HealthKick
HealthKick is a custom Windows backdoor family first observed in April 2025 and associated with China-aligned spear-phishing activity. Reporting links it to the threat clusters UNK_DropPitch and UTA0388, and Volexity characterizes it as an early C++ variant and predecessor of the GOVERSHELL malware family. Proofpoint tracks the malware as HealthKick, while Volexity tracks the same or related malware as an early GOVERSHELL variant.
Observed delivery relied on spear-phishing emails, including campaigns impersonating fictitious investment firms and other tailored personas. Victims were directed to malicious ZIP or RAR archives containing a legitimate executable and a malicious DLL; execution of the executable triggered DLL sideloading/search-order hijacking to load the backdoor. Campaigns targeted organizations and individuals in North America, Asia, and Europe, including large investment banks and financial analysts focused on Taiwan’s semiconductor and technology sectors. Citizen Lab also reported HealthKick delivery against civil society and journalist-related targets in activity aligned with broader China-linked targeting.
HealthKick is described as capable of executing commands, capturing command output, and exfiltrating results to a command-and-control server. The earliest variant could run commands via cmd.exe. Proofpoint reported persistence via a scheduled task named SystemHealthMonitor configured to run every five minutes. Network communications included a WebSocket connection to 82.118.16[.]72 over TCP port 465 using a FakeTLS protocol; payloads were XOR-encoded with the key "mysecretkey". Related reporting also describes fake TLS over TCP 465 for this malware family. The high-confidence infrastructure and behavioral details stated directly in the source reporting are the C2 IP 82.118.16[.]72, TCP port 465, the scheduled task name SystemHealthMonitor, and DLL sideloading/search-order hijacking for execution.
Aliases and naming overlap in the source material indicate that HealthKick is also referred to as an early GOVERSHELL variant, but HealthKick is the commonly used name for the specific backdoor described in the phishing campaigns.
Groups observed using it
4 distinct threat actors attributed by public researchers.
GOVERSHELL: All implants were DLL files that were loaded via search order hijacking from the legitimate version of either the 32- or 64-bit version of an open-source project. ... GOVERSHELL is a stealthy Windows implant that communicates over HTTPS with a remote command and control server.
Volexity tracks the deployed payload as GOVERSHELL and has observed five distinct variants of this malware family.
If the downloaded file was opened and executed, the user’s device would be infected with a custom backdoor. The backdoor is tracked by the security vendor Proofpoint as “HealthKick,” and by the security vendor Volexity as an early variant of “GOVERSHELL.”
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
"exploiting two then-zero-day security flaws in Cisco ISE and Citrix NetScaler"; "WSUS... RCE"; "Cisco IOS XE... CVE-2023-20198"; "SharePoint ToolShell"; "VMware Tools... exploited as a zero-day"
The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society...
Chinese state-aligned hackers have ramped up espionage efforts against Taiwan's semiconductor ecosystem through spear-phishing campaigns... UNK_FistBump used job-themed lures, posing as graduate students applying for positions. The attackers sent phishing emails from compromised Taiwanese university email accounts to HR and recruiting teams at semiconductor companies. Attached documents led to malware-laced ZIP or PDF files hosted on file-sharing platforms such as Zendesk and Filemail.
Silent Chollima primary and sole method for targeting organizations is by conducting spear phishing campaigns. Between June and August 2025, Silent Chollima sent phishing emails containing HTML that included an image to make it appear a document was attached to the email. If the image were clicked, it led to the download of a remotely hosted archive file.
Execution
6 techniques
Each variant of GOVERSHELL sets up persistence via a scheduled task on its first execution... This function creates a hidden scheduled task named "SystemHealthMonitor" using schtasks.exe... every 5 minutes at highest privileges.
PowerShell commands are properly escaped and run silently using powershell.exe -NoProfile -NonInteractive -Command, with full stdout/stderr capture.
When a command is received, it is first XOR decrypted, then checked for the "EP" prefix to determine if it should be executed via PowerShell or cmd.exe.
“Execution of the… LNK file… runs a VBS script… [and] opens a decoy document…” / “Upon execution… scheduled task… created…”
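As an added illustration (not code from the page or from any vendor), the following Python sketches a hunt for the behaviours reported above: the SystemHealthMonitor scheduled task, the silent powershell.exe invocation from the Execution section, and the outbound connection to 82.118.16[.]72 on TCP 465. The simplified key=value telemetry format, the sample events and the parent-process correlation are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicators taken from the reporting on this page (C2 IP refanged for matching).
TASK_NAME = "SystemHealthMonitor"
C2_IP = "82.118.16.72"
C2_PORT = "465"
PS_SILENT_FLAGS = ("-noprofile", "-noninteractive", "-command")

# Constructed sample telemetry in a simplified key=value form; not real logs.
SAMPLE_EVENTS = [
    'type=process image=C:\\Windows\\System32\\schtasks.exe parent=C:\\Users\\a\\Downloads\\host.exe '
    'cmd="schtasks /create /tn SystemHealthMonitor /sc minute /mo 5 /rl highest /tr C:\\Users\\a\\Downloads\\host.exe /f"',
    'type=process image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe parent=C:\\Users\\a\\Downloads\\host.exe '
    'cmd="powershell.exe -NoProfile -NonInteractive -Command whoami"',
    'type=network image=C:\\Users\\a\\Downloads\\host.exe dst=82.118.16.72 dport=465',
    'type=process image=C:\\Windows\\System32\\schtasks.exe parent=C:\\Windows\\explorer.exe '
    'cmd="schtasks /query /tn Defrag"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def hunt(lines: List[str]) -> List[str]:
    """Return alert strings for events matching the HealthKick tradecraft on this page."""
    events = [parse_event(line) for line in lines]
    alerts, suspects = [], set()
    # Pass 1: schtasks.exe creating the SystemHealthMonitor task; remember who planted it.
    for ev in events:
        cmd = ev.get("cmd", "").lower()
        if ev.get("type") == "process" and ev.get("image", "").lower().endswith("schtasks.exe") \
                and "/create" in cmd and TASK_NAME.lower() in cmd:
            suspects.add(ev.get("parent", "").lower())
            alerts.append(f"persistence: task {TASK_NAME} created by {ev.get('parent')}")
    # Pass 2: silent PowerShell from the planting process (assumed correlation) and C2 traffic.
    for ev in events:
        img, cmd = ev.get("image", "").lower(), ev.get("cmd", "").lower()
        if ev.get("type") == "process" and img.endswith("powershell.exe") \
                and all(f in cmd for f in PS_SILENT_FLAGS) and ev.get("parent", "").lower() in suspects:
            alerts.append(f"execution: silent PowerShell spawned by {ev.get('parent')}")
        if ev.get("type") == "network" and ev.get("dst") == C2_IP and ev.get("dport") == C2_PORT:
            alerts.append(f"c2: {ev.get('image')} connected to {C2_IP}:{C2_PORT}")
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```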
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
All network traffic, including check ins, task retrieval, and results, is protected using XOR encryption (key: 11) combined with Base64 encoding before transmission.
“...decrypts the RC4-encrypted Cobalt Strike Beacon payload from the rc4.log file using the key qwxsfvdtv…” / “...Base64-encoded and RC4-encrypted… using… CiscoCollabHost.exe as the RC4 key…” / “...payload which is XOR encoded with the key mysecretkey.”
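The two encodings the Stealth section attributes to this family (single-byte XOR key 11 with Base64, and XOR with "mysecretkey") can be undone on captured traffic for triage. This is an added example, not code from the page or any vendor; the framing of the captured blobs and the sample messages are constructed assumptions.

```python
import base64
import string

# Encodings reported on this page; the message framing around them is an assumption.
SINGLE_BYTE_KEY = 11
REPEATING_KEY = b"mysecretkey"
PRINTABLE = set(string.printable.encode())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; a one-byte key is the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_ratio(data: bytes) -> float:
    """Fraction of printable bytes, used as a cheap plausibility score."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def decode_candidates(blob: bytes) -> dict:
    """Try each reported scheme; return {name: (decoded, score)}."""
    out = {}
    try:
        raw = base64.b64decode(blob, validate=True)
        out["xor11+base64"] = xor_bytes(raw, bytes([SINGLE_BYTE_KEY]))
    except ValueError:  # not valid Base64, so the XOR-11 scheme does not apply
        pass
    out["xor_mysecretkey"] = xor_bytes(blob, REPEATING_KEY)
    return {name: (data, printable_ratio(data)) for name, data in out.items()}

def best_decoding(blob: bytes):
    """Pick the candidate whose output looks most like text."""
    name, (data, score) = max(decode_candidates(blob).items(), key=lambda kv: kv[1][1])
    return name, data, score

# Constructed sample traffic, encoded the way the page describes; not a real capture.
SAMPLE_B64 = base64.b64encode(xor_bytes(b'{"task":"whoami","result":"corp\\\\alice"}', bytes([11])))
SAMPLE_RAW = xor_bytes(b"EPGet-Process | Select Name", REPEATING_KEY)

if __name__ == "__main__":
    for blob in (SAMPLE_B64, SAMPLE_RAW):
        name, data, score = best_decoding(blob)
        print(f"{name} ({score:.2f}): {data!r}")
```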
Discovery
1 technique
Command and Control
10 techniques
GOVERSHELL Variant 4 (WebSocket)... The malware connects to the C2 over WebSocket and communicates with the C2 using JSON encoded data...
GOVERSHELL is a stealthy Windows implant that communicates over HTTPS with a remote command and control server.
“...communicates with… C2 IP address 166.88.61[.]35 over… 443.” / “...web socket to… 82.118.16[.]72…” / “...reverse shell… 45.141.139[.]222…”
The attackers impersonated fictitious investment firms and sent malicious ZIP files containing vulnerable executables and DLLs, resulting in the delivery of backdoors such as HealthKick or a simple raw TCP reverse shell. The malware communicated with C2 servers over TCP port 465 using FakeTLS and XOR encryption.
If the image were clicked, it led to the download of a remotely hosted archive file.
It uses XOR encryption combined with Base64 to protect all network traffic and payloads from casual inspection.
...provided operators with the ability to remotely execute commands on infected devices.
“...create a web socket to… 82.118.16[.]72 over TCP port 465.” / “...reverse shell… 45.141.139[.]222 again over TCP port 465”
IOCs tracked for this family
29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
A named malware/tool delivered in phishing activity by a separate China-aligned group, though the article does not provide technical functionality details.
Custom backdoor delivered via phishing lures disguised as research reports or attachments. It was used against Uyghur and Tibetan targets and described as an early GOVERSHELL variant.
Stealthy Windows implant/backdoor used by Silent Chollima. It is delivered as a DLL via search order hijacking, establishes persistence with a scheduled task, communicates with C2 over HTTPS, uses XOR plus Base64 to obfuscate traffic, executes arbitrary commands via cmd or PowerShell, and returns command output to the operator.
A developing backdoor delivered via spear-phishing emails that link to ZIP/RAR archives; it has multiple variants and is used to establish access on victim systems.