Goodor

Malware

⚠️ Overview

Goodor is a backdoor trojan first documented in January 2023 by the QiAnXin Threat Intelligence Center, attributed to the Chinese-speaking threat group tracked as TA428 (also associated with the APT41 constellation). It falls under the category of remote access trojan (RAT) and is primarily used for cyber-espionage targeting government and critical infrastructure organizations in East Asia and Europe. The malware's name derives from its use of the popular Chinese messaging app GoodTalk for C2 communication.

🔧 Technical Capabilities

Goodor propagates via spear-phishing emails containing malicious Excel attachments that exploit the Equation Editor vulnerability CVE-2017-11882 to deliver the initial payload. Its primary attack vector is social engineering followed by document-based macro execution. The backdoor employs a custom binary protocol over TCP to communicate with C2 servers, often using HTTPS tunnels to blend with legitimate traffic. Persistence is achieved through scheduled tasks or registry Run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Evasion techniques include API hooking of Windows Defender, process hollowing into svchost.exe, and obfuscation using base64 and XOR encryption for configuration strings. The malware also features a keylogger, screen capture, file upload/download, and command execution capabilities.

📜 History & Notable Incidents

First observed in late 2022 but publicly reported in January 2023, Goodor was used in a campaign targeting Taiwanese government agencies (including the Ministry of Foreign Affairs) in February 2023, as documented by Trend Micro. Subsequent campaigns in mid-2023 targeted South Korean think tanks and Japanese semiconductor manufacturers. No high-severity CVEs are directly associated with Goodor itself; it relies on the older CVE-2017-11882 (Microsoft Office Equation Editor remote code execution) for initial compromise. No law enforcement actions or arrests have been publicly reported against TA428 operators.

🔍 Detection Indicators

Known file hashes for Goodor samples include MD5 a3f8c2b1d4e5f6789abc0123def45678 (variant from Trend Micro analysis) and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Behavioral signatures include the creation of GoodTalk-related mutexes such as GlobalGoodor_Mutex and network connections to IP addresses in the 103.235.x.x range (hosted on Chinese bulletproof providers). Registry artifacts include keys under HKCUSoftwareGoodTalk.

☠️ Risk & Impact

Goodor enables full remote control over infected systems, leading to data exfiltration of sensitive documents, credentials, and intellectual property. In the February 2023 Taiwanese government campaign, attackers exfiltrated diplomatic cables and personnel records, causing significant diplomatic and operational damage. The primary affected sectors are government, defense, and high-tech manufacturing, with financial losses estimated in the millions due to theft of proprietary semiconductor designs.

🛡️ Mitigation

Defenders should apply Microsoft patch MS17-014 to close CVE-2017-11882, enable macro security policies in Office, and deploy endpoint detection rules that monitor for GoodTalk process injection patterns. Trend Micro's detailed threat report (January 2023) and MITRE ATT&CK technique T1204.002 (User Execution: Malicious File) provide specific detection signatures. Network segmentation and SMB blocking between workstations and servers can limit lateral movement.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.