Goldbackdoor
Groups observed using it
2 distinct threat actors attributed by public researchers.
Stairwell found a new malware sample named “Goldbackdoor,” which was assessed as a successor of “Bluelight.”
For example, the threat actors targeted EU-based organizations with a new version of their backdoor named 'Dolphin,' deployed a custom RAT (remote access trojan) called 'Konni,' and targeted U.S. journalists with a highly customizable malware named 'Goldbackdoor.'
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The second script downloads and executes a shellcode payload stored on Microsoft OneDrive, a legitimate cloud-based file hosting service... The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.
The malware is distributed through a phishing attack... The phishing emails originated from the account of the former director of South Korea’s National Intelligence Service (NIS), whose account APT37 had previously compromised.
Execution
4 techniques
Upon execution, a PowerShell script launches... The second script downloads and executes a shellcode payload stored on Microsoft OneDrive
Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.
The emails sent to the journalists contained a link to download ZIP archives that had LNK files... The LNK file (Windows shortcut) is masqueraded with a document icon... Upon execution, a PowerShell script launches
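The Initial Access and Execution entries above describe one chain: a user opens an LNK from a phishing ZIP, Explorer spawns PowerShell with a hidden window, PowerShell opens a decoy document and fetches the next stage from Microsoft OneDrive. The detection below is an added example (not code from Stairwell, Mallory or any vendor) that scores that chain over constructed Sysmon-style events; the file paths, PIDs, host list and the "three indicators" threshold are assumptions, and PID reuse within the window is not handled.

```python
"""Added example: score PowerShell processes on the LNK-phish chain described above.
Events are constructed Sysmon-style JSON lines: EventID 1 = process create,
EventID 22 = DNS query. Paths, PIDs and hostnames are made up for the example."""
import json

CLOUD_HOSTS = ("onedrive.live.com", "1drv.ms", "graph.microsoft.com",
               "drive.google.com", "www.googleapis.com")          # assumed watchlist
DOC_VIEWERS = ("winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "hwp.exe")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                   "-ep bypass", "-nop")
MIN_INDICATORS = 3   # assumption: explorer parent + hidden flags alone is too noisy

# Constructed log: one LNK-launched chain (pid 4120) and one admin script (pid 5210).
LOG = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -ep bypass -enc <stage2-base64>","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessId":3020}
{"EventID":1,"ProcessId":4188,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"\"WINWORD.EXE\" /n \"C:\\Users\\kim\\AppData\\Local\\Temp\\Interview_Questions.docx\"","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessId":4120}
{"EventID":22,"ProcessId":4120,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","QueryName":"onedrive.live.com"}
{"EventID":1,"ProcessId":5210,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\ops\\backup.ps1","ParentImage":"C:\\Windows\\explorer.exe","ParentProcessId":3020}
"""


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return alerts for PowerShell processes that accumulate enough chain indicators:
    Explorer as parent (a double-clicked LNK), hidden/encoded launch flags, a document
    viewer spawned as a decoy, and a DNS lookup of a cloud-storage host."""
    ps = {}  # PowerShell pid -> {"cmd": ..., "indicators": [...]}
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) == "powershell.exe":
            ind = []
            if basename(ev["ParentImage"]) == "explorer.exe":
                ind.append("spawned by explorer.exe (user opened a file)")
            hits = [a for a in SUSPICIOUS_ARGS if a in ev["CommandLine"].lower()]
            if hits:
                ind.append("hidden/encoded launch flags: " + ", ".join(hits))
            ps[ev["ProcessId"]] = {"cmd": ev["CommandLine"], "indicators": ind}
    # Second pass so children and DNS events can be matched regardless of log order.
    for ev in events:
        if (ev["EventID"] == 1 and ev.get("ParentProcessId") in ps
                and basename(ev["Image"]) in DOC_VIEWERS):
            ps[ev["ParentProcessId"]]["indicators"].append(
                "opened decoy document via " + basename(ev["Image"]))
        if (ev["EventID"] == 22 and ev["ProcessId"] in ps
                and ev["QueryName"].lower().endswith(CLOUD_HOSTS)):
            ps[ev["ProcessId"]]["indicators"].append(
                "resolved cloud storage host " + ev["QueryName"])
    return [{"pid": pid, **info} for pid, info in ps.items()
            if len(info["indicators"]) >= MIN_INDICATORS]


if __name__ == "__main__":
    for alert in detect(parse_log(LOG)):
        print(f"ALERT pid={alert['pid']} cmd={alert['cmd']}")
        for i in alert["indicators"]:
            print("   -", i)
```

The admin's `-File backup.ps1` launch collects only the Explorer-parent indicator and stays quiet; the phishing chain collects all four. In a real SIEM the same logic is a correlation over ProcessGuid rather than ProcessId, and the cloud host list should be the tenant's own allowed storage domains rather than a fixed tuple.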
Persistence
1 technique
The second script downloads and executes a shellcode payload stored on Microsoft OneDrive, a legitimate cloud-based file hosting service... The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.
Privilege Escalation
1 technique
Stealth
3 techniques
The LNK file (Windows shortcut) is masqueraded with a document icon and uses padding to artificially increase its size to 282.7 MB
Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.
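The padding and document-icon tricks above are cheap to check for before a shortcut is ever double-clicked. The triage script below is an added example (not Stairwell's or Mallory's code) that walks the MS-SHLLINK header and StringData of each .lnk inside a ZIP, pulls the launch arguments, icon location and ShowCommand, and flags oversized files whose tail is one repeated byte. The two archive members are constructed; the 1 MiB size threshold, 90% padding ratio, icon hints and file names are assumptions.

```python
"""Added example: triage .lnk members of a phishing ZIP for the tricks described above
(document icon, hidden window, PowerShell launch, padding to inflate size).
Minimal ShellLink parsing per MS-SHLLINK; both sample shortcuts are constructed."""
import io
import os
import struct
import zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00"                                   # HeaderSize == 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")     # {00021401-...-46}
SIZE_ALERT = 1024 * 1024       # assumption: real shortcuts are a few KB, >1 MiB is padding
PAD_RATIO_ALERT = 0.90         # assumption: >=90% of the bytes are one repeated tail byte
SW_SHOWMINNOACTIVE = 7         # ShowCommand that keeps the launched window out of sight
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".hwp"}
DOC_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord32", "wordpad")  # assumed list


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, return ShowCommand and StringData."""
    if len(data) < 0x4C or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        return {}
    flags = struct.unpack_from("<I", data, 0x14)[0]                # LinkFlags
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & 0x01:                                                # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                                # HasLinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & 0x80)                                    # IsUnicode
    for bit, field in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                       (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            pos += len(raw)
            info[field] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return info


def trailing_pad(data: bytes) -> int:
    """Length of the run of identical bytes at the end of the file."""
    return len(data) - len(data.rstrip(data[-1:])) if data else 0


def triage(name: str, data: bytes) -> dict:
    findings, info = [], parse_lnk(data)
    if not info:
        findings.append("no ShellLink header")
    stem, ext = os.path.splitext(name)
    if ext.lower() == ".lnk" and os.path.splitext(stem)[1].lower() in DOC_EXTS:
        findings.append("double extension hides .lnk behind a document name")
    if len(data) >= SIZE_ALERT:
        findings.append(f"oversized shortcut: {len(data) / 1048576:.1f} MiB")
    pad = trailing_pad(data)
    if data and pad / len(data) >= PAD_RATIO_ALERT:
        findings.append(f"trailing padding is {pad / len(data):.0%} of file (byte 0x{data[-1]:02x})")
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (launched window hidden)")
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if "powershell" in launch or "-enc" in launch or "-w hidden" in launch:
        findings.append("shortcut launches PowerShell")
    icon = info.get("icon_location", "").lower()
    if any(h in icon for h in DOC_ICON_HINTS) or os.path.splitext(icon)[1] in DOC_EXTS:
        findings.append("IconLocation borrows a document/Office icon")
    return {"name": name, "size": len(data), "findings": findings, "suspicious": bool(findings)}


def build_lnk(relative_path=None, arguments=None, icon=None, show=1, pad=b"") -> bytes:
    """Constructed sample only: a ShellLink with StringData and no IDList/LinkInfo."""
    flags, body = 0x80, bytearray()                                 # IsUnicode
    for bit, value in ((0x08, relative_path), (0x20, arguments), (0x40, icon)):
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    hdr = bytearray(0x4C)
    hdr[0:4], hdr[4:20] = LNK_MAGIC, LNK_CLSID
    struct.pack_into("<I", hdr, 0x14, flags)
    struct.pack_into("<I", hdr, 0x3C, show)
    return bytes(hdr + body) + pad


# Constructed archive: a padded, hidden PowerShell launcher dressed as a report,
# plus a plain Notepad shortcut as a control. Names and paths are made up.
PS = "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLES = {
    "Interview_Questions.docx.lnk": build_lnk(
        relative_path=PS, show=SW_SHOWMINNOACTIVE,
        arguments="-w hidden -ep bypass -enc <stage2-base64>",
        icon="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        pad=b"\x00" * (3 * 1024 * 1024)),
    "Notepad.lnk": build_lnk(relative_path="..\\..\\Windows\\System32\\notepad.exe"),
}


def demo_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_zip(zip_bytes: bytes) -> list:
    """Triage every .lnk member without extracting the archive to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [triage(n, zf.read(n)) for n in zf.namelist() if n.lower().endswith(".lnk")]


if __name__ == "__main__":
    for r in scan_zip(demo_archive()):
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + r["name"], r["findings"])
```

Zero padding compresses to almost nothing, so the ZIP stays small while the member inflates to hundreds of megabytes on disk; that is exactly why the size check has to run on the decompressed member, and why a gateway that skips "too large" files is the wrong place to rely on.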
Credential Access
1 technique
Discovery
1 technique
The files targeted by Goldbackdoor are mainly documents and media, like PDF, DOCX, MP3, TXT, M4A, JPC, XLS, PPT, BIN, 3GP, and MSG.
Collection
1 technique
Exfiltration
1 technique
The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A highly customizable backdoor malware used by APT37 to target U.S. journalists.
Backdoor used in targeted surveillance operations by DPRK-linked actors.
A backdoor used in a highly targeted APT37 phishing campaign against journalists. It is executed as a PE file, accepts remote commands, performs keylogging and file operations, offers basic remote code execution, can uninstall itself, and exfiltrates data via legitimate cloud services including Google Drive and Microsoft OneDrive.