GoldenSpy

Malware

⚠️ Overview

GoldenSpy is a modular remote access trojan (RAT) first publicly documented by Palo Alto Networks' Unit 42 in August 2018. It is attributed to the Chinese-language advanced persistent threat (APT) group tracked as TA429 (also known as Red Apollo or APT10), which is assessed to operate with state-sponsored espionage objectives. The malware is classified as a backdoor and information stealer, built for covert surveillance and data exfiltration from targeted networks.

🔧 Technical Capabilities

GoldenSpy is delivered by spear-phishing emails carrying malicious Microsoft Office documents that exploit CVE-2017-11882 (a stack buffer overflow in the Office Equation Editor component, EQNEDT32.EXE, that gives remote code execution when the document is opened) to drop the initial payload. The malware uses a modular architecture: a core DLL ("GoldenSpy.dll") decrypts and loads additional plugins, including keyloggers, screen-capture modules, and file collectors. Command-and-control (C2) traffic goes over HTTPS to hardcoded IP addresses or domains, and legitimate cloud services such as Baidu Cloud are often used for secondary staging. Persistence is achieved through a scheduled task or a Windows Registry Run key. Evasion techniques include process hollowing, sandbox detection by enumerating open windows and other signs of interactive use, and encrypted configuration blobs that hinder static analysis.

📜 History & Notable Incidents

The first documented campaign, "Operation C-Major," targeted government ministries in South Korea and Taiwan during late 2017, according to Unit 42's August 2018 report. No high-profile victim names were publicly disclosed, but the campaign affected at least five organizations in East Asia. CVE-2017-11882 is the only vulnerability known to be exploited by GoldenSpy, and the malware has no associated law-enforcement takedowns. Academic analysis by Chinese researchers in 2019 noted links to the wider TA429 toolset.

🔍 Detection Indicators

Behavioral indicators include the creation of a scheduled task named "MicrosoftUpdateTask" and a mutex named "Global\GoldenSpy_Mutex_1234". Network indicators include the User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" sent during C2 handshakes (this is the stock Internet Explorer 11 string on Windows 7, so on its own it is a weak indicator and should be combined with the others) and HTTP(S) requests to endpoints ending in ".php" or ".asp" on non-standard ports. Registry persistence stores the configuration under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" in a value named "SecurityUpdate".

☠️ Risk & Impact

GoldenSpy poses a critical risk due to its data exfiltration capabilities, primarily targeting classified government documents, intellectual property, and personally identifiable information. The impact is high for affected sectors—especially government, defense, and technology—as full system compromise can lead to prolonged covert surveillance and long-term intelligence loss. Financial losses are difficult to quantify but include remediation costs and reputational damage for victim entities.

🛡️ Mitigation

Defensive measures include applying Microsoft's November 2017 security update for CVE-2017-11882 (Microsoft subsequently removed the Equation Editor component altogether in January 2018), enforcing application allowlisting, and deploying network-level detection rules for the C2 domains and for the User-Agent string in combination with the ".php"/".asp"-on-non-standard-port pattern, since the User-Agent alone matches ordinary Internet Explorer 11 traffic. Endpoint detection and response (EDR) tooling with behavioural analytics can identify process hollowing, scheduled-task creation and Run-key writes, while regular user awareness training reduces phishing risk. Associated MITRE ATT&CK techniques include T1566.001 (Phishing: Spearphishing Attachment), T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter), T1053 (Scheduled Task/Job), T1547.001 (Registry Run Keys / Startup Folder) and T1055.012 (Process Injection: Process Hollowing).
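The following Python script is an added example, not code from the original page or from any vendor report; it turns the host and network indicators listed in the Detection Indicators section, and the combined-signal rule recommended above, into detection logic run over constructed log lines. The key="value" event format, the host name WS-0042, the user jdoe and the 203.0.113.0/24 destination addresses are assumptions made for the example; real Sysmon, Windows Security or proxy exports would need their own field mapping, and mutex creation in particular is only visible through an EDR or sandbox feed, not standard Windows event logs.

```python
"""Hunt for the GoldenSpy indicators in normalised host events and a proxy log.

All sample log lines below are constructed for this example; the key="value"
record layout is a simplified stand-in for a SIEM/EDR export, not a real
Sysmon or proxy format.
"""
import re
from urllib.parse import urlsplit

# Indicators reproduced from the page's Detection Indicators section.
TASK_NAME = "MicrosoftUpdateTask"
MUTEX_NAME = r"Global\GoldenSpy_Mutex_1234"
RUN_VALUE_PATH = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate"
# Stock Internet Explorer 11 / Windows 7 User-Agent. Plenty of benign clients
# send it, so it is never alerted on alone: it only counts together with the
# script-extension URL and the non-standard destination port.
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}
SCRIPT_EXTENSIONS = (".php", ".asp")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> dict:
    """Parse one key="value" record into a dict (constructed layout)."""
    return dict(FIELD_RE.findall(line))


def check_host_event(line: str) -> list:
    """Return the host indicators matched by one normalised EDR-style event."""
    ev = parse_kv(line)
    kind = ev.get("type")
    hits = []
    # Task names are exported with a leading backslash; strip it before comparing.
    if kind == "task_created" and ev.get("name", "").lstrip("\\") == TASK_NAME:
        hits.append("scheduled_task")
    if kind == "registry_set" and ev.get("target", "").lower() == RUN_VALUE_PATH.lower():
        hits.append("run_key")
    if kind == "mutex_created" and ev.get("name") == MUTEX_NAME:
        hits.append("mutex")
    return hits


def score_proxy_event(line: str) -> tuple:
    """Return (alert, reasons); alert is True only when all three network signals coincide."""
    ev = parse_kv(line)
    reasons = []
    if ev.get("ua") == IE11_UA:
        reasons.append("ie11_ua")
    path = urlsplit(ev.get("url", "")).path.lower()
    if path.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script_path")
    try:
        port = int(ev.get("dport", "0"))
    except ValueError:
        port = 0
    if port and port not in STANDARD_WEB_PORTS:
        reasons.append("nonstandard_port")
    return (len(reasons) == 3, reasons)


def hunt(host_lines, proxy_lines) -> dict:
    """Run every check; return the index and reasons of each alerting line."""
    alerts = {"host": [], "network": []}
    for i, line in enumerate(host_lines):
        hits = check_host_event(line)
        if hits:
            alerts["host"].append((i, hits))
    for i, line in enumerate(proxy_lines):
        alert, reasons = score_proxy_event(line)
        if alert:
            alerts["network"].append((i, reasons))
    return alerts


# Constructed sample data: three true positives and one benign Windows task.
HOST_EVENTS = [
    r'type="task_created" host="WS-0042" name="\MicrosoftUpdateTask" author="WS-0042\jdoe"',
    r'type="registry_set" host="WS-0042" target="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate" details="C:\Users\jdoe\AppData\Roaming\svc.exe"',
    r'type="mutex_created" host="WS-0042" name="Global\GoldenSpy_Mutex_1234"',
    r'type="task_created" host="WS-0042" name="\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" author="SYSTEM"',
]
# Constructed proxy lines: one C2-like request, one ordinary IE11 browse, one API call.
PROXY_EVENTS = [
    'src="10.0.0.42" dst="203.0.113.10" dport="4443" method="POST" url="/update/check.php?id=7" ua="' + IE11_UA + '"',
    'src="10.0.0.42" dst="203.0.113.20" dport="443" method="GET" url="/news/index.php" ua="' + IE11_UA + '"',
    'src="10.0.0.42" dst="203.0.113.30" dport="8000" method="GET" url="/api/v1/status" ua="curl/7.88.1"',
]

if __name__ == "__main__":
    for scope, found in hunt(HOST_EVENTS, PROXY_EVENTS).items():
        for idx, reasons in found:
            print(f"[{scope}] line {idx}: {', '.join(reasons)}")
```

Only the first proxy line alerts: the second carries the same User-Agent to a ".php" page but on port 443, which is exactly the benign browsing the combined rule is meant to ignore. In production the host checks would be mapped onto Security event 4698 for task creation and Sysmon event 13 for the Run-key write, and the network rule onto the proxy's own field names.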


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.