GoLoader
GoLoader is a Go-based malware loader and loader-as-a-service framework documented in multiple distinct contexts. Cisco Talos described a Golang loader, referred to as GOLoader, in a phishing campaign targeting Russian-speaking users. In that activity, malicious HTML/JavaScript led to an archive that launched GOLoader, which modified Microsoft Defender Antivirus settings by adding exclusions for C:\ and C:\Users\$user\Desktop, then downloaded Dark Crystal RAT (DCRAT) from a hardcoded remote URL; one such URL pointed to a GitHub repository path that was already inaccessible during analysis. That campaign used attacker-controlled .ru infrastructure and VK-themed lures.
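The Defender exclusions described above (a whole drive root plus a user's Desktop) leave a clear trace in Microsoft Defender Antivirus configuration-change events. The following added example is not from Talos or from Mallory; it is a small hunting check written for this write-up. It assumes the Event ID 5007 message layout ("New value: HKLM\...\Exclusions\Paths\<path> = 0x0") and uses constructed sample lines, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines modelled on Microsoft Defender Antivirus Event ID 5007
# ("Configuration has changed"); each added path exclusion appears as a
# registry-style path under Exclusions\Paths with value 0x0. Not real telemetry.
SAMPLE_EVENTS = [
    r"Microsoft Defender Antivirus Configuration has changed. "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\Desktop = 0x0",
    r"Microsoft Defender Antivirus Configuration has changed. "
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\app = 0x0",
    # An "Old value" line records a removed/previous exclusion, not a new one.
    r"Microsoft Defender Antivirus Configuration has changed. "
    r"Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
]

# Only newly added path exclusions are of interest for this check.
EXCLUSION_RE = re.compile(
    r"New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
    r"(?P<path>.+?) = 0x0",
    re.IGNORECASE,
)
# A bare drive root ("C:" or "C:\") disables scanning for the entire volume.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
# The per-user Desktop folder is where the campaign dropped its payloads.
USER_DESKTOP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Desktop\\?$", re.IGNORECASE)


def added_exclusion(event: str) -> Optional[str]:
    """Return the excluded path if the event records a new path exclusion."""
    m = EXCLUSION_RE.search(event)
    return m.group("path") if m else None


def classify(path: str) -> str:
    """Rate how much coverage the exclusion removes (hypothetical severity labels)."""
    if DRIVE_ROOT_RE.match(path):
        return "critical"   # whole-volume blind spot, as in the GOLoader chain
    if USER_DESKTOP_RE.match(path):
        return "high"       # user-writable staging folder excluded from scanning
    return "review"         # narrow exclusion; confirm against change tickets


def hunt(events: List[str]) -> List[Tuple[str, str]]:
    """Return (path, severity) for every newly added path exclusion."""
    findings = []
    for ev in events:
        path = added_exclusion(ev)
        if path:
            findings.append((path, classify(path)))
    return findings
```

Running `hunt(SAMPLE_EVENTS)` flags the drive-root and Desktop exclusions while leaving the narrow vendor path for routine review.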
Separate reporting from Breakglass Intelligence described GoLoader as a Go-based loader-as-a-service framework active for over two years and used to deliver at least seven malware families: Vidar, StealC, SmokeLoader, Rhadamanthys, LummaStealer, RemcosRAT, and ValleyRAT. The framework primarily abuses DLL sideloading with signed VMware vmtoolsd.exe and, in a shorter campaign, Microsoft Edge binaries via msedge_elf.dll. Its architecture consists of a Stage 1 loader that decrypts or retrieves payloads and a Stage 2 reflective PE loader that loads payloads in memory. Researchers identified more than 126 samples across versions v0, v1, and v2, and documented a custom three-layer encryption scheme composed of data interleaving, an arithmetic transform, and a Fibonacci-like keystream XOR. Social-engineering lures included Roblox cheats, software cracks, TON crypto wallets, Recuva, PuTTY, Instagram bots, and a fake "source code of carbanak backdoor discovered.exe" sample aimed at researchers. Reported infrastructure included 95.85.239.146 as Vidar C2 or staging, 80.97.160.190 as a StealC C2 panel, 217.156.66.135 as an offline StealC C2, historical staging at 192.121.16.228:22 with hardcoded credentials root / XNSK6Vz5w4bF, and zodiacrealm[.]info for IP validation. Detection-relevant details included vmtoolsd.exe SHA256 2803b74d5466845e4dc9063bd516f3679aa2a3f70a30d9e93976c212e87f6e87, EXE import hash f0ea7b7844bbc5bfa9bb32efdcea957c, DLL import hash 7ecc3b9e18c31c23f5275a91f6c533d1, and the fact that malicious intl.dll samples exported 36 functions while using the internal export name Crypt.dll.
Breakglass Intelligence also reported publicly exposed unauthenticated GoLoader builder panels at 121.127.246.86:8081 and 118.107.6.148:8081. Those panels, identified as version v2.1 - 2026/01/12 07:22, exposed full API access over HTTP, showed 71 active malware-generation tasks, and had produced 468,349 unique polymorphic Windows malware samples. The exposed API returned Alibaba Cloud OSS credentials for the publicly listable jpginfo bucket in Hong Kong, used via oss-cn-hongkong.aliyuncs.com and custom domain c.fi3.me. The bucket hosted steganographic carriers, LNK droppers, VBS scripts, .NET loader components, and RAT payloads. Researchers reconstructed a chain from malicious LNK files to polymorphic VBS droppers, steganographic PNG/JPEG carriers, a .NET loader called Fiber, and final-stage njRAT injected into RegAsm.exe via process hollowing. The operation used Simplified Chinese cryptocurrency-themed lures and was assessed with moderate confidence as operated by a Chinese-speaking actor using the handle "laohe."
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (4 techniques)
  Register a scheduled task with a randomized name for persistence ... The scheduled task name used for persistence.
  The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” file and executes it using the Invoke-Expression PowerShell command.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (2 techniques)
Credential Access (1 technique)
Discovery (1 technique)
Command and Control (3 techniques)
  HTTP-based payload delivery from OSS bucket ... The PowerShell instance downloads 444444.png from the OSS bucket (via c[.]fi3[.]me or the direct OSS endpoint).
IOCs tracked for this family
30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news; each characterizes the family as follows.
A Go-based builder/panel used to generate large volumes of polymorphic malware payloads, especially VBS droppers and EXE payloads. In this campaign it produced hundreds of thousands of unique samples and supported delivery of later-stage malware via steganographic carriers and cloud-hosted payloads.
A loader-as-a-service framework written in Go that uses fake Raft struct definitions with no implementation and delivers commodity stealers via DLL sideloading.
An intermediate Go-compiled loader in the infection chain that also performs browser credential harvesting, cryptocurrency wallet discovery, and process enumeration before deploying the Remus plugin.
Go-based loader-as-a-service framework that uses DLL sideloading and reflective PE loading to decrypt and deliver multiple malware families in memory. It evolved through multiple versions with custom encryption, obfuscation, and PE-loading capabilities.