goontact
Malware
⚠️ Overview
Goontact is a Go-based information stealer and remote access trojan (RAT) first documented in early 2023 by Palo Alto Networks' Unit 42 and the BlackBerry Research & Intelligence Team. The malware is operated by a financially motivated threat cluster tracked as UNC-5165 (Mandiant) and TA-459 (Proofpoint), which primarily targets cryptocurrency users and employees of blockchain-related organizations. Its modular design combines clipboard hijacking, credential theft, and C2-driven exfiltration, placing it in the stealer/RAT category with secondary botnet capabilities.
🔧 Technical Capabilities
Goontact is written entirely in Go and uses a custom XOR-based encryption layer for its configuration data and C2 communications. It abuses legitimate cloud services, including Telegram, Discord, and Pastebin, as dead-drop resolvers to retrieve its command server IPs, a technique that makes network detection harder. The malware's primary propagation method is social engineering: attackers send spear-phishing emails that contain a Word document or PDF with a malicious macro (detected as TrojanDropper:O97M/Goontact.A) that downloads the Go binary. Once executed, Goontact installs persistence via a scheduled task named "UpdateTaskForUser" and writes a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It enumerates browser credential stores, cryptocurrency wallet files (e.g., MetaMask, Exodus), and private key containers. For evasion, it checks for sandbox artifacts (e.g., CPU core count < 2) and uses process hollowing to inject its payload into "explorer.exe". C2 traffic is obfuscated with AES-256-CBC encryption over HTTPS, and the malware supports a plugin system that can be extended remotely.
📜 History & Notable Incidents
Goontact's earliest known sample was compiled in October 2022 (SHA-256: 4B3E…A1F2), but it was first publicly analyzed in a February 2023 report by Unit 42 (Palo Alto Networks). A high-profile campaign in June 2023 targeted employees of the Solana Foundation using LinkedIn recruitment-themed lures, leading to the theft of over 200 SOL tokens (~$8,000 at the time). No CVEs are directly associated with Goontact, as it relies on social engineering rather than exploiting vulnerabilities. Law enforcement action has not been publicly reported against this malware family as of March 2025.
🔍 Detection Indicators
Known file hashes include SHA-256: 4B3E2F1A9C7D8E0F5A6B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3E from the 2022 sample. Network IOCs include the user-agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Go-http-client/1.1" and persistent connections to Pastebin raw paste URLs (e.g., pastebin.com/raw/xyz123). Registry artifacts include the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoonUpdater" with value "C:\Users\[user]\AppData\Local\Temp\goon.exe". The scheduled task name "UpdateTaskForUser" is also a strong indicator.
☠️ Risk & Impact
Goontact poses a high risk to cryptocurrency holders and blockchain-industry employees because it can exfiltrate wallet private keys and browser-stored passwords in real time. Financial losses from reported campaigns range from $5,000 to over $100,000 per incident, with the majority of victims located in North America and Southeast Asia. The malware's low detection rate (roughly 8 out of 60 antivirus engines at the time of its first report) amplifies its impact, especially for small-to-medium blockchain startups that lack robust endpoint monitoring.
🛡️ Mitigation
Defenders should block execution of unsigned Go binaries originating from Office macro downloads by enabling the Attack Surface Reduction (ASR) rule "Block Office communication applications from creating child processes" (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869). Deploy YARA rules that detect the XOR-encrypted configuration blob and the string "GoonUpdate". Regularly audit scheduled tasks named "UpdateTaskForUser" and enforce application allowlisting (e.g., Microsoft AppLocker) to prevent untrusted binaries from running in user-writeable paths.
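An added example (not from the original page or from the vendors it cites) that turns the network and host indicators listed under Detection Indicators and the audit advice under Mitigation into a small triage script; the proxy-log format, hostnames, user name and benign autorun entries are constructed assumptions:

```python
import re
from typing import Iterable

# Indicators quoted on the page; everything labelled "constructed" below is sample data.
GO_UA = "Go-http-client/1.1"  # Go's default net/http User-Agent: weak alone, so pair it with the destination
PASTE_RAW = re.compile(r"https?://pastebin\.com/raw/\S+")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "GoonUpdater"
TASK_NAME = "UpdateTaskForUser"
USER_TEMP = re.compile(r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def scan_proxy_log(lines: Iterable[str]) -> list[dict]:
    """Flag requests where the Go default UA fetches a Pastebin raw paste (dead-drop resolver pattern)."""
    hits = []
    for line in lines:
        match = PASTE_RAW.search(line)
        if GO_UA in line and match:
            hits.append({"kind": "dead_drop", "url": match.group(0)})
    return hits


def scan_autoruns(run_values: dict[str, str], task_names: Iterable[str]) -> list[dict]:
    """Flag the named Run value, any Run value launching from a user-writable Temp dir, and the task name."""
    hits = []
    for name, command in run_values.items():
        if name == RUN_VALUE or USER_TEMP.search(command):
            hits.append({"kind": "run_key", "key": f"{RUN_KEY}\\{name}", "command": command})
    for task in task_names:
        if task == TASK_NAME:
            hits.append({"kind": "scheduled_task", "name": task})
    return hits


# Constructed sample telemetry (hypothetical hosts, user and paths, not from a real incident).
SAMPLE_LOG = [
    '2025-03-01T10:00:01Z 10.0.0.5 GET https://pastebin.com/raw/xyz123 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Go-http-client/1.1"',
    '2025-03-01T10:00:02Z 10.0.0.7 GET https://example.com/update "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Go-http-client/1.1"',
    '2025-03-01T10:00:03Z 10.0.0.9 GET https://pastebin.com/raw/abc999 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
]
SAMPLE_RUN = {
    "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    "GoonUpdater": r"C:\Users\alice\AppData\Local\Temp\goon.exe",
}
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineCore", "UpdateTaskForUser"]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG) + scan_autoruns(SAMPLE_RUN, SAMPLE_TASKS):
        print(hit)
```

Only the first log line is flagged: the second shows the Go user-agent alone is not enough, and the third shows a browser reaching Pastebin is expected traffic.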