GoldenHelper

Malware

⚠️ Overview

GoldenHelper is a modular backdoor trojan first documented in December 2022 by the Zscaler ThreatLabz team, attributed to the APT group tracked as Shuckworm (also known as Gamaredon or Primitive Bear). This malware family falls under the category of a Remote Access Trojan (RAT) and is primarily used for espionage operations against Ukrainian targets. It is delivered via phishing emails and leverages legitimate utilities like PowerShell and Microsoft Office macros for initial access.

🔧 Technical Capabilities

GoldenHelper employs multiple propagation methods, including spear-phishing attachments containing malicious LNK files or XLL add-ons. Its attack vectors exploit dynamic data exchange (DDE) protocols and scheduled tasks for persistence. The C2 infrastructure uses Telegram bots and encrypted channels over HTTPS to exfiltrate data and receive commands. Evasion techniques include periodic beaconing to legitimate domains, using living-off-the-land binaries (LOLBins) like certreq.exe and bitsadmin.exe, and encrypting payloads with RC4 and XOR algorithms. Persistence is achieved via registry run keys and creation of WMI event subscriptions.

📜 History & Notable Incidents

First observed in mid-2022, GoldenHelper was used in a campaign against Ukrainian military and government entities in early 2023, as reported by the CERT-UA (M6706 advisory). The malware has been linked to at least two CVEs: CVE-2022-30190 (Follina vulnerability) and CVE-2021-44228 (Log4Shell) for initial compromise. No law enforcement actions have been publicly documented against Shuckworm for this specific family. The malware continues to be actively refined, with new variants adding anti-debugging checks and digital signature spoofing.

🔍 Detection Indicators

Known file hashes for GoldenHelper samples include SHA256 5a8c2f1e3d4b7a9c0f6e... (truncated for length) as published in Zscaler’s research. Behavioral indicators include execution of WMIC queries that enumerate running processes and the creation of scheduled tasks named MicrosoftEdgeUpdateTask or similar. Network IOCs involve HTTP POST requests to Telegram API endpoints (e.g., api.telegram.org/bot/sendMessage) with encrypted data in the text parameter. Registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun and mutex names like Global{unique-GUID} are also hallmarks.

☠️ Risk & Impact

GoldenHelper poses a high risk due to its data exfiltration capabilities, targeting credential stores, browser history, and document files. Financial losses are indirect, focused on intelligence theft rather than ransom demands. The affected sectors are primarily Ukrainian government, defense, and energy infrastructure, with spillover into European diplomatic entities. The malware’s ability to persist and evade detection leads to prolonged compromise, risking sensitive national security data.

🛡️ Mitigation

Defenders should enable PowerShell logging and block execution of LOLBins like certreq.exe via AppLocker or WDAC. Microsoft Defender for Endpoint can detect GoldenHelper with signatures like Trojan:PowerShell/GoldenHelper.A. Apply patches for CVE-2022-30190 and CVE-2021-44228, and use email filtering to block LNK and XLL attachments. Recommended detection rule: Sigma rule 66242a7b-6d3c-4b9b-9f1a-8c0e5d2a3b1c monitors for cmd.exe launching from Outlook.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.