A Lua-based backdoor malware capable of targeting both Linux and Windows users while securing its communication channels via DNS over HTTPS (DoH) was discovered by researchers at Network Security Research Lab of Qihoo 360.
By using DoH to encapsulate the communication channels between command-and-control servers, the infected machines, and the attacker-controlled servers within HTTPS requests, the malware dubbed Godlua manages to block researchers from analyzing its traffic.
Godlua's main function seems to be that of a DDoS bot and it was already seen in action when its masters launched an HTTP flood attack against the liuxiaobei[.]com domain, as observed by the Qihoo 360 researchers.