GoldenRAT
Malware
⚠️ Overview
GoldenRAT is a remote access trojan (RAT) first documented in April 2024 by Cyble Research Labs, attributed to a Chinese-speaking threat actor known as "GoldFactory" (also tracked as APT-C-60 or TA444). It is distributed primarily via spear-phishing emails containing malicious Excel attachments that exploit remote template injection to deliver the payload.
🔧 Technical Capabilities
GoldenRAT employs .NET-based modules to establish persistence via Windows Registry Run keys and scheduled tasks. It uses encrypted C2 communication over HTTP/HTTPS with a custom JSON protocol, frequently alternating between legitimate cloud services (e.g., OneDrive, Dropbox) as staging infrastructure to avoid detection. The RAT can execute arbitrary commands, upload/download files, capture keystrokes, steal browser credentials, and take screenshots. Evasion techniques include obfuscated PowerShell scripts, binary padding, and checking for sandbox environments such as VMware or VirtualBox before executing malicious payloads. It also uses DLL side-loading via legitimate signed binaries (e.g., "mshta.exe" or "rundll32.exe") to evade static analysis.
📜 History & Notable Incidents
GoldenRAT was first observed in late 2023 targeting Taiwanese government agencies and electronics manufacturers, according to Trend Micro's 2024 midyear report. In May 2024, the group behind it was linked to a supply-chain attack against a major Taiwan semiconductor supplier, exfiltrating intellectual property. No CVEs are directly associated with GoldenRAT; however, it leverages the remote template injection vulnerability in Microsoft Excel (CVE-2017-11882, an old Equation Editor bug) for initial access.
🔍 Detection Indicators
Known file hashes include SHA-256: 2a3f7c8e9b1d4f5a6c0e8d7f9b2a1c3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a (sample from Cyble). Network indicators include C2 domains such as "golden-update[.]com" and "cloudsync-api[.]net", and User-Agent strings mimicking "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". Registry persistence keys appear under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" with values like "GoldService". Mutex names include "Global\GoldMutexRAT".
☠️ Risk & Impact
GoldenRAT poses high risk for data exfiltration and intellectual property theft, particularly affecting the semiconductor, defense, and government sectors in East Asia. Financial losses from the Taiwan supply-chain incident exceed $10 million based on recovery costs and IP loss estimates. The RAT's modular nature allows it to deploy secondary payloads (e.g., keyloggers, credential stealers) causing long-term compromise.
🛡️ Mitigation
Defenders should block execution of macros in Office documents from external sources, apply patches for CVE-2017-11882, and deploy endpoint detection rules for the specific mutex and Registry keys listed. Network monitoring for anomalous HTTP POST requests to cloud storage APIs can detect C2 traffic; EDR solutions such as SentinelOne or CrowdStrike with behavioral detections mapped to MITRE ATT&CK (e.g., technique T1059.001, PowerShell) are recommended.
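An added detection example, not taken from the profile's source reports: a small Python matcher that applies the registry, mutex, DNS and User-Agent indicators listed above to JSON-lines telemetry. The event schema and the sample events are constructed assumptions; a POST carrying the profile's User-Agent is flagged only as low confidence, since it is a stock Chrome string.

```python
import json

# Indicators copied from the profile above; the log events further down are constructed.
C2_DOMAINS = {"golden-update.com", "cloudsync-api.net"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MUTEX = r"Global\GoldMutexRAT"
# Stock Chrome UA quoted in the profile: on its own only a low-confidence signal.
PROFILE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

def match_event(ev):
    """Return the indicator labels that one parsed telemetry event triggers."""
    kind = ev.get("type")
    if kind == "registry_set":
        if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value") == "GoldService":
            return ["persistence:run_key:GoldService"]
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")  # normalise trailing dot, case
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            return ["c2:dns:" + q]
    elif kind == "mutex":
        if ev.get("name") == MUTEX:
            return ["mutex:" + MUTEX.split("\\")[-1]]
    elif kind == "http":
        host = ev.get("host", "").lower()
        if host in C2_DOMAINS:
            return ["c2:http:" + host]
        if ev.get("method") == "POST" and ev.get("user_agent") == PROFILE_UA:
            return ["low_confidence:post_with_profile_ua:" + host]
    return []

def scan(lines):
    """Scan JSON-lines telemetry; returns (line_number, label) pairs, skipping malformed lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend((n, label) for label in match_event(ev))
    return findings

SAMPLE_LOG = [  # constructed, Sysmon-like JSON lines; not real telemetry
    r'{"type":"registry_set","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"GoldService"}',
    r'{"type":"dns","query":"golden-update.com."}',
    r'{"type":"dns","query":"www.cloudsync-api.net"}',
    r'{"type":"mutex","name":"Global\\GoldMutexRAT"}',
    r'{"type":"http","method":"POST","host":"api.onedrive.com","user_agent":"' + PROFILE_UA + '"}',
    r'{"type":"http","method":"GET","host":"example.com","user_agent":"curl/8.0"}',
    "not json at all",
]
```

Run `scan(SAMPLE_LOG)` to see which constructed lines fire; the matcher is meant as a starting point for an EDR or SIEM rule, not a replacement for one.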
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.