Skip to content

S0588 GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.231

Item Value
ID S0588
Associated Names SUNSHUTTLE
Version 2.1
Created 12 March 2021
Last Modified 27 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.23
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell GoldMax can spawn a command shell, and execute native commands.23
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.2
enterprise T1140 Deobfuscate/Decode Files or Information GoldMax has decoded and decrypted the configuration file when executed.23
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography GoldMax has RSA-encrypted its communication with the C2 server.2
enterprise T1041 Exfiltration Over C2 Channel GoldMax can exfiltrate files over the existing C2 channel.23
enterprise T1105 Ingress Tool Transfer GoldMax can download and execute additional files.23
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service GoldMax has impersonated systems management software to avoid detection.2
enterprise T1036.005 Match Legitimate Name or Location GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.21
enterprise T1027 Obfuscated Files or Information GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.23
enterprise T1027.002 Software Packing GoldMax has been packed for obfuscation.3
enterprise T1053 Scheduled Task/Job -
enterprise T1053.003 Cron The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.1
enterprise T1053.005 Scheduled Task GoldMax has used scheduled tasks to maintain persistence.2
enterprise T1016 System Network Configuration Discovery GoldMax retrieved a list of the system’s network interface after execution.2
enterprise T1124 System Time Discovery GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.23
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.23
enterprise T1497.003 Time Based Evasion GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.2

Groups That Use This Software

ID Name References
G0016 APT29 245679108