GotoHTTP
GotoHTTP is a cross-platform remote access and remote monitoring/management (RMM) tool used by threat actors to obtain persistent remote control of compromised systems. Reported capabilities include establishing persistence, file transfer, and screen viewing, and it is described as using a browser-to-client architecture over common ports 80/443. In the provided reporting, GotoHTTP was repeatedly deployed post-compromise via web shells, PowerShell, and VBScript.

Cisco Talos reported UAT-8099 using web shells and PowerShell on vulnerable Microsoft IIS servers across Asia, especially in Thailand and Vietnam, to download and execute GotoHTTP, save it as "xixixi.exe," and exfiltrate the generated "gotohttp.ini" configuration file to a C2 server so the actor could recover the connection ID and password needed to control the infected server. Talos also noted GotoHTTP was used for persistence and to support delivery of updated BadIIS malware variants in an SEO-fraud campaign overlapping with WEBJACK.

Elastic and TAMUS separately observed a Chinese-speaking intrusion cluster tracked as REF3927 upload and execute the legitimate GotoHTTP RMM tool on compromised Windows IIS/ASP.NET servers to maintain access after ViewState-based exploitation. SentinelLABS also reported DragonSpark, assessed as a Chinese-speaking actor targeting organizations in East Asia, using GotoHTTP alongside other Chinese-developed tooling.

In ransomware-related reporting, investigators found GotoHTTP on victim machines the day after Reynolds ransomware deployment, and multiple reports state attackers deployed it after encryption to maintain persistent access for further exploitation or negotiation.

High-confidence artifacts directly mentioned include the filename "xixixi.exe" and the configuration file "gotohttp.ini".
Groups observed using it
2 distinct threat actors attributed by public researchers.
GotoHTTP: a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen viewing.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Collection: 1 technique
Command and Control: 1 technique: “deployment of malware and tools hosted at attacker-controlled infrastructure.” / staging URLs for py.exe, m6699.exe, c.exe, go.exe
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Remote access tool observed post-compromise, likely used to maintain access before/after ransomware deployment.
Remote access tool deployed post-encryption in some Reynolds incidents to maintain persistence and enable follow-on activity (e.g., further exploitation, negotiation, potential data access/exfiltration).
Remote access tool used to maintain persistent access on compromised hosts following ransomware deployment.
Remote access tool executed via PowerShell on compromised IIS servers to provide persistence and enable follow-on payload delivery.