diff --git a/clusters/backdoor.json b/clusters/backdoor.json
new file mode 100644
index 0000000..c0d2adb
--- /dev/null
+++ b/clusters/backdoor.json
@@ -0,0 +1,24 @@
+{
+ "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+ "description": "A list of backdoor malware.",
+ "source": "Open Sources",
+ "version": 1,
+ "values": [
+ {
+ "meta": {
+ "date": "July 2018.",
+ "refs": [
+ "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
+ ]
+ },
+ "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
+ "value": "WellMess",
+ "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+ }
+ ],
+ "authors": [
+ "raw-data"
+ ],
+ "type": "backdoor",
+ "name": "Backdoor"
+}
diff --git a/galaxies/backdoor.json b/galaxies/backdoor.json
new file mode 100644
index 0000000..6504c9c
--- /dev/null
+++ b/galaxies/backdoor.json
@@ -0,0 +1,9 @@
+{
+ "description": "Malware Backdoor galaxy.",
+ "type": "backdoor",
+ "version": 1,
+ "name": "Backdoor",
+ "icon": "door-open",
+ "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+ "namespace": "misp"
+}
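Review bot: The `date` value `"July 2018."` in the WellMess entry's `meta` has a trailing period and is not in a machine-sortable form, so any consumer that filters or orders cluster entries by date will have to special-case this string. An ISO 8601 value derived from the same month, `"date": "2018-07"`, or the referenced post's exact publication day if it is known, would avoid that. The `description` makes several specific capability claims (RSA-encrypted POST bodies, shell command execution, file upload/download, PowerShell execution in the PE variant, a .Net variant) while `refs` lists a single JPCERT post; if any of those claims come from elsewhere, a second `refs` entry keeps them traceable. `"source": "Open Sources"` is vaguer than the `refs` it sits next to and could name the publisher directly.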
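Review bot: The galaxy `description` `"Malware Backdoor galaxy."` only restates the `name` and gives no indication of what the galaxy groups; a short sentence such as `"description": "Backdoor malware families and their documented capabilities."` would be more useful in the galaxy listing. The `uuid` here is identical to the `uuid` in the new clusters/backdoor.json, which looks intentional for a galaxy/cluster pair but is worth confirming against how the repository's other galaxy definitions pair with their clusters.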