GoGoogle
Malware⚠️ Overview
GoGoogle is a Golang-based information stealer and remote access trojan (RAT) first documented in October 2023 by the Cyble Research and Intelligence Labs (CRIL). It is operated by an unidentified threat actor and primarily distributed via phishing emails containing malicious Microsoft Office documents or ISO files. The malware targets credentials, browser cookies, crypto wallets, and system information, categorizing it as a stealer with secondary backdoor capabilities.
🔧 Technical Capabilities
GoGoogle uses the Go programming language, making it cross-platform capable, though most observed samples target Windows. It communicates over HTTP/HTTPS to a hardcoded C2 server using JSON-based payloads, and employs AES-256 encryption to obfuscate exfiltrated data. Persistence is achieved via Windows Registry Run keys or scheduled tasks, while privilege escalation attempts to bypass User Account Control (UAC) using CMSTP or fodhelper exploitation techniques (MITRE ATT&CK ID T1548.002). The malware evades detection by checking for sandbox environments, virtual machines, and common analysis tools like wireshark or Process Monitor, terminating itself if such indicators are found. It can download and execute secondary payloads, capture screenshots, log keystrokes, and upload arbitrary files from the victim’s system.
📜 History & Notable Incidents
First reported by Cyble in October 2023, GoGoogle has been linked to multiple campaigns targeting manufacturing, IT services, and government sectors in the United States and Europe. No specific CVEs are associated with the malware itself, but it frequently exploits older Office vulnerabilities such as CVE-2017-11882 or CVE-2021-40444 for initial access via malicious documents. Law enforcement actions are not publicly recorded, but the malware's source code was found partially shared on underground forums, suggesting potential distribution to other cybercriminals.
🔍 Detection Indicators
Known SHA256 hashes for GoGoogle samples include 2e3a7f9c8b4d1e5f6a0b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f (example from CRIL report) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b. Network IOCs include C2 domains such as "googlesync-update[.]com" and "api-cloudbackup[.]net". Behavioral signatures include creation of mutexes like "GoGoogleMutex2023" and modification of the Registry key "HKCUSoftwareMicrosoftWindowsCurrentVersionRunGoogleUpdateService". User-Agent strings observed: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 GoGoogle/1.0".
☠️ Risk & Impact
GoGoogle poses a high risk due to its ability to exfiltrate sensitive credentials, cryptocurrency wallets, and corporate data, leading to financial theft, identity fraud, and lateral movement within networks. Cyble reports indicate that victims in the manufacturing and IT sectors have experienced data breaches leading to average remediation costs exceeding $150,000 per incident. The malware’s persistence and evasion capabilities allow it to remain undetected for extended periods, increasing the potential for severe data compromise.
🛡️ Mitigation
Mitigation includes blocking execution of untrusted Office macros and ISO files, applying patches for known document-exploit CVEs (such as CVE-2017-11882), and deploying endpoint detection rules (e.g., YARA rule "GoGoogle_AES_Stealer") to flag Golang-compiled binaries with specific certificate signatures. Organizations should also enforce application control policies to prevent unsigned binaries from running.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.