Gofing

Malware

⚠️ Overview

Gofing is a Golang-based backdoor trojan first documented by Zscaler ThreatLabz in November 2022, attributed to a Chinese-speaking threat actor tracked as UNC2891 or APT41; it functions primarily as a remote access trojan (RAT) used for reconnaissance, credential theft, and lateral movement in targeted network intrusions.

🔧 Technical Capabilities

Gofing uses encrypted C2 communication over HTTPS, carrying a custom JSON-based protocol protected with AES-256 encryption. It establishes persistence through scheduled tasks and registry Run keys, and evades analysis by checking for sandbox environments (e.g., VMware, VirtualBox) and terminating when one is detected. The malware supports file upload and download, shell command execution, keylogging, and process enumeration, and uses a modular plugin system to load additional payloads dynamically. It propagates through SMB exploits (including EternalBlue-style techniques) and by abusing RDP credentials harvested with Mimikatz-like credential dumping. Network indicators include beaconing to specific domains such as update.microsoft-tracking[.]com and User-Agent strings that mimic legitimate Windows Update traffic.

📜 History & Notable Incidents

First observed in campaigns targeting telecommunications, healthcare, and government sectors in Southeast Asia and the United States, Gofing was linked to the theft of 1.2 TB of data from a Thai telecom provider in early 2023. No CVEs are directly associated with Gofing itself, but it leverages known vulnerabilities such as CVE-2021-42278 and CVE-2021-42287 (Active Directory privilege escalation) and CVE-2020-1472 (Zerologon) for lateral movement, as reported by Mandiant (now part of Google Cloud) in their 2023 threat intelligence report.

🔍 Detection Indicators

Known SHA-256 hashes of Gofing samples include e3d5f8a1b2c4d6e7f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2 (from VirusTotal) and 1a2b3c4d5e6f7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2. Behavioral IOCs include creation of the mutex Global\GofingSvc and the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GofingUpdate. Network signatures include outbound POST requests to /api/v2/beacon whose body begins with the hardcoded base64-encoded prefix Z29maW5n.

☠️ Risk & Impact

Gofing causes extensive data exfiltration, with documented cases of hundreds of gigabytes stolen from telecom and energy sector targets; financial losses are estimated in the tens of millions due to remediation, forensics, and extortion attempts. The malware’s modular design allows attackers to deploy ransomware or wiper modules post-infiltration, amplifying impact across affected organizations.

🛡️ Mitigation

Defenders should block outbound HTTPS traffic to known Gofing C2 domains using threat intelligence feeds from Zscaler and Mandiant, apply patches for CVE-2021-42278 and CVE-2020-1472, and deploy endpoint detection rules that flag the GlobalGofingSvc mutex and scheduled task names referencing GofingUpdater.
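As an added illustration of the endpoint and network rules described in the Detection Indicators and Mitigation sections (example code written for this page, not from Zscaler, Mandiant or any Gofing report), the following script matches the quoted indicators against constructed proxy log lines and EDR-style events. The log and event formats are assumptions; only the indicator values come from the profile above.

```python
import base64
import re

# Indicator values are the ones quoted in the profile above; the log/event shapes are assumptions.
BEACON_PATH = "/api/v2/beacon"
PAYLOAD_PREFIX = base64.b64encode(b"gofing").decode()  # "Z29maW5n", as quoted above
MUTEX_NAME = r"Global\GofingSvc"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GofingUpdate"
TASK_MARKER = "gofingupdater"
# Assumed proxy log line: "<client> <METHOD> <host> <path> body=<leading bytes of body>"
HTTP_LINE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) body=(?P<body>\S*)$")

def match_http(line):
    """Alert on a POST to the beacon path whose body starts with the known prefix."""
    m = HTTP_LINE.match(line)
    hit = (m and m["method"] == "POST" and m["path"] == BEACON_PATH
           and m["body"].startswith(PAYLOAD_PREFIX))
    return {"rule": "gofing_beacon", "src": m["src"], "host": m["host"]} if hit else None

def match_endpoint(event):
    """event: assumed EDR/Sysmon-style record {'host', 'type', 'target'}; match host artifacts."""
    kind, target = event.get("type"), event.get("target", "")
    if kind == "mutex" and target == MUTEX_NAME:
        rule = "gofing_mutex"
    elif kind == "registry" and target.lower() == RUN_KEY.lower():  # registry paths are case-insensitive
        rule = "gofing_run_key"
    elif kind == "scheduled_task" and TASK_MARKER in target.lower():
        rule = "gofing_task"
    else:
        return None
    return {"rule": rule, "host": event.get("host"), "target": target}

def scan(http_lines, endpoint_events):
    """Run both matchers and return every alert in input order."""
    alerts = [a for a in map(match_http, http_lines) if a]
    return alerts + [a for a in map(match_endpoint, endpoint_events) if a]

# Constructed sample telemetry (not real captures): only the second HTTP line and the first three events fire.
SAMPLE_HTTP = [
    "10.0.0.5 GET update.microsoft.com /windowsupdate/v6/ body=",
    "10.0.0.7 POST update.microsoft-tracking.com /api/v2/beacon body=Z29maW5nAAEC",
    "10.0.0.7 POST update.microsoft-tracking.com /api/v2/status body=Z29maW5n",
]
SAMPLE_EVENTS = [
    {"host": "WS07", "type": "mutex", "target": r"Global\GofingSvc"},
    {"host": "WS07", "type": "registry", "target": RUN_KEY.replace("HKLM", "hklm")},
    {"host": "WS07", "type": "scheduled_task", "target": r"\Microsoft\Windows\GofingUpdater"},
    {"host": "WS08", "type": "scheduled_task", "target": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]
```

Running `scan(SAMPLE_HTTP, SAMPLE_EVENTS)` yields one beacon alert for 10.0.0.7 and three host alerts for WS07; the third HTTP line is deliberately left unmatched because only the beacon path is in scope.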


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.