursuit corpus on 2026-05-29. It comes from the same Go 1.26.2 build pipeline as the acrstealer / lummastealer / orderreshop cluster (all of which are 32-bit builds) and is distinguished by its amd64 target, an Authenticode signature whose signer certificate is a Sectigo domain-validation TLS certificate for sedo.com, and the complete absence of hardcoded C2 strings. Runtime decoding or a DGA is presumed for C2 addressing, inferred from sibling behaviour rather than observed in this sample.

Build Stack

  • Compiler: Go 1.26.2 (GOARCH=amd64, GOOS=windows, CGO_ENABLED=0, -trimpath=true) ^[/intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3.html]
  • Signing: Authenticode signature whose signer certificate is a Sectigo Domain Validation TLS certificate (CN=sedo.com, issuer Sectigo Public Server Authentication CA DV R36). A DV TLS certificate carries only the serverAuth/clientAuth extended key usages, so the signature cannot chain as a valid Authenticode signature; whether the signature hash even matches the file is not recorded in the analysis. ^[/intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3.html]
  • Obfuscation: Randomized Go module path; randomized main.* function names (10–18 chars); no external packer ^[/intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3.html]
  • Resources: No .rsrc section, so no icon or version-info masquerade (the Go linker emits no .rsrc unless a resource object is linked in); same as lummastealer ^[/intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49e26091c0722589013239a3.html]

See golang-stealer-build-pattern for the shared build-pattern concept.
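The Build Stack indicators above are all recoverable from the buildinfo blob that every Go binary carries (the same data `go version -m sample.exe` prints): Go version, module path and the build settings, including `-trimpath=true` when the binary was built with -trimpath. The following is an added example for this page, not PacketPursuit's or any vendor's tooling. It scores a binary's buildinfo against the family fingerprint; the module path in the constructed sample (qzkvprmxlwte) and the 8 to 32 character heuristic for "randomized" are assumptions of the example, not facts from the analysis.

```go
// buildprofile.go: added example, not PacketPursuit tooling. Reads the
// buildinfo blob that `go build` embeds in every Go binary (PE included) and
// scores it against the toolchain fingerprint documented for this family.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"runtime/debug"
	"strings"
)

// Expected build settings, taken from the Build Stack section of this page.
// The toolchain records -trimpath exactly as the setting "-trimpath=true".
var expected = []struct{ key, value string }{
	{"GOOS", "windows"},
	{"GOARCH", "amd64"},
	{"CGO_ENABLED", "0"},
	{"-trimpath", "true"},
}

// A randomized module path is a bare lowercase alphanumeric token with no host
// or path separators. The length bounds are an assumption for this example.
var randomModPath = regexp.MustCompile(`^[a-z0-9]{8,32}$`)

// Finding is one indicator together with the value observed in the binary.
type Finding struct {
	Check string
	Hit   bool
	Value string
}

// MatchProfile compares a BuildInfo with the family fingerprint. Findings are
// emitted in a fixed order so output is stable; hits counts the matches.
func MatchProfile(bi *debug.BuildInfo) (findings []Finding, hits int) {
	settings := make(map[string]string, len(bi.Settings))
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	add := func(check string, hit bool, value string) {
		findings = append(findings, Finding{check, hit, value})
		if hit {
			hits++
		}
	}
	add("go-version-1.26.x", strings.HasPrefix(bi.GoVersion, "go1.26."), bi.GoVersion)
	for _, e := range expected {
		v, ok := settings[e.key]
		add(e.key+"="+e.value, ok && v == e.value, v)
	}
	mod := bi.Main.Path // module path; falls back to the main package path
	if mod == "" {
		mod = bi.Path
	}
	add("randomized-module-path", randomModPath.MatchString(mod), mod)
	return findings, hits
}

// SampleInfo is a constructed BuildInfo mirroring what the analysis reports for
// the first sample. The module path string is invented for this example.
func SampleInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.26.2",
		Path:      "qzkvprmxlwte",
		Main:      debug.Module{Path: "qzkvprmxlwte"},
		Settings: []debug.BuildSetting{
			{Key: "GOOS", Value: "windows"},
			{Key: "GOARCH", Value: "amd64"},
			{Key: "CGO_ENABLED", Value: "0"},
			{Key: "-trimpath", Value: "true"},
		},
	}
}

// Usage: go run buildprofile.go [sample.exe]; with no argument it scores the
// constructed sample. buildinfo.ReadFile understands PE, ELF and Mach-O.
func main() {
	bi := SampleInfo()
	if len(os.Args) > 1 {
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	findings, hits := MatchProfile(bi)
	for _, f := range findings {
		fmt.Printf("%-24s %-5t %q\n", f.Check, f.Hit, f.Value)
	}
	fmt.Printf("%d/%d indicators matched\n", hits, len(findings))
}
```

The sibling cluster differs only in GOARCH (386) and, where their module paths are not randomized, in the last indicator, so a partial score still points at the shared toolchain; the version check is deliberately a prefix match on go1.26. so that point releases of the same toolchain still score.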

Deploy / TTPs

  • Execution: Standard Go runtime entry point (_rt0_amd64_windows, which jumps to runtime._rt0_amd64); Windows GUI subsystem, i.e. linked with -H=windowsgui so no console window is created. ^[/intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3.html]
  • Network: net/http + crypto/tls statically linked. No hardcoded C2 URLs were recovered statically; runtime decoding or a DGA is inferred from sibling behaviour, not observed in this sample. ^[/intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3.html]
  • Collection: Browser credential stores, cryptocurrency wallets, FTP/SSH credentials, and system information. Inferred from the family naming convention and the sibling cluster; not confirmed from this sample.
  • Evasion: Absence of .rsrc and of hardcoded strings shrinks the static detection surface. The Sectigo DV certificate makes the file appear signed to triage that only checks whether a signature is present; because a DV TLS certificate lacks the code-signing extended key usage, Windows does not accept the signature as valid, so it should not be expected to reduce trust prompts.
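Both the Signing entry under Build Stack and the Evasion bullet above turn on one question: could the signer certificate ever yield a valid Authenticode signature? That comes down to its extended key usage, and it can be answered offline from the certificates embedded in the signature. The following is an added example, not PacketPursuit's or anyone else's tooling. It takes the PKCS#7 blob carved from the PE: the IMAGE_DIRECTORY_ENTRY_SECURITY data directory gives a file offset (not an RVA) to a WIN_CERTIFICATE record whose 8-byte header (dwLength, wRevision, wCertificateType = 0x0002 for PKCS_SIGNED_DATA) precedes the DER. The ContentInfo/SignedData layout declared here is the minimum needed to reach the certificate bag, and the file and function names are invented for the example.

```go
// authcert.go: added example, not PacketPursuit tooling. Walks the certificate
// bag of an Authenticode PKCS#7 SignedData blob and reports, per certificate,
// whether its extended key usage permits code signing. It inspects certificates
// only; it does not verify the signature (the standard library has no PKCS#7 verifier).
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
	"os"
)

// Only the leading SignedData members are declared; encoding/asn1 ignores the
// trailing crls/signerInfos members, which is all this check needs.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0"`
}

type signedData struct {
	Version          int
	DigestAlgorithms asn1.RawValue
	ContentInfo      asn1.RawValue
	Certificates     asn1.RawValue // [0] IMPLICIT SET OF Certificate
}

// CertsFromSignedData parses every certificate carried in one PKCS#7 blob
// (the body of a PE's WIN_CERTIFICATE record, type 0x0002).
func CertsFromSignedData(blob []byte) ([]*x509.Certificate, error) {
	var ci contentInfo
	var sd signedData
	if _, err := asn1.Unmarshal(blob, &ci); err != nil { // trailing pad bytes are allowed
		return nil, err
	}
	if _, err := asn1.Unmarshal(ci.Content.Bytes, &sd); err != nil {
		return nil, err
	}
	if sd.Certificates.Class != asn1.ClassContextSpecific || sd.Certificates.Tag != 0 {
		return nil, errors.New("SignedData carries no certificates")
	}
	var certs []*x509.Certificate
	for rest := sd.Certificates.Bytes; len(rest) > 0; {
		var rv asn1.RawValue
		var err error
		if rest, err = asn1.Unmarshal(rest, &rv); err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(rv.FullBytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// CodeSigningCapable reports whether the EKU permits code signing. A DV TLS
// leaf carries serverAuth/clientAuth only, so Windows rejects a signature made
// with it as not valid for the requested usage. A certificate with no EKU
// extension is unconstrained and counts as capable.
func CodeSigningCapable(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// Usage: go run authcert.go <pkcs7.der>, where the file is the PKCS#7 blob
// carved from the sample's security directory.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: authcert <pkcs7.der>")
		os.Exit(2)
	}
	blob, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	certs, err := CertsFromSignedData(blob)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, c := range certs {
		// The non-CA entry is the signer leaf; for this family expect a DV TLS leaf.
		fmt.Printf("CN=%q issuer=%q CA=%v codeSigning=%v\n",
			c.Subject.CommonName, c.Issuer.CommonName, c.IsCA, CodeSigningCapable(c))
	}
}
```

For this family the expected output is a non-CA leaf with CN=sedo.com and codeSigning=false, which is the whole point: the file is "signed" only to tooling that stops at the presence of a signature. On a Windows host Get-AuthenticodeSignature reaches the same verdict, since it will not report such a signature as Valid.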

Capabilities

  • go-static-binary-no-cgo
  • trimpath-source-stripping
  • go-symbol-name-obfuscation
  • signed-pe-masquerade
  • sectigo-dv-code-signing
  • runtime-decoded-c2-urls
  • tls-https-c2-client
  • no-icon-stripped-variant
  • browser-credential-dumping
  • cryptocurrency-wallet-targeting
  • system-info-enumeration
  • prng-seeded-string-decode

Variants / Aliases

  • OpenCTI labels: neuralpulsecore5-sbs, exe, signed
  • MalwareBazaar family: neuralpulsecore5sbs
  • Likely sibling or evolution of the acrstealer / lummastealer / orderreshop cluster (same toolchain; amd64 build where the siblings are x86)

Notable Analyses

  • /intel/analyses/47a2204dd5a0c8e9540373dee70d74dbdb73bac49eb26091c0722589013239a3.html — First observed sample: Go 1.26.2 PE32+, module path randomized, Sectigo DV cert sedo.com, no static C2

Related

  • golang-stealer-build-pattern — shared Go infostealer build artefacts
  • acrstealer — sibling cluster (x86 builds, same toolchain, self-signed certs)
  • lummastealer — sibling cluster (x86 builds, no .rsrc, self-signed certs)
  • orderreshop — sibling cluster (x86 builds, custom PE parser + multi-pass decoder)