GoFlateLoader: A Widespread Golang Loader Delivering Multiple Infostealers

Gen Threat Labs tracked GoFlateLoader, a widespread Golang loader that uses inflated PE overlays and manual in-memory execution to deliver infostealers such as Amatera, Remus, Lumma, Vidar, StealC, and SvitStealer. Its operators distribute it through cracked software and a malicious TDS (traffic distribution system), while its oversized binaries appear designed to evade size-limited scanning and analysis systems.

Key points

  • Gen Threat Labs identified GoFlateLoader as a simple Golang loader used to decode and execute payloads entirely in memory.
  • The loader is delivered in both x86 and x86-64 variants, matched to the architecture of the payload it launches.
  • Its main evasion tactic is a massive PE overlay that inflates samples to roughly 700-950 MB.
  • GoFlateLoader lacks common anti-analysis features such as anti-debugging, anti-VM checks, sandbox evasion, API hashing, and CFG obfuscation.
  • The observed delivery paths include cracked software and a malicious TDS documented by Check Point Research.
  • The most common final payloads are information stealers, especially Amatera, Remus, and Lumma, with additional deliveries including Vidar, StealC, and SvitStealer.
  • Gen reports protecting more than 33,000 unique users since April, with notable impact in Brazil, India, Argentina, Mexico, Turkey, and Spain.

MITRE Techniques

  • [T1055] Process Injection – The loader reconstructs the payload in memory and transfers execution without writing it to disk (‘decode and execute the payload in memory’ and ‘reconstructed and executed entirely in memory’).
  • [T1106] Native API – It rebuilds the import table using standard Windows APIs such as LoadLibrary and GetProcAddress (‘Resolve imports by walking the standard IMAGE_IMPORT_DESCRIPTOR table and rebuild the IAT in place via LoadLibrary and GetProcAddress’).
  • [T1027] Obfuscated Files or Information – It hides the payload behind a custom encoded blob and added junk/decoy code (‘Decode the payload using a small, multi-stage, custom byte-level transformation’ and ‘junk/decoy code’).
  • [T1027.001] Binary Padding – It appends a massive PE overlay to inflate the file size and hinder analysis (‘it appends a massive PE overlay at the end of the file’ and ‘massive size (typically 700-950 MB)’).
  • [T1055.002] Portable Executable Injection – The loader manually maps a decoded PE into allocated memory (‘Map the decoded payload into the allocated memory region by copying the PE headers first, then walking the section table’).
  • [T1105] Ingress Tool Transfer – The payload is delivered via archives and cracked software download paths (‘supposedly cracked software’ and ‘password-protected archives containing GoFlateLoader’).
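The evasion described under Binary Padding above (and in the key points) rests on one measurable property: almost all of the file is overlay, bytes past the end of the last section that the Windows loader never maps. The following triage script is an added example written for this summary, not code from Gen Threat Labs or from the report; it walks the PE headers with only the standard library, computes the overlay size, and flags files whose overlay dominates or whose total size would exceed a scanner's cap. The 90% ratio and the 650 MB cap are assumptions chosen for illustration, and the sample PE it builds is a constructed, non-functional image used only to exercise the parser.

```python
import struct

# Tunable thresholds (assumptions for this example, not figures from the report).
OVERLAY_RATIO_ALERT = 0.90                 # flag when >= 90% of the file is overlay
SCANNER_SIZE_LIMIT = 650 * 1024 * 1024     # illustrative size cap of a scanning pipeline

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x86-64"}
OPTIONAL_HEADER_SIZE = {0x014C: 0xE0, 0x8664: 0xF0}   # PE32 vs PE32+


def parse_pe_layout(data: bytes) -> dict:
    """Walk the PE headers and compute where the last section's raw data ends.

    Anything past that offset is overlay: bytes the Windows loader never maps.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    section_table = pe_off + 4 + 20 + opt_size
    end_of_sections = 0
    for i in range(n_sections):
        hdr = section_table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:                                     # skip uninitialised (.bss-style) sections
            end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return {
        "arch": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "end_of_sections": end_of_sections,
        "file_size": len(data),
        "overlay_size": max(0, len(data) - end_of_sections),
    }


def triage(data: bytes, scan_limit: int = SCANNER_SIZE_LIMIT) -> dict:
    """Annotate the layout with the two signals the report describes: an
    overlay that dominates the file, and a total size above a scanner's cap."""
    info = parse_pe_layout(data)
    info["overlay_ratio"] = info["overlay_size"] / info["file_size"]
    info["inflated_overlay"] = info["overlay_ratio"] >= OVERLAY_RATIO_ALERT
    info["exceeds_scan_limit"] = info["file_size"] > scan_limit
    return info


def build_sample_pe(section: bytes, overlay: bytes, machine: int = 0x8664) -> bytes:
    """Constructed, non-functional PE image for testing the parser: DOS header,
    PE signature, file header, zeroed optional header, one section, then overlay."""
    opt_size = OPTIONAL_HEADER_SIZE[machine]
    pe_off = 0x40
    headers_len = pe_off + 4 + 20 + opt_size + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF            # align section data to 0x200
    buf = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", buf, 0x3C, pe_off)           # e_lfanew
    buf += b"PE\0\0"
    buf += struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0022)
    buf += b"\0" * opt_size
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics (code | execute | read)
    buf += struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000,
                       len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    buf += b"\0" * (raw_ptr - len(buf))
    buf += section
    buf += overlay
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: 512 bytes of section data followed by a 10,000-byte overlay.
    sample = build_sample_pe(b"\xCC" * 512, b"\0" * 10_000)
    for key, value in triage(sample).items():
        print(f"{key:>20}: {value}")
```

To use it on a real file, pass `open(path, "rb").read()` to `triage`. An overlay on its own is not evidence of anything: Authenticode signatures, installer payloads and resource bundles all legitimately live past the last section, which is why the check keys on the ratio and the absolute size rather than on the mere presence of an overlay. For inflated samples like the ones described here, the first kilobytes of the overlay are also worth a look, since padding that is mostly a single repeated byte compresses to almost nothing while still defeating a size cap.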

Indicators of Compromise

  • [SHA-256 hashes] archive/sample identifiers – b88c5744975d2abb447aecc6c090fee9f8580413f4612eecdc6ed1973e8a1739, ed5ae7f36453c5a23e9868a5729d67e0549a11f6dea54f5f52d654a8f51d4902, and 8 more hashes
  • [Archive password] password-protected archive context – 1234
  • [File size] oversized sample context – 700-950 MB, over 650 MB
  • [Payload names] final payloads delivered by GoFlateLoader – Amatera, Remus, Lumma, Vidar, StealC, and SvitStealer
  • [Platform architectures] loader variants observed – x86 (32-bit), x86-64 (64-bit)
  • [Delivery channel] malicious distribution path – cracked software, malicious TDS

Read more: https://www.gendigital.com/blog/insights/research/goflateloader-delivers-multiple-infostealers