KEY TAKEAWAYS Go language (Golang) is increasing in popularity with developers of both legitimate and malicious tooling. Volexity frequently encounters malware samples written in Golang that apply obfuscators to hinder analysis. Obfuscated Golang malware samples are significantly harder to statically analyze for reverse engineers. Volexity has developed an open-source tool, GoResolver, to retrieve obfuscated functions names. GoResolver’s control-flow graph similarity techniques offer a significant advantage in recovering symbol information. In the course of its investigations, Volexity frequently encounters malware samples written in Golang. Binaries written in Golang are often challenging to analyze because of the embedded libraries and the sheer size of the resulting binaries. This issue is amplified when samples are obfuscated using tools such as Garble, an open-source Golang obfuscation tool. The popularity of Golang amongst malware developers, and the use of obfuscators to make reverse-engineering harder, raised the need for better tooling to assist in reverse-engineering efforts. […]
Golang
-
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically
April 1, 2025
by Killian Raimbaud, Paul Rascagneres
-
DISGOMOJI Malware Used to Target Indian Government
June 13, 2024
by Volexity Threat Research
Note: Volexity has reported the activity described in this blog and details of the impacted systems to CERT at the National Informatics Centre (NIC) in India. In 2024, Volexity identified a cyber-espionage campaign undertaken by a suspected Pakistan-based threat actor that Volexity currently tracks under the alias UTA0137. The malware used in these recent campaigns, which Volexity tracks as DISGOMOJI, is written in Golang and compiled for Linux systems. Volexity assesses with high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful. DISGOMOJI appears to be exclusively used by UTA0137. It is a modified version of the public project discord-c2, which uses the messaging service Discord for command and control (C2), making use of emojis for its C2 communication. The use of Linux malware for initial access paired with decoy documents (suggesting a […]