GotoHTTP
GotoHTTP is a cross-platform remote access tool and remote monitoring and management (RMM) utility that has been used to provide persistent remote control of compromised systems. Reported capabilities include establishing persistence, file transfer, and screen viewing. It has been observed in intrusions against Windows IIS servers and in post-ransomware activity; one report described it as using a browser-to-client architecture over the common ports 80/443 via the GotoHTTP platform.
High-confidence reporting links GotoHTTP to multiple intrusion sets and campaigns. SentinelLABS reported its use by the DragonSpark cluster, assessed with high confidence to be operated by a Chinese-speaking threat actor, alongside tools such as SparkRAT, SharpToken, and BadPotato following compromises of Internet-exposed web servers and MySQL servers. Cisco Talos reported UAT-8099 deploying GotoHTTP on vulnerable Microsoft IIS servers across Asia, especially in Thailand and Vietnam, after gaining web-shell access and executing PowerShell. Talos also described a VBScript that downloaded GotoHTTP as xixixi.exe, ran it hidden, and exfiltrated the generated gotohttp.ini configuration file to C2 so that the actor could recover the connection ID and password. Elastic Security Labs and TAMUS likewise observed a Chinese-speaking actor cluster (REF3927) upload and execute the legitimate GotoHTTP RMM tool on compromised IIS/ASP.NET servers.
GotoHTTP has also been observed in ransomware-related incidents as a post-compromise persistence mechanism. Multiple reports on Reynolds ransomware state that investigators found GotoHTTP on victim machines after encryption, in some cases the day after ransomware deployment, suggesting the attackers intended to maintain access before and/or after the ransomware event for further exploitation or negotiation. GotoHTTP artifacts were also noted in coverage of a Black Basta-linked ransomware incident that used a BYOVD (bring-your-own-vulnerable-driver) technique.
Infection and deployment vectors observed in public reporting include exploitation of vulnerable or exposed IIS/ASP.NET servers, web-shell deployment, PowerShell-based download-and-execute chains, and VBScript-based installation. Known artifacts named in that reporting include the gotohttp.ini configuration file, exfiltration of that file to attacker infrastructure, and one observed dropped filename, xixixi.exe.
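The artifacts above (a script host launching a renamed binary, that binary writing gotohttp.ini, and outbound traffic on 80/443) can be correlated in endpoint telemetry. The following hunt script is an added example written for this page; it is not code from Mallory or from any of the cited vendor reports. It assumes Sysmon-style event fields (EventID 1/11/3, ProcessGuid, Image, ParentImage, TargetFilename, DestinationPort), assumes wscript.exe, cscript.exe, powershell.exe and pwsh.exe as the script hosts behind the VBScript/PowerShell chains described, and uses scoring weights chosen for illustration. The sample events are constructed, not captured from an incident.

```python
"""
Hunt for GotoHTTP deployment chains in Sysmon-style process/file/network events.

Added example (not from the page or any vendor report). It correlates three
observations from the reporting: a script host launching an executable, that
executable writing gotohttp.ini, and the same process connecting outbound on
80/443. Event field names follow Sysmon conventions (assumption); sample events
at the bottom are constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Artifacts named in public reporting: the config file and one dropped filename.
CONFIG_FILE = "gotohttp.ini"
KNOWN_DROPPED_NAMES = {"xixixi.exe"}
# Assumption: script hosts that VBScript/PowerShell download-and-execute chains run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
RMM_PORTS = {80, 443}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (PureWindowsPath handles backslashes)."""
    return PureWindowsPath(path).name.lower()


def hunt_gotohttp(events):
    """Return {ProcessGuid: {"image", "score", "reasons"}} for processes worth triage."""
    procs = {}                       # guid -> process-create (EventID 1) event
    ini_writers = defaultdict(list)  # guid -> gotohttp.ini paths written (EventID 11)
    net_ports = defaultdict(set)     # guid -> outbound destination ports (EventID 3)
    for ev in events:
        eid, guid = ev.get("EventID"), ev.get("ProcessGuid")
        if eid == 1:
            procs[guid] = ev
        elif eid == 11 and _basename(ev.get("TargetFilename", "")) == CONFIG_FILE:
            ini_writers[guid].append(ev["TargetFilename"])
        elif eid == 3 and ev.get("Initiated", True):
            net_ports[guid].add(int(ev.get("DestinationPort", 0)))

    findings = {}
    for guid in set(procs) | set(ini_writers):
        proc = procs.get(guid, {})
        image = _basename(proc.get("Image", ""))
        parent = _basename(proc.get("ParentImage", ""))
        score, reasons = 0, []
        if guid in ini_writers:                       # strongest single signal
            score += 3
            reasons.append(f"wrote {CONFIG_FILE}: {ini_writers[guid]}")
        if image in KNOWN_DROPPED_NAMES:              # filename seen in reporting
            score += 3
            reasons.append(f"image name matches reported dropped file {image}")
        if parent in SCRIPT_HOSTS and (guid in ini_writers or image in KNOWN_DROPPED_NAMES):
            score += 2                                # VBScript/PowerShell launch chain
            reasons.append(f"launched by script host {parent}")
        hits = net_ports[guid] & RMM_PORTS
        if guid in ini_writers and hits:              # config written, then 80/443 out
            score += 2
            reasons.append(f"outbound on {sorted(hits)} after writing config")
        if score:
            findings[guid] = {"image": image or "<unknown>", "score": score, "reasons": reasons}
    return findings


# Constructed sample telemetry: one full chain (A), one benign process (B),
# one partial match (C) that only writes the config file.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\Temp\xixixi.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": r"C:\Windows\Temp\gotohttp.ini"},
    {"EventID": 3, "ProcessGuid": "{A}", "DestinationPort": 443, "Initiated": True},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Program Files\Editor\editor.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessGuid": "{B}", "TargetFilename": r"C:\Users\a\notes.ini"},
    {"EventID": 3, "ProcessGuid": "{B}", "DestinationPort": 443, "Initiated": True},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Users\a\Downloads\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessGuid": "{C}", "TargetFilename": r"C:\ProgramData\gotohttp.ini"},
]

if __name__ == "__main__":
    for guid, f in sorted(hunt_gotohttp(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        print(guid, f["image"], f["score"], "; ".join(f["reasons"]))
```

Process C shows why the file artifact alone is only a lead: a legitimately installed GotoHTTP client also writes gotohttp.ini, so the script-host parent and the config-then-network sequence are what lift a finding to the top of the triage queue.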
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic: Persistence (1 technique), Privilege Escalation (1 technique), Collection (1 technique).
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family as well as other indicator types observed in public reporting. Full values are available in Mallory.
Recent activity
14 sources tracked across advisories, community write-ups, and news. Summaries from recent reporting:
- Remote access tool observed post-compromise, likely used to maintain access before/after ransomware deployment.
- Remote access tool deployed post-encryption in some Reynolds incidents to maintain persistence and enable follow-on activity (e.g., further exploitation, negotiation, potential data access/exfiltration).
- Remote access tool used to maintain persistent access on compromised hosts following ransomware deployment.
- Remote access tool executed via PowerShell on compromised IIS servers to provide persistence and enable follow-on payload delivery.