Malware

GoFlateLoader

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Privilege Escalation

1 technique

T1055Process InjectionEvidence1

Allocate an RWX memory region using VirtualAlloc with MEM_COMMIT | MEM_RESERVE and PAGE_EXECUTE_READWRITE flags... Map the decoded payload into the allocated memory region... Transfer execution to the final payload using Go’s syscall.Syscall.

Stealth

4 techniques

T1036MasqueradingEvidence1

As for how GoFlateLoader binaries are distributed, we have observed at least two notable delivery paths. The first is through supposedly cracked software.

T1055Process InjectionEvidence1

T1140Deobfuscate/Decode Files or InformationEvidence1

Decode the payload using a small, multi-stage, custom byte-level transformation into a valid PE.

T1620Reflective Code LoadingEvidence1

This is essentially a textbook example of manual PE loading with the payload reconstructed and executed entirely in memory so that it never touches the disk.

Collection

1 technique

T1560.001Archive via UtilityEvidence1

The second involves the payload being served via the malicious TDS... which redirects users to a landing page that offers a downloadable archive and separately displays the password required to extract it... because the archive password is displayed separately on the landing page, it makes it harder for AV and EDR solutions to obtain it and decrypt the archive.

INDICATORS OF COMPROMISE

IOCs tracked for this family

11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Hashes

11 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

hash.sha256●●●●●●●●●●●●View more in apptoday

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

gendigitalNews

Jun 10, 2026

Gen Blogs | GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers

A Go-based in-memory PE loader that decodes an embedded payload, manually maps it into RWX memory, resolves imports and relocations, and transfers execution to the payload. Its main evasion feature is a massive appended PE overlay that inflates file size to hinder scanning and sandbox submission.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching11

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.