HealthKick
HealthKick is a custom C++ backdoor named by Proofpoint; Volexity tracks the same code as an early variant of GOVERSHELL and assesses it as the predecessor of the later variants in that lineage. It was first observed in April 2025 and is linked to China-aligned espionage activity, including campaigns attributed to or associated with the Proofpoint-tracked cluster UNK_DropPitch, with overlap noted with the group Volexity tracks as UTA0388. Reporting states it was delivered through spear-phishing campaigns using malicious ZIP or RAR archives that contained a vulnerable legitimate executable and a rogue DLL, so that running the executable loaded the backdoor through DLL sideloading (search-order hijacking). In some campaigns the attackers impersonated fictitious investment firms; in others, HealthKick delivery was observed alongside broader China-linked phishing activity targeting civil society and journalists.
Documented capabilities include executing operator-supplied commands on the infected host (via cmd.exe in the earliest variant), capturing the command output, and exfiltrating the results to command-and-control infrastructure. Proofpoint reported that HealthKick established persistence through a scheduled task named SystemHealthMonitor configured to run every five minutes. For C2, the sample attempted to open a connection (described in Proofpoint's reporting as a web socket) to the actor-controlled IP 82.118.16[.]72 on TCP port 465 and spoke a FakeTLS protocol: traffic is wrapped in TLSv1.2-like record header bytes rather than a negotiated TLS session, and the payload that follows is XOR-encoded with the key "mysecretkey". Proofpoint also noted that command parsing requires a double FakeTLS header. Because port 465 is the port commonly used for SMTP over TLS, the port alone is a weak indicator; a practitioner should pair it with the destination IP or with the absence of a genuine TLS handshake on the connection.
Victimology named in the reporting includes large investment banks and financial investment professionals specializing in Taiwan's semiconductor and technology sectors; in those campaigns the targets were the analysts and investors covering the industry rather than the semiconductor manufacturers themselves. Related reporting ties HealthKick/GOVERSHELL activity to targets across North America, Europe, and Asia, with lures written in English, Chinese, Japanese, French, and German. High-confidence indicators called out in the source content are the C2 IP 82.118.16[.]72, TCP port 465, the XOR key "mysecretkey", and the scheduled task name SystemHealthMonitor.
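The framing described above, as an added example that is not code from the page or from Proofpoint's analysis. It assumes each message is a TLS 1.2 application-data record header (bytes 17 03 03 plus a two-byte big-endian length) followed by the payload XORed with the repeating key "mysecretkey"; the implant's exact field layout is not given in the reporting, and the sample exchange is constructed. The parser consumes back-to-back records, which is how a response carrying two FakeTLS headers would arrive on the wire, and the last function is a detection heuristic: a real TLS connection (including real SMTPS on port 465) starts with a handshake record, so a first record of type 0x17 means no keys were ever negotiated.

```python
# Added example: encoder/decoder for the FakeTLS + XOR framing attributed to
# HealthKick. Field layout and the sample exchange are assumptions for illustration.
KEY = b"mysecretkey"           # XOR key named in the reporting
TLS_APPLICATION_DATA = 0x17    # TLS record content type "application data"
TLS12_VERSION = b"\x03\x03"    # TLS 1.2 record-layer version bytes
HEADER_LEN = 5                 # type (1) + version (2) + length (2)


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_record(plaintext: bytes, key: bytes = KEY) -> bytes:
    """Wrap an XOR-encoded payload in a fake TLS 1.2 application-data header."""
    body = xor_with_key(plaintext, key)
    if len(body) > 0xFFFF:
        raise ValueError("payload too large for a single record")
    return bytes([TLS_APPLICATION_DATA]) + TLS12_VERSION + len(body).to_bytes(2, "big") + body


def parse_records(stream: bytes, key: bytes = KEY) -> list:
    """Split a byte stream into consecutive fake records and decode each payload.

    Walking record by record means a stream with two headers in front of the
    command is handled the same way as a single record.
    """
    decoded = []
    offset = 0
    while offset < len(stream):
        header = stream[offset:offset + HEADER_LEN]
        if len(header) < HEADER_LEN:
            raise ValueError(f"truncated header at offset {offset}")
        if header[0] != TLS_APPLICATION_DATA or header[1:3] != TLS12_VERSION:
            raise ValueError(f"not a fake TLS 1.2 application-data record at offset {offset}")
        length = int.from_bytes(header[3:5], "big")
        body = stream[offset + HEADER_LEN:offset + HEADER_LEN + length]
        if len(body) != length:
            raise ValueError(f"truncated body at offset {offset}")
        decoded.append(xor_with_key(body, key))
        offset += HEADER_LEN + length
    return decoded


def starts_without_handshake(first_bytes: bytes) -> bool:
    """Network-detection heuristic: genuine TLS opens with a handshake record
    (content type 0x16), so a connection whose very first record is application
    data (0x17) never negotiated keys and is a FakeTLS tell."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == TLS_APPLICATION_DATA
            and first_bytes[1:3] == TLS12_VERSION)


if __name__ == "__main__":
    # Constructed exchange: operator sends one command, implant returns its output.
    wire = build_record(b"whoami") + build_record(b"ws01\\analyst\r\n")
    print("first record is application data:", starts_without_handshake(wire))
    for message in parse_records(wire):
        print(message)
```

Run against a packet capture, feed the first bytes of each TCP payload on port 465 to `starts_without_handshake`; genuine SMTPS sessions will fail the check because their first record is a ClientHello.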
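The following hunt applies the four indicators listed above to endpoint telemetry. It is an added example, not tooling from the page or from any vendor; every telemetry record in it is constructed, and the assumption that the task was created with a schtasks.exe command line is mine (the reporting names the task and its interval, not how it was registered). It treats the destination IP as the high-confidence match and never alerts on port 465 by itself, because that port carries legitimate SMTPS traffic.

```python
# Added example: apply HealthKick indicators to constructed Sysmon-style telemetry.
# Only the IP, port, task name and interval come from the reporting; the records
# and the schtasks command-line form are assumptions for illustration.
import csv
import io
import re

C2_IP = "82.118.16.72"       # defanged in the text as 82.118.16[.]72
C2_PORT = 465                # also the common SMTPS port: never alert on the port alone
TASK_NAME = "SystemHealthMonitor"
TASK_INTERVAL_MIN = 5

# Constructed telemetry flattened to CSV: event_id 1 = process creation,
# event_id 3 = network connection. Not data from any real host.
SAMPLE_TELEMETRY = """event_id,host,image,command_line,dest_ip,dest_port
1,WS01,C:\\Windows\\System32\\schtasks.exe,"schtasks /create /sc minute /mo 5 /tn SystemHealthMonitor /tr C:\\Users\\Public\\svc.exe",,
3,WS01,C:\\Users\\Public\\svc.exe,,82.118.16.72,465
1,WS02,C:\\Windows\\System32\\schtasks.exe,"schtasks /create /sc daily /tn NightlyBackup /tr C:\\Tools\\backup.exe",,
3,WS02,C:\\Program Files\\Mail\\mail.exe,,203.0.113.5,465
3,WS03,C:\\Users\\Public\\svc.exe,,82.118.16.72,8443
"""

_TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)
_SC_MINUTE = re.compile(r"/sc\s+minute\b", re.IGNORECASE)
_MODIFIER = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)


def classify_task_creation(command_line: str):
    """Label a schtasks /create command line, or return None if it is benign."""
    match = _TASK_NAME.search(command_line)
    if not match:
        return None
    if match.group(1).lower() == TASK_NAME.lower():
        return "healthkick.task_name"        # exact indicator from the reporting
    modifier = _MODIFIER.search(command_line)
    if _SC_MINUTE.search(command_line) and modifier and int(modifier.group(1)) == TASK_INTERVAL_MIN:
        return "healthkick.task_interval"    # weaker: same cadence, different name
    return None


def classify_connection(dest_ip: str, dest_port: int):
    """The IP is the high-confidence signal; a matching port only raises severity."""
    if dest_ip != C2_IP:
        return None
    return "healthkick.c2_ip_port" if dest_port == C2_PORT else "healthkick.c2_ip"


def hunt(csv_text: str):
    """Run both checks over CSV telemetry and return [(host, image, label), ...]."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        label = None
        if event_id == 1:
            label = classify_task_creation(row["command_line"])
        elif event_id == 3 and row["dest_ip"]:
            label = classify_connection(row["dest_ip"], int(row["dest_port"]))
        if label:
            findings.append((row["host"], row["image"], label))
    return findings


if __name__ == "__main__":
    for host, image, label in hunt(SAMPLE_TELEMETRY):
        print(f"{host}: {label} ({image})")
```

In the sample, WS01 produces both a task-name and an IP-plus-port hit, WS03 produces an IP-only hit on a different port, and WS02's nightly backup task and outbound SMTPS session produce nothing.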
Groups observed using it
3 distinct threat actors attributed by public researchers.
Volexity tracks the deployed payload as GOVERSHELL and has observed five distinct variants of this malware family.
If the downloaded file was opened and executed, the user’s device would be infected with a custom backdoor. The backdoor is tracked by the security vendor Proofpoint as “HealthKick,” and by the security vendor Volexity as an early variant of “GOVERSHELL.”
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
"exploiting two then-zero-day security flaws in Cisco ISE and Citrix NetScaler"; "WSUS... RCE"; "Cisco IOS XE... CVE-2023-20198"; "SharePoint ToolShell"; "VMware Tools... exploited as a zero-day"
The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society...
Chinese state-aligned hackers have ramped up espionage efforts against Taiwan's semiconductor ecosystem through spear-phishing campaigns... UNK_FistBump used job-themed lures, posing as graduate students applying for positions. The attackers sent phishing emails from compromised Taiwanese university email accounts to HR and recruiting teams at semiconductor companies. Attached documents led to malware-laced ZIP or PDF files hosted on file-sharing platforms such as Zendesk and Filemail.
Starting in June 2025, Volexity detected a series of spear phishing campaigns... The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload.
Execution
6 techniques
All variants observed by Volexity make use of a scheduled task for persistence... Each variant of GOVERSHELL sets up persistence via a scheduled task on its first execution.
Variant 2... Can execute commands directly via a PowerShell reverse shell... Variant 3... Data that follows is passed to powershell.exe -NoProfile -Command <command>.
GOVERSHELL Variant 1 (Early) Capabilities: Can execute commands directly on the Windows command prompt (cmd.exe /c <command>).
“Execution of the… LNK file… runs a VBS script… [and] opens a decoy document…” / “Upon execution… scheduled task… created…”
Users would then need to open and execute the executable file within the archive in order to become infected.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques
“...decrypts the RC4-encrypted Cobalt Strike Beacon payload from the rc4.log file using the key qwxsfvdtv…” / “...Base64-encoded and RC4-encrypted… using… CiscoCollabHost.exe as the RC4 key…” / “...payload which is XOR encoded with the key mysecretkey.”
Discovery
1 technique
sysinfo: Retrieve the following information about the victim’s machine: OS, CPU architecture, number of CPU cores, hostname
Command and Control
8 techniques
GOVERSHELL Variant 4 (WebSocket)... The malware connects to the C2 over WebSocket and communicates with the C2 using JSON encoded data...
Variant 3... The malware polls the C2 over HTTPS... Variant 5... HTTPS GET, B64 encoded, Jitter, Sleep.
“...communicates with… C2 IP address 166.88.61[.]35 over… 443.” / “...web socket to… 82.118.16[.]72…” / “...reverse shell… 45.141.139[.]222…”
The attackers impersonated fictitious investment firms and sent malicious ZIP files containing vulnerable executables and DLLs, resulting in the delivery of backdoors such as HealthKick or a simple raw TCP reverse shell. The malware communicated with C2 servers over TCP port 465 using FakeTLS and XOR encryption.
...provided operators with the ability to remotely execute commands on infected devices.
“...create a web socket to… 82.118.16[.]72 over TCP port 465.” / “...reverse shell… 45.141.139[.]222 again over TCP port 465”
“HealthKick employs a FakeTLS protocol and expects a response… starting with… TLSv1.2… This… followed by a payload which is XOR encoded…”
IOCs tracked for this family
29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A named malware/tool delivered in phishing activity by a separate China-aligned group, though the article does not provide technical functionality details.
Custom backdoor delivered via phishing lures disguised as research reports or attachments. It was used against Uyghur and Tibetan targets and described as an early GOVERSHELL variant.
A developing backdoor delivered via spear-phishing emails that link to ZIP/RAR archives; it has multiple variants and is used to establish access on victim systems.
C++ malware family assessed as the predecessor to GOVERSHELL; supports remote command execution (cmd.exe) and is referenced as an early/related variant in the same campaign lineage.