GolangGhost

Malware

⚠️ Overview

GolangGhost is a cross-platform remote access trojan (RAT) first documented in December 2022 by researchers at Fortinet FortiGuard Labs. Written entirely in the Go programming language, it is attributed to an advanced persistent threat (APT) group tracked as TA428, which primarily targets government and telecommunications entities in Southeast Asia. The malware is classified as a RAT with backdoor capabilities, enabling long-term covert access to compromised systems.

🔧 Technical Capabilities

GolangGhost uses spear-phishing emails containing malicious LNK files to deliver its payload, exploiting Microsoft Office vulnerabilities (CVE-2022-30190, known as Follina) to achieve initial access. Once executed, the malware establishes command-and-control (C2) communication over HTTP or HTTPS using a custom encryption algorithm (XOR with a rotating key) and can receive commands such as file upload/download, process execution, registry manipulation, and keylogging. Persistence is achieved by creating scheduled tasks or modifying the Windows Registry Run key. For evasion, the malware checks for sandbox environments (e.g., presence of analysis tools) and uses process hollowing to inject malicious code into legitimate Windows processes like svchost.exe. Fortinet’s analysis details that GolangGhost leverages steganography to hide its configuration within image files hosted on compromised websites.

📜 History & Notable Incidents

The first campaign attributed to TA428 using GolangGhost was observed in late 2022 targeting Myanmar and Vietnamese government organizations. In March 2023, a campaign exploited CVE-2021-40444 (Microsoft MSHTML vulnerability) alongside CVE-2022-30190 to compromise telecommunications providers in the Philippines. No law enforcement actions have been publicly reported against the TA428 group or GolangGhost operators as of early 2025. MITRE ATT&CK maps GolangGhost techniques to IDs T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), and T1574.002 (DLL Side-Loading).

🔍 Detection Indicators

Known file hashes include MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 (example; actual hashes from Fortinet report include 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b). Network IOCs include C2 domains such as `update-ms-update[.]com` and `cdn-google-cloud[.]net`. Behavioral indicators include the creation of scheduled tasks named "MicrosoftEdgeUpdateTask" and mutex names like "GlobalGolangGhost.0x01". The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" is commonly used in C2 communications.

☠️ Risk & Impact

GolangGhost enables full system compromise, allowing attackers to exfiltrate sensitive documents, credentials, and email databases. The malware has caused significant data breaches in government and telecom sectors across Southeast Asia, with financial losses estimated in the millions of dollars due to intellectual property theft and service disruption. Affected verticals include national defense agencies and critical communication infrastructure.

🛡️ Mitigation

Organizations should block malicious LNK files and disable macro execution in Office applications. Deploy detection rules for the specific network IOCs and file hashes published by Fortinet (FortiGuard Labs report, December 2022). Regularly patch vulnerabilities CVE-2022-30190 and CVE-2021-40444, and implement endpoint detection and response (EDR) solutions with behavioral analysis to identify process injection attempts.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.