Skip to content

S0597 GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.1

Item Value
ID S0597
Associated Names
Version 1.1
Created 26 March 2021
Last Modified 27 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GoldFinder has used HTTP for C2.1
enterprise T1119 Automated Collection GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node.1
enterprise T1016 System Network Configuration Discovery -
enterprise T1016.001 Internet Connection Discovery GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.1

Groups That Use This Software

ID Name References
G0016 APT29 1234675