MalwareUsed by 2 actors

Goldbackdoor

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

APT37

Stairwell found a new malware sample named “Goldbackdoor,” which was assessed as a successor of “Bluelight.”

via bleeping computerbleepingcomputer.com

RedEyes

For example, the threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin,' deployed a custom RAT (remote access trojan) called 'Konni,' and targeted U.S. journalists with a highly-customizable malware named 'Goldbackdoor.'

via bleeping computerbleepingcomputer.com

MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1133External Remote ServicesEvidence1

The second script downloads and executes a shellcode payload stored on Microsoft OneDrive, a legitimate cloud-based file hosting service... The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.

T1566PhishingEvidence1

The malware is distributed through a phishing attack... The phishing emails originated from the account of the former director of South Korea’s National Intelligence Service (NIS), who APT37 previously compromised.

Execution

4 techniques

T1059Command and Scripting InterpreterEvidence1

Upon execution, a PowerShell script launches... The second script downloads and executes a shellcode payload stored on Microsoft OneDrive

T1059.001PowerShellEvidence1

Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.

T1204User ExecutionEvidence1

Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.

T1204.002Malicious FileEvidence1

The emails sent to the journalists contained a link to download ZIP archives that had LNK files... The LNK file (Windows shortcut) is masqueraded with a document icon... Upon execution, a PowerShell script launches

Persistence

1 technique

T1133External Remote ServicesEvidence1

Privilege Escalation

1 technique

T1055Process InjectionEvidence1

This payload is called “Fantasy,” and according to Stairwell, it’s the first of the two deploying mechanisms of Goldbackdoor, both relying on stealthy process injection.

Stealth

3 techniques

T1036MasqueradingEvidence1

The LNK file (Windows shortcut) is masqueraded with a document icon and uses padding to artificially increase its size to 282.7 MB

T1036.005Match Legitimate Resource Name or LocationEvidence1

Upon execution, a PowerShell script launches and opens a decoy document (doc) for distraction while decoding a second script in the background.

T1055Process InjectionEvidence1

This payload is called “Fantasy,” and according to Stairwell, it’s the first of the two deploying mechanisms of Goldbackdoor, both relying on stealthy process injection.

Credential Access

1 technique

T1056.001KeyloggingEvidence1

These commands are related to keylogging, file operations, basic RCE, and the ability to uninstall itself.

Discovery

1 technique

T1083File and Directory DiscoveryEvidence1

The files targeted by Goldbackdoor are mainly documents and media, like PDF, DOCX, MP3, TXT, M4A, JPC, XLS, PPT, BIN, 3GP, and MSG.

Collection

1 technique

T1056.001KeyloggingEvidence1

These commands are related to keylogging, file operations, basic RCE, and the ability to uninstall itself.

Exfiltration

1 technique

T1567.002Exfiltration to Cloud StorageEvidence1

The malware utilizes legitimate cloud services for the exfiltration of files, with Stairwell noticing the abuse of both Google Drive and Microsoft OneDrive.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

bleeping computerNews

Feb 14, 2023

RedEyes hackers use new malware to steal data from Windows, phones

A highly customizable backdoor malware used by APT37 to target U.S. journalists.

sekoia blogNews

Dec 16, 2022

The DPRK delicate sound of cyber - Sekoia.io Blog

Backdoor used in targeted surveillance operations by DPRK-linked actors.

bleeping computerNews

Apr 25, 2022

North Korean hackers targeting journalists with novel malware

A backdoor used in a highly targeted APT37 phishing campaign against journalists. It is executed as a PE file, accepts remote commands, performs keylogging, file operations, basic remote code execution, can uninstall itself, and exfiltrates data via legitimate cloud services including Google Drive and Microsoft OneDrive.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping12

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.