GoLoader LaaS: A Two-Year-Old Go-Based Loader-as-a-Service Framework Delivering 7+ Malware Families via DLL Sideloading
Published: 2026-03-08 | Author: Breakglass Intelligence | Tags: malware, loader, Vidar, StealC, SmokeLoader, DLL-sideloading, Go, reflective-PE-loading, LaaS
TL;DR
A Go-based loader-as-a-service framework has been operating for over two years, delivering at least seven malware families -- Vidar, StealC, SmokeLoader, Rhadamanthys, LummaStealer, RemcosRAT, and ValleyRAT -- through DLL sideloading of signed VMware and Microsoft Edge binaries. We reverse-engineered its custom three-layer encryption scheme, recovered the decrypted native Vidar payload, identified 126+ samples across two framework versions, and discovered a lure specifically targeting security researchers with fake "Carbanak source code."
From Vidar Loader to Multi-Family Platform
This investigation began with a tagged Vidar sample on MalwareBazaar: a Go-compiled DLL named intl.dll that sideloads through a renamed VMware Tools binary disguised as a Roblox game cheat. What looked like a single-campaign Vidar dropper turned out to be much larger.
Import hash pivoting across MalwareBazaar uncovered 126+ samples spanning two years of active development, multiple framework versions, and at least seven distinct final payloads. The operator (or operators -- the multi-family delivery pattern strongly suggests a loader-as-a-service model) has evolved the framework through three major versions, progressively stripping detection signatures while adding capabilities.
The framework's lineage traces back to March 2024, when Malwarebytes documented "Dropper 1.3" -- a Go binary delivered via Google Ads malvertising impersonating PuTTY, dropping Rhadamanthys stealer. That same SFTP staging server (192.121.16.228:22, credentials root / XNSK6Vz5w4bF) and IP validation domain (zodiacrealm[.]info) link directly to the current campaign.
The DLL Sideloading Chain
The primary delivery package arrives as a password-protected ZIP (password: 2026) containing a directory named Executor_x64/. The victim sees what appears to be a Roblox game cheat installer. The actual execution chain abuses a signed VMware binary:
Executor_x64/
|-- Roblox Executor.exe <-- Legitimate VMware vmtoolsd.exe v12.1.5 (renamed)
|-- intl.dll <-- MALICIOUS Go DLL (internal name: "Crypt.dll")
|-- vmtools.dll <-- Legitimate VMware Tools runtime (signed)
|-- glib-2.0.dll <-- Legitimate GLib 2.0 (signed)
|-- gobject-2.0.dll <-- Legitimate GObject 2.0 (signed)
|-- gmodule-2.0.dll <-- Legitimate GModule 2.0 (signed)
|-- pcre.dll <-- Legitimate PCRE (signed)
|-- VCRUNTIME140.dll <-- Legitimate MS VC Runtime (signed)
|-- VCRUNTIME140_1.dll <-- Legitimate MS VC Runtime (signed)
|-- config.vdf <-- Decoy Steam client config
|-- cacert.pem <-- DigiCert root CA cert
+-- workspace/ <-- Empty directory
The sideloading mechanism is straightforward: vmtoolsd.exe imports intl.dll and calls libintl_gettext at startup. The malicious DLL exports 36 functions matching the legitimate GNU libintl API surface. When libintl_gettext is called, the Go runtime initializes and the loader's decryption routine fires.
The key detection artifact here is the DLL's internal export name: Crypt.dll. This mismatch between the file on disk (intl.dll) and the PE export directory name is a reliable indicator.
A second sideloading vector was discovered using msedge_elf.dll targeting Microsoft Edge. Ten samples appeared in a concentrated 5-day burst (January 9-14, 2026), suggesting a test campaign that may have been abandoned.
| DLL Name | Sideloading Host | Campaign Period | Samples |
|---|---|---|---|
intl.dll | VMware vmtoolsd.exe (renamed) | Nov 2025 -- Mar 2026 | 12+ |
msedge_elf.dll | Microsoft Edge binary | Jan 9-14, 2026 | 10 |
Framework Architecture: Two Stages, Three Versions
The GoLoader framework operates as a two-stage system. Stage 1 handles encrypted payload storage/retrieval and decryption. Stage 2 is a reflective PE loader that maps the decrypted stealer into memory without touching disk.
Version Matrix
| Attribute | v0 (Mar 2024) | v1 (2025-2026) | v2 (2026) |
|---|---|---|---|
| Go Version | 1.21.0 | 1.20.1 | 1.20.5 |
| Raft noise types | Unknown | Present | Stripped |
| Video codec noise | Unknown | Present | Stripped |
| PE Loader | Unknown | Custom parsePE/resolveImports | Full debug/pe reimplementation |
| DLL sideloading | No (EXE only) | intl.dll + msedge_elf.dll | intl.dll |
| Delivery | SFTP dropper | Embedded encrypted blob | Embedded encrypted blob |
| Families delivered | Rhadamanthys | Vidar, StealC, RemcosRAT, ValleyRAT | SmokeLoader, StealC |
Note that the Go version decreased from 1.21.0 to 1.20.1/1.20.5. The developer intentionally downgraded, likely to maintain a specific compilation output profile or avoid runtime behavioral changes introduced in newer Go releases.
Stage 1: Encrypted Payload Loader
Every Stage 1 sample shares a common obfuscation pattern:
Randomized module paths -- each build uses a different single English word:
consecutive, undefined, jewellery, greetings, insurance, furnished, executives, subsequent
English word function names -- functions are named with innocuous words, randomized per-build:
| Sample | Module | Obfuscated Functions |
|---|---|---|
| intl.dll | undefined | Automotive, Commander, Concluded, Mainstream, Partition, Productivity |
| GoLoader | consecutive | Beautiful, Beautifully, Examining, Forbidden, Housewives, Workstation |
| StealC | greetings | Amendment, Containers, Contributing, Mathematical, Packaging, Traditional |
| SmokeLoader | executives | Bibliographic, Centuries, Commercial, Compromise, Effectiveness, Widespread |
Compound-word identifiers -- two English words concatenated as type or variable names:
Defendantstructures, Pharmacologyinstitutes, Constitutionalprojected,
Involvementpreservation, Lafayettedemocracy, Applicablecomplicated,
Cardiovasculardevelopment, Securitiessubmissions, Sublimedirectory
These naming conventions serve dual purposes: they defeat simple string-based YARA rules that look for suspicious function names, and they make casual static analysis produce a wall of English words that looks plausibly benign.
Fake Raft Consensus Types (v1 Only)
The v1 framework embeds Go struct definitions mimicking the Raft distributed consensus protocol:
// These types exist in the binary but have NO implementation
main.AppendEntries // Raft log replication RPC
main.VoteRequest // Raft leader election RPC
main.VoteResponse // Raft election response
main.LogEntry // Raft log entry
main.LogIndex // Raft log position
main.NodeID // Raft cluster node identifier
main.Term // Raft election term number
Struct fields include PrevLogIndex, PrevLogTerm, LastLogIndex, and LastLogTerm -- all correct Raft terminology. But there are no associated function implementations. No HandleAppendEntries, no StartElection, no heartbeat logic. These are pure noise types designed to make the binary appear to be a legitimate distributed systems application in tools like go tool objdump or IDA.
Additionally, v1 includes fake video codec types (Bitstream, MacroBlock, MotionVector) creating a secondary false impression that the binary is a media processing tool.
In v2, all of this noise is stripped. The developer is monitoring detection signatures and adapting.
The Custom Encryption Scheme (Cracked)
The framework uses no standard cryptographic libraries. The encryption is entirely hand-rolled in Go, combining three layers. We fully reverse-engineered this from disassembly at RVA 0x68bc0-0x698c5 and successfully decrypted the native Vidar payload from the prototype "Dropper 1.3" sample.
Layer 1: Data Interleaving
The encrypted blob is prefixed with a per-sample 8-byte constant. The data (minus this prefix) is split in half: the first half is kept in order, the second half is reversed. The two halves are then interleaved -- even-indexed bytes from the first half, odd-indexed bytes from the reversed second half.
Layer 2: Arithmetic Transform
Each byte undergoes: result = NOT(byte - key_byte) where key_byte = key_value & 0xFF.
Layer 3: Fibonacci-like Keystream XOR
A keystream is generated:
ks[0] = key_byte
ks[1] = (7 * key_value) & 0xFF
ks[i] = (ks[i-1] + ks[i-2] + i) & 0xFF for i >= 2
The output of Layer 2 is XOR'd with this keystream to produce the final ciphertext.
Per-Sample Constants
| Sample | 8-Byte Prefix | Key Value | Key Byte |
|---|---|---|---|
| intl.dll (cb4e2e) | 0x33b026fd21a7afb2 | 0xe86b2 | 0xB2 |
| GoLoader (74aadf) | 0xbc7a041ee50f6834 | 0x184f73 | 0x73 |
| StealC (0f0337) | (identified) | 0x2d8863 | 0x63 |
Decrypted Vidar Payload
Applying the decryption to the prototype sample's blob yielded a clean PE32+ AMD64 executable:
| Field | Value |
|---|---|
| SHA256 | 6886ec9cde3c277c49a8e0c052bdf084a9334439e4081137f83e4dd45a132c34 |
| Size | 629,958 bytes |
| Compile Time | 2026-02-27 11:26:42 UTC |
| Imports | KERNEL32.dll (88 funcs), USER32.dll (7), ADVAPI32.dll (7) |
| Indicators | ChromeBuildTools paths, Cookies paths, registry/credential functions |
The current campaign's intl.dll samples use a stronger variant of this scheme. Entropy analysis (7.94-7.99 uniformly across all 16KB blocks) and exhaustive testing of all 256 single-byte XOR values, multiple RC4 keys, and known module path strings failed to produce an MZ header. The key derivation for the current samples likely uses runtime computation from constants dispersed through the Go binary, requiring dynamic analysis or full Go decompilation.
Reflective PE Loader: Two Generations
v1 Loader (module: jewellery)
The classic reflective loading pattern, implemented entirely in Go:
main.parsePE -- Parse PE headers from memory buffer
main.resolveImports -- Walk IAT, call LoadLibraryA/GetProcAddress
main.processRelocations -- Apply base relocation fixups
main.getExportByOrdinal -- Resolve exports by ordinal number
main.Virtual_Alloc -- VirtualAlloc wrapper
main.cStringAt -- Read null-terminated C string from offset
main.modKernel32 -- Cached kernel32.dll handle
main.procGetProcAddress -- Cached GetProcAddress pointer
main.Trick -- Entry point invocation (anti-analysis?)
This handles PE32+ binaries with full IAT resolution, base relocations (IMAGE_REL_BASED_DIR64), and export table by ordinal. No TLS callback support, no delay-load imports, no .NET CLR bootstrap.
v2 Loader (module: subsequent)
A significant evolution. The v2 loader reimplements the entire Go debug/pe package in custom code:
main.ParseFuncAddress -- Resolve function addresses from exports
main.ParseOrdinal -- Resolve by ordinal
main.readDataDirectories -- Parse PE data directories
main.readOptionalHeader -- Parse PE optional header (64-bit)
main.readRelocs -- Parse relocation table
main.DropProc -- Process creation (CreateProcess)
main.NewFile / main.NewReader -- File/reader initialization
main.File / main.Section -- Custom PE type definitions
main.FileHeader / main.SectionHeader / main.SectionHeader32
main.OptionalHeader64 / main.DataDirectory / main.Reloc
main.StringTable / main.IndexByte / main.cstring
By reimplementing debug/pe from scratch, the v2 loader parses PE files entirely in user-mode Go code without calling any Windows API PE parsing functions. This makes API hooking and behavioral detection significantly harder. The addition of main.DropProc also suggests v2 can spawn new processes rather than relying solely on reflective injection.
Social Engineering: From Gamers to Security Researchers
The framework's lure diversity is unusual for a commodity loader:
| Lure | Target | Example Filename |
|---|---|---|
| Roblox Executor | Children/gamers | Roblox Executor.exe, Executor_x64.zip (pw: 2026) |
| Roblox Bootstrapper | Children/gamers | Bootstrappper-9.991.zip (pw: ryos) |
| TON Crypto Wallet | Crypto users | Version info: "Your desktop wallet on The Open Network" |
| Recuva Data Recovery | Software pirates | recuva_professional__technician_(2024)_full_español_[mega].exe |
| PuTTY SSH Client | IT admins | Google Ads malvertising (2024 campaign) |
| Instagram Bot | Social media users | InstagramBot2025.109INSTALL.exe |
| Software Cracks | Pirates | Pro Setup.exe, downloadsetup.exe |
| Carbanak Source Code | Security researchers | source code of carbanak backdoor discovered.exe |
The Carbanak lure warrants attention. Targeting security researchers and threat analysts with fake malware source code is a tactic previously associated with North Korean operations (Lazarus Group), though it is also used by sophisticated cybercrime groups. Anyone who received or downloaded a file matching this description should treat their analysis environment as compromised.
C2 Infrastructure
Active Servers
| IP | Role | Hosting | Status |
|---|---|---|---|
95.85.239.146 | Vidar C2/staging | MHost LLC (AS200823), Georgia | LIVE -- Apache/2.4.58 default page |
80.97.160.190 | StealC C2 panel | AlexHost SRL (AS48753), Moldova | LIVE -- nginx 403, /config.php returns 200 (auth-gated) |
217.156.66.135 | StealC C2 | goodwin.unison-uwe.org.uk | OFFLINE -- botnet ID 11111 |
Both MHost LLC and AlexHost SRL are known bulletproof-adjacent hosting providers frequently used for malicious infrastructure.
The third C2 at 217.156.66.135 is notable for its hostname: goodwin.unison-uwe.org.uk. This pattern suggests either compromised infrastructure at the University of the West of England (UWE Bristol) or domain impersonation. The StealC botnet ID 11111 was extracted via Triage sandbox config analysis.
Historical Infrastructure (Dropper 1.3, 2024)
| Indicator | Role |
|---|---|
puttyconnect[.]info | Malvertising redirect |
astrosphere[.]world | Payload delivery |
zodiacrealm[.]info | Victim IP validation (/api.php?action=check_ip&ip=) |
192.121.16[.]228:22 | SFTP payload staging (EDIS GmbH, Netherlands) |
The SFTP server at 192.121.16.228 was used with hardcoded credentials (root / XNSK6Vz5w4bF) and InsecureIgnoreHostKey -- no host key verification. The server remains alive but credentials have been rotated.
MalwareBazaar Hunting Results
EXE Import Hash: f0ea7b7844bbc5bfa9bb32efdcea957c
100 samples returned (API limit). After filtering out legitimate Go red team tools (Sliver, CobaltStrike loaders, Ligolo) that share the same stdlib import surface:
| Family | Count | Date Range | Notes |
|---|---|---|---|
| Vidar | ~18 | Aug 2025 -- Mar 2026 | Primary payload, continuous |
| StealC | ~10 | Dec 2025 -- Mar 2026 | Growing market share |
| SmokeLoader | ~5 | Mar 2026 | Newest addition |
| Rhadamanthys | 1 | Jul 2025 | Original payload family |
| LummaStealer | 1 | Jul 2025 | Single sample |
| RemcosRAT | 2 | Jan 2026 | Larger builds (8-11MB) |
| ValleyRAT | 3 | Nov-Dec 2025 | Chinese RAT (SilverFox?) |
DLL Import Hash: 7ecc3b9e18c31c23f5275a91f6c533d1
26 samples total: 12 intl.dll (Nov 2025 -- Mar 2026), 10 msedge_elf.dll (Jan 2026 burst), 4 older samples (likely unrelated Meterpreter/ReverseSSH).
MITRE ATT&CK Mapping
| Technique | ID | Usage |
|---|---|---|
| User Execution: Malicious File | T1204.002 | Password-protected ZIP lures |
| DLL Side-Loading | T1574.002 | intl.dll via VMware vmtoolsd.exe, msedge_elf.dll via Edge |
| Obfuscated Files or Information | T1027 | Custom 3-layer encryption, fake Raft types, English word obfuscation |
| Reflective Code Loading | T1620 | Go-based reflective PE loader (both v1 and v2) |
| Ingress Tool Transfer | T1105 | SFTP dropper variant downloads payload from hardcoded server |
| Masquerading: Match Legitimate Name or Location | T1036.005 | intl.dll impersonating GNU libintl |
| Credentials from Password Stores | T1555 | Vidar stealer targets browser credentials |
| Steal Web Session Cookie | T1539 | Vidar targets browser cookies |
| System Information Discovery | T1082 | IP enumeration via api.ipify.org |
YARA Rules
rule GoLoader_Framework_v1 {
meta:
description = "Go Loader-as-a-Service framework v1 with Raft consensus noise types"
author = "Breakglass Intelligence"
date = "2026-03-08"
family = "GoLoader LaaS"
reference = "MalwareBazaar imphash:f0ea7b7844bbc5bfa9bb32efdcea957c"
strings:
$raft1 = "main.AppendEntries" ascii
$raft2 = "main.VoteRequest" ascii
$raft3 = "main.VoteResponse" ascii
$raft4 = "main.LogEntry" ascii
$raft5 = "main.NodeID" ascii
$codec1 = "main.Bitstream" ascii
$codec2 = "main.MacroBlock" ascii
$codec3 = "main.MotionVector" ascii
$go_ver = "go1.20.1" ascii
$func1 = "main.func1" ascii
$func2 = "main.func2" ascii
condition:
uint16(0) == 0x5A4D and
filesize < 15MB and
3 of ($raft*) and
2 of ($codec*) and
$go_ver and
$func1 and $func2
}
rule GoLoader_Framework_v2 {
meta:
description = "Go Loader-as-a-Service framework v2 (stripped noise variant)"
author = "Breakglass Intelligence"
date = "2026-03-08"
family = "GoLoader LaaS"
strings:
$go_ver = "go1.20.5" ascii
$func1 = "main.func1" ascii
$func2 = "main.func2" ascii
$trick = "main.Trick" ascii
$valloc = "main.Virtual_Alloc" ascii
$ton1 = "Ton Apps Group" ascii
$ton2 = "The Open Network" ascii
$pe1 = "main.ParseFuncAddress" ascii
$pe2 = "main.ParseOrdinal" ascii
$pe3 = "main.readDataDirectories" ascii
condition:
uint16(0) == 0x5A4D and
filesize < 15MB and
$go_ver and $func1 and $func2 and
(($trick and $valloc) or (1 of ($ton*)) or (2 of ($pe*)))
}
rule GoLoader_PE_Reflector {
meta:
description = "Go-based reflective PE loader component (both framework versions)"
author = "Breakglass Intelligence"
date = "2026-03-08"
family = "GoLoader LaaS"
strings:
$trick = "main.Trick" ascii
$valloc = "main.Virtual_Alloc" ascii
$pe_v1_1 = "main.parsePE" ascii
$pe_v1_2 = "main.resolveImports" ascii
$pe_v1_3 = "main.processRelocations" ascii
$pe_v2_1 = "main.ParseFuncAddress" ascii
$pe_v2_2 = "main.readRelocs" ascii
$pe_v2_3 = "main.readOptionalHeader" ascii
$go = "Go build" ascii
condition:
uint16(0) == 0x5A4D and
$go and $trick and $valloc and
(($pe_v1_1 and $pe_v1_2 and $pe_v1_3) or
($pe_v2_1 and $pe_v2_2 and $pe_v2_3))
}
rule GoLoader_DLL_Sideload {
meta:
description = "Go DLL sideloading component (intl.dll / msedge_elf.dll)"
author = "Breakglass Intelligence"
date = "2026-03-08"
family = "GoLoader LaaS"
strings:
$export1 = "libintl_gettext" ascii
$export2 = "libintl_bindtextdomain" ascii
$export3 = "libintl_dcgettext" ascii
$crypt = "Crypt.dll" ascii
$cgo = "_cgo_dummy_export" ascii
$go = "Go build" ascii
condition:
uint16(0) == 0x5A4D and
$go and $cgo and
(2 of ($export*) or $crypt)
}
IOCs
SHA256 Hashes
# DLL Sideloading Components (intl.dll)
cb4e2eb1535211460c39c9a6437c0f38bd3580c9550934567c8cbf690d4f9acf intl.dll (variant 1)
951203b59712cb39ce4f35fdef0db671a82b1267df286f31ca93bb9b45e2c1b7 intl.dll (variant 2)
# GoLoader Stage 1 EXE
74aadf8374a2b3be8c275179a68d9cb2e4623197d87b3a7b61da1d4a0511adad Pro Setup.exe
# Reflective PE Loader (Stage 2)
f6801c00bde63f0297059a68eff299705fa6642138c1165eb4ede5c61c4898dd WbhOF98odbzI16YdMnI3qgjE.exe
# StealC Variants
0f033735da6f1724e690a790dc9e53c399a1b64e67bcc892e1ad59d12ed7e40a downloadsetup_patched.exe
640d3f034e41cb7ee11e60742dd19b7049de6161ec62272821a21fa4dad5f3a5 StealC (unpumped)
0c189c41e94658eea3482f30109656d3c911f683698ce5ad531e396d64596542 StealC v2 PE Loader
# SmokeLoader Variant
61bf4833dc24be291e3a21803a8b47a397fbd8d706267e64ac0b7aa24a5d5fad SmokeLoader (Go 1.20.5)
# Decrypted Native Vidar Payload
6886ec9cde3c277c49a8e0c052bdf084a9334439e4081137f83e4dd45a132c34 decrypted_payload.bin
# Historical Dropper 1.3 (2024)
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d PuTTy.exe (GoLoader)
# Researcher-Targeting Lure
bac70244b93a4a92b7e7bae77a60e12e3a5f8f39a25a2d12f98b5098dbb6e103 "source code of carbanak backdoor discovered.exe"
# Delivery Archives
072e30bbf2bb844cb0b93d460581f1a80fa8fac75fded6d80802a8b0dbbe52f5 Executor_x64.zip
62b0303d06a6c3be5cef2d8205d93f79d991ae7823a6d6a458bee1a095847f3b Bootstrappper-9.991.zip
# msedge_elf.dll Sideloading Variants
391a75420ecc2587b5a74dbf8f84e375dfcbc2a4b7f1fa6925be0c26b27fd0ea msedge_elf.dll
08d7d5bba97c81e549e0a38844cabb4a8bd9441a60fb72ad182337f93983dbfc msedge_elf.dll
73b26a3db8f3c6af48f2ed41e5a18b1f9e1c4eab1e3fa5be36db1a3c7b31b0ae msedge_elf.dll
ede41efbc1f4da05a0a67ef6c4e1c7e83dac3e2fe45f0f14ecec4a0c0e6f5b78 msedge_elf.dll
# Additional Vidar Samples
1107b0f7d0c91d82cf71ed1c8c0d1708f0668b5067cf79d7a6d10ab0e31882f4 Vidar
cc5bfb4f338833480f14f82e3f3ba50adce8ab5d07c66e99d2b5b6ef14d3e8a2 Vidar
726d59fa03667955d455deeb70c66acc35ff2e4cbcb7e7b6927b6bc5f4e6a11a Vidar
# Legitimate Binary (Abused for Sideloading)
2803b74d5466845e4dc9063bd516f3679aa2a3f70a30d9e93976c212e87f6e87 vmtoolsd.exe (VMware Tools, signed)
Import Hashes
f0ea7b7844bbc5bfa9bb32efdcea957c GoLoader EXE variants (100+ samples)
7ecc3b9e18c31c23f5275a91f6c533d1 Go DLL sideloading variants (26 samples)
Network Indicators
95.85.239[.]146 Vidar C2/staging (MHost LLC, AS200823, Georgia) -- LIVE
80.97.160[.]190 StealC C2 panel (AlexHost SRL, AS48753, Moldova) -- LIVE
217.156.66[.]135 StealC C2 (goodwin.unison-uwe.org.uk) -- OFFLINE
192.121.16[.]228 SFTP payload staging (EDIS GmbH, Netherlands)
zodiacrealm[.]info Victim IP validation C2
puttyconnect[.]info Malvertising redirect (2024)
astrosphere[.]world Payload delivery (2024)
Go Build IDs
YNTrAH_XUFyphyYyg71Q/WoB_6ngaw0ANVsDfqqU5/PD5zXKDXtMheLZpdefM0/ZS0P5i6rxnFlWxOw0BYk intl.dll
YjfpyfuwPCvVY97jOjyn/6rX3aQ_N6plh3POYwwCO/KexdVp0xp-yxLoti70vq/YH8pot4f7Kq4apr8-NR_ GoLoader
JDujzgB3ybIaGiUWfIm6/YuTIxs6JUw4SamNkTw5k/_ZmHTu0r2L-HlQaGO9DV/iVviQ6Wu8YQkrHknW8Nh Dropped Vidar
PmeiZpTeIgfK2KsVkTis/fTAkT2lTi405OaKVilkr/JbKcPxWEb4itIyFxn240/Uk9sbdi5GYX6dBEf2G0Q StealC
Detection Guidance
- DLL sideloading: Alert on
vmtoolsd.exeexecuting outsideC:\Program Files\VMware\or renamed to non-VMware filenames - Export name mismatch: DLL named
intl.dllwith PE export directory nameCrypt.dll - Go DLL anomaly: PE DLL with 19 sections, Go runtime strings, and a zeroed PE timestamp
- Import hash hunting: Pivot on
f0ea7b7844bbc5bfa9bb32efdcea957c(EXE) and7ecc3b9e18c31c23f5275a91f6c533d1(DLL) - SFTP dropper behavior: Go binary with
golang.org/x/crypto/sshandgithub.com/pkg/sftpimports downloading files via hardcoded credentials - C2 check-in pattern: HTTP GET to
/api.php?action=check_ip&ip=with the victim's external IP - Archive lure context: Password-protected archives with Roblox executor/bootstrapper themes distributed via gaming forums and Discord