
EssentialAcquisition: A Custom Go Financial Trojan Running Raft Consensus C2 on Kubernetes

Investigated: March 15, 2026 | Published: March 15, 2026
Tags: stealer, vidar, stealc, countloader, smokeloader, dll-sideloading, social-engineering, credential-theft, c2, malware-analysis

A Go binary filed under "Vidar" on MalwareBazaar implements a full Raft distributed consensus protocol for command-and-control, runs on Kubernetes infrastructure spanning US-West and US-East regions, and targets Ethereum transactions and trading platform positions. It has zero VirusTotal detections. The filename -- source code of carbanak backdoor discovered.exe -- is social engineering aimed at the people who would analyze it.


MalwareBazaar Got This One Wrong

Sample ae8152a8 was uploaded to MalwareBazaar and tagged as Vidar. It is not Vidar. It shares a surface similarity with the GoLoader LaaS framework we documented in a prior investigation -- Go compilation, the same Carbanak filename lure, single-word module naming. But the internals are entirely different.

The GoLoader framework uses Go 1.20.x, has fake Raft struct definitions with no implementation, and delivers commodity stealers (Vidar, StealC, SmokeLoader) via DLL sideloading. EssentialAcquisition is compiled with Go 1.26.1, implements a working Raft consensus protocol with leader election and log replication, contains no known stealer payload, and targets financial infrastructure -- cryptocurrency wallets, Ethereum transactions, and trading positions.

This is a custom tool. Someone built it from scratch.

| Property | GoLoader LaaS (Vidar) | EssentialAcquisition |
|---|---|---|
| Go version | 1.20.1 / 1.20.5 | 1.26.1 |
| Module | undefined, consecutive, etc. | essentialacquisition |
| Raft types | Noise only (no implementation) | Full protocol implementation |
| Obfuscation | English word function names | Garble compiler obfuscation |
| PE timestamp | Zeroed | Zeroed |
| Build flags | Standard | -trimpath |
| Dependencies | External (crypto/ssh, sftp) | Zero external dependencies |
| Payload delivery | Reflective PE loader | Self-contained |
| Target | Credential theft (browser/wallet) | Financial infrastructure |

The only overlap is the filename lure and the use of Go. Everything else diverges.


Binary Profile

| Field | Value |
|---|---|
| SHA256 | ae8152a859ae5c8324c1bf55378eb8acd6055d50da4e76c41c5bc688b92336dc |
| Build ID | mnREDc2-iW29OXGUPPbs/sMUx5N2rdWtBXfgF0SVU/Mv73d7Jcq3mVcJJXQdWa/sP5RTJGxSQlo3r3TGjJw |
| Compiler | Go 1.26.1 |
| Module | essentialacquisition |
| Obfuscator | Garble (symbol stripping) |
| PE timestamp | Zeroed (0x00000000) |
| Build flags | -trimpath (removes local path info) |
| External deps | None (single-module, stdlib only) |
| VT detections | 0/70+ at discovery |

The OPSEC discipline is notable. Garble strips all symbol names that would normally survive in Go binaries. The PE timestamp is zeroed to prevent compilation timeline analysis. The -trimpath flag removes the developer's filesystem paths from the binary. Zero external dependencies means no go.sum fingerprint to pivot on. This is someone who knows how forensic analysis works and built the binary to resist it.


Cloud-Native C2: Raft on Kubernetes

This is where EssentialAcquisition diverges from everything else using this filename lure. The binary implements the Raft distributed consensus protocol -- not as decorative noise types, but as a working C2 coordination layer.

Raft Protocol Implementation

The goroutine architecture reveals the full protocol:

Goroutine Groups (~50+ total):
  Dangerous.*  --> Raft consensus operations
  Collectors.* --> Data harvesting
  Indicating.* --> Beacon/heartbeat

Recovered Raft structures:

AppendEntries {
    Term         uint64
    LeaderID     string
    PrevLogIndex uint64
    PrevLogTerm  uint64
    Entries      []LogEntry
    LeaderCommit uint64
}

VoteRequest {
    Term         uint64
    CandidateID  string
    LastLogIndex uint64
    LastLogTerm  uint64
}

This is textbook Raft. AppendEntries handles log replication from leader to followers. VoteRequest and VoteResponse handle leader election. Heartbeats maintain cluster health. If the leader node goes down, the remaining nodes elect a new leader and continue operating.

For C2, this means: there is no single server to take down. The C2 infrastructure is a distributed cluster that survives node loss through automatic leader election and state replication. Killing one C2 node triggers an election, a new leader emerges, and implants reconnect without operator intervention.

Kubernetes Orchestration

The binary contains Kubernetes-native identifiers embedded in its configuration:

| Artifact | Value | Implication |
|---|---|---|
| Pod names | web-pod-1 | Kubernetes pod naming convention |
| Deployments | web-deployment | Kubernetes Deployment resource |
| Node labels | node-01us-west | US-West region |
| Node labels | node-02us-east | US-East region |
| DNS resolution | Dynamic (no hardcoded IPs) | Kubernetes DNS service discovery |

No hardcoded C2 IP addresses or domains exist in the binary. C2 resolution is entirely dynamic, using what appears to be Kubernetes internal DNS (<service>.<namespace>.svc.cluster.local pattern). This makes traditional IOC-based blocking ineffective -- there are no IPs to blacklist, no domains to sinkhole. The C2 nodes discover each other through Kubernetes service discovery, and implants resolve their C2 endpoints the same way.

The multi-region deployment (us-west, us-east) provides geographic redundancy. If the US-West cluster is disrupted, US-East continues operating independently.
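The dynamic-resolution behaviour above gives defenders one concrete signal (also listed under Detection Guidance below): a host that is not part of a cluster should never look up a `<service>.<namespace>.svc.cluster.local` name. The following is an added example of that check, not code from the report or the sample; the log line format, the source addresses and the cluster pod/service ranges are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)
// clusterSvcRe matches <service>.<namespace>.svc.cluster.local, optional trailing dot.
var clusterSvcRe = regexp.MustCompile(`^[a-z0-9-]+\.[a-z0-9-]+\.svc\.cluster\.local\.?$`)
// inCluster reports whether addr falls inside any of the cluster's pod/service ranges.
func inCluster(addr netip.Addr, cluster []netip.Prefix) bool {
	for _, p := range cluster {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}
// FlagClusterDNSLeaks scans log lines of the form "<timestamp> <src-ip> <qtype> <qname>" and
// returns "<src-ip> <qname>" for in-cluster service lookups whose source is not a cluster address.
func FlagClusterDNSLeaks(lines []string, cluster []netip.Prefix) []string {
	var findings []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line; skip it rather than abort the scan
		}
		src, qname := f[1], strings.ToLower(f[3])
		addr, err := netip.ParseAddr(src)
		if err != nil || !clusterSvcRe.MatchString(qname) || inCluster(addr, cluster) {
			continue
		}
		findings = append(findings, src+" "+qname)
	}
	return findings
}
// sampleLog and clusterRanges are constructed for this example, not taken from the report.
var sampleLog = []string{
	"2026-03-15T10:02:11Z 10.244.1.5 A web-deployment.default.svc.cluster.local",
	"2026-03-15T10:02:14Z 192.168.1.50 A web-deployment.prod.svc.cluster.local.",
	"2026-03-15T10:02:15Z 192.168.1.50 A updates.example.com",
	"2026-03-15T10:02:19Z 192.168.1.77 AAAA collector-api.ops.svc.cluster.local",
}
var clusterRanges = []netip.Prefix{netip.MustParsePrefix("10.244.0.0/16"), netip.MustParsePrefix("10.96.0.0/12")}
func main() {
	for _, f := range FlagClusterDNSLeaks(sampleLog, clusterRanges) {
		fmt.Println("in-cluster name resolved from outside the cluster:", f)
	}
}
```

On the constructed log the two workstation lookups are flagged and the pod-originated one is not; in practice, feed it resolver logs from the corporate DNS tier, where a cluster-internal name should never appear at all.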


Financial Targeting

The binary's data structures reveal its purpose. This is not a general-purpose stealer. It targets financial infrastructure with surgical precision.

Cryptocurrency Operations

WalletID    string
Transaction {
    BlockNum  uint64
    GasLimit  uint64
    PrevHash  string
}

The GasLimit and PrevHash fields are Ethereum-specific. GasLimit sets the maximum computational work a transaction can consume. PrevHash links to the previous block. This is not credential theft -- it is transaction-level manipulation. The binary can construct, modify, or intercept Ethereum transactions.

Trading Platform Integration

Order {
    // Trading order management
}

Trade {
    // Executed trade records
}

Position {
    // Open position tracking
}

PnLRecord {
    // Profit and loss accounting
}

Transaction error codes provide further insight into the operational model:

| Error Code | Purpose |
|---|---|
| PENDING | Transaction queued |
| LOW_FEE | Gas price insufficient |
| INSUFFICIENT_FUNDS | Wallet balance check |
| SENDER_NOT_FOUND | Wallet validation |

These error codes handle edge cases in automated transaction submission. The operator is not just stealing wallet credentials -- they are building infrastructure to execute trades and move funds programmatically.


The Carbanak Angle

The filename source code of carbanak backdoor discovered.exe is doing double duty.

First, it is social engineering targeting security researchers. Carbanak (aka Anunak) is one of the most studied financial APT toolkits in history, attributed to FIN7/Carbanak Group, responsible for an estimated $1B+ in losses from financial institutions. A file claiming to be Carbanak source code is irresistible bait for anyone in threat intelligence or malware analysis. The operator knows their audience.

Second, the financial targeting TTPs create a legitimate question about attribution proximity. Carbanak/FIN7 specialized in financial institution compromise, POS system attacks, and later pivoted to cryptocurrency theft. EssentialAcquisition targets cryptocurrency transactions and trading platforms. The Raft consensus C2 architecture is a sophistication level consistent with APT-grade operations. The Kubernetes multi-region deployment mirrors enterprise infrastructure practices associated with well-resourced groups.

This could be coincidence. The Carbanak filename is used by multiple unrelated campaigns (we have documented it attached to CountLoader, SmokeLoader, and the GoLoader LaaS framework). But the combination of financial targeting, APT-grade C2 architecture, and researcher-focused social engineering warrants monitoring for further correlation.


MITRE ATT&CK Mapping

| Technique | ID | Implementation |
|---|---|---|
| User Execution: Malicious File | T1204.002 | Carbanak source code lure targets researchers |
| Obfuscated Files or Information: Software Packing | T1027.002 | Garble compiler obfuscation |
| Obfuscated Files or Information: Indicator Removal from Tools | T1027.005 | Zeroed PE timestamp, -trimpath |
| Application Layer Protocol: Web Protocols | T1071.001 | Kubernetes DNS-based C2 resolution |
| Dynamic Resolution | T1568 | No hardcoded C2 -- Kubernetes service discovery |
| Fallback Channels | T1008 | Raft consensus provides automatic C2 failover |
| Data from Financial Systems | T1005 | Ethereum transaction structures, trading platform types |
| Multi-Stage Channels | T1104 | Raft log replication across distributed C2 nodes |
| Resource Development: Acquire Infrastructure | T1583.003 | Multi-region Kubernetes cluster (us-west, us-east) |
| Software Discovery | T1518 | Goroutine-based collector architecture |

Indicators of Compromise

Sample

ae8152a859ae5c8324c1bf55378eb8acd6055d50da4e76c41c5bc688b92336dc  "source code of carbanak backdoor discovered.exe"

Build Artifacts

Build ID:  mnREDc2-iW29OXGUPPbs/sMUx5N2rdWtBXfgF0SVU/Mv73d7Jcq3mVcJJXQdWa/sP5RTJGxSQlo3r3TGjJw
Module:    essentialacquisition
Compiler:  go1.26.1
Obfuscator: garble

Kubernetes Infrastructure Indicators

web-pod-1            Kubernetes pod name
web-deployment       Kubernetes Deployment name
node-01us-west       Kubernetes node label (US-West)
node-02us-east       Kubernetes node label (US-East)

Goroutine Function Groups

Dangerous.*          Raft consensus operations
Collectors.*         Data harvesting/exfiltration
Indicating.*         Beacon and heartbeat functions

Detection Guidance

  1. Hunt for Go 1.26.1 binaries with garble obfuscation -- garble strips main.* symbols but leaves Go version strings and Build IDs intact
  2. Monitor for Raft protocol traffic on non-standard ports -- AppendEntries RPCs contain Term, LeaderID, and PrevLogIndex fields
  3. Kubernetes DNS anomalies -- workstations resolving *.svc.cluster.local patterns externally is a high-fidelity signal
  4. Ethereum RPC monitoring -- watch for programmatic transaction construction with manipulated GasLimit values from unexpected sources
  5. Carbanak filename lure -- alert on any executable containing carbanak and source code in the filename. Multiple unrelated campaigns use this lure
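Hunting item 1 and the Binary Profile section both rest on the same observation: garble removes function symbols, but the build metadata Go embeds (toolchain version, main module path, linked modules, -trimpath setting) is still readable with the standard library's debug/buildinfo package. The tool below is an added example, not the report's or any project's code; the MatchesReportProfile heuristic is my own reading of this sample's profile (-trimpath, zero external modules, bare single-word module name), not a published rule.

```go
package main
import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// BuildProfile is the build metadata garble leaves readable in a Go binary.
type BuildProfile struct {
	GoVersion  string
	ModulePath string
	Trimpath   bool
	DepCount   int // linked non-main modules; zero means stdlib only
}

// ProfileGoBinary reads embedded build info from a PE/ELF/Mach-O Go executable.
func ProfileGoBinary(path string) (BuildProfile, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return BuildProfile{}, err
	}
	p := BuildProfile{GoVersion: bi.GoVersion, ModulePath: bi.Main.Path, DepCount: len(bi.Deps)}
	for _, s := range bi.Settings {
		if s.Key == "-trimpath" && s.Value == "true" {
			p.Trimpath = true
		}
	}
	return p, nil
}

// MatchesReportProfile is a hunting heuristic I derived from this report's
// binary profile (not a published rule): -trimpath, no external modules,
// and a bare single-word module path with no host or slash in it.
func MatchesReportProfile(p BuildProfile) bool {
	bareModule := p.ModulePath != "" && !strings.ContainsAny(p.ModulePath, "./")
	return p.Trimpath && p.DepCount == 0 && bareModule
}

func main() {
	for _, path := range os.Args[1:] {
		p, err := ProfileGoBinary(path)
		if err != nil {
			fmt.Printf("%s: %v\n", path, err)
			continue
		}
		fmt.Printf("%s: %+v match=%v\n", path, p, MatchesReportProfile(p))
	}
}
```

Run it over a directory of unknown PE files; the Go version string and module path it prints are the same values the YARA rule below keys on, and a match on the heuristic is a triage lead, not a verdict.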

YARA

rule EssentialAcquisition_Raft_C2 {
    meta:
        description = "EssentialAcquisition Go financial trojan with Raft C2"
        author = "Breakglass Intelligence"
        date = "2026-03-14"
        hash = "ae8152a859ae5c8324c1bf55378eb8acd6055d50da4e76c41c5bc688b92336dc"

    strings:
        $module = "essentialacquisition" ascii
        $go_ver = "go1.26.1" ascii
        $build_id = "mnREDc2-iW29OXGUPPbs" ascii

        $raft1 = "AppendEntries" ascii
        $raft2 = "VoteRequest" ascii
        $raft3 = "VoteResponse" ascii
        $raft4 = "LeaderCommit" ascii

        $k8s1 = "web-pod-1" ascii
        $k8s2 = "web-deployment" ascii
        $k8s3 = "us-west" ascii
        $k8s4 = "us-east" ascii

        $fin1 = "WalletID" ascii
        $fin2 = "GasLimit" ascii
        $fin3 = "PrevHash" ascii
        $fin4 = "BlockNum" ascii

    condition:
        uint16(0) == 0x5A4D and
        filesize < 20MB and
        $module and
        (2 of ($raft*) or 2 of ($k8s*) or 3 of ($fin*))
}

Reported via @abuse_ch MalwareBazaar. Originally classified as Vidar -- it is not.

Breakglass Intelligence | 2026-03-14
