{
	"id": "89c6a6f7-78f1-41cd-ac05-3a15f0b11090",
	"created_at": "2026-04-06T00:06:56.701933Z",
	"updated_at": "2026-04-10T13:11:58.896945Z",
	"deleted_at": null,
	"sha1_hash": "5c7b376343908fdb8f598432bfd61ed131667c20",
	"title": "New Golang Ransomware Agenda Customizes Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1528714,
	"plain_text": "New Golang Ransomware Agenda Customizes Attacks\r\nPublished: 2022-08-25 · Archived: 2026-04-05 16:47:15 UTC\r\nWe recently discovered a new piece of targeted ransomware that was created in the Go programming language and that explicitly targeted one of our customers. This was evidenced by the specific email addresses and credentials the ransomware used. Malware written in the Go language (aka Golang) has become common among threat actors. One possible reason for this uptick in popularity is that Go statically compiles the libraries it needs into the binary, making security analysis much harder.\r\nOur investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based on dark web posts by a user named “Qilin” (who seems to be connected to the ransomware distributors) and through ransom notes, the ransomware is called “Agenda.”\r\nAgenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run. The samples of the ransomware that we collected were customized for each victim, and they included unique company IDs and leaked account details.\r\nTargets\r\nAll collected samples were 64-bit Windows PE (Portable Executable) files written in Go, and they were aimed at Windows-based systems. The group distributing the malware was targeting healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand. Every ransomware sample was customized for the intended victim. Our investigation showed that the samples had leaked accounts, customer passwords, and unique company IDs used as extensions of encrypted files.\r\nWe believe that Qilin (or the Agenda ransomware group) offers affiliates options to customize configurable binary payloads for each victim, including details such as company ID, RSA key, and processes and services to kill before the data encryption. Also, the ransom amount requested is different per company, ranging from US$50,000 to US$800,000.\r\nFigure 1. An example of Qilin’s ransom negotiations\r\nhttps://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html\r\nPage 1 of 13\r\nFigure 2. An example of ransom amount requested by Qilin\r\n
Similarities with other ransomware\r\nWe noticed some similarities between Agenda and the Black Basta, Black Matter, and REvil (aka Sodinokibi) ransomware.\r\nIn terms of payment sites and the implementation of user verification on a Tor site, Agenda is very similar to Black Basta and Black Matter. Meanwhile, Agenda shares with Black Basta and REvil the same functionality of changing Windows passwords and rebooting in safe mode using this command:\r\nC:\\windows\\system32\\bcdedit.exe /set safeboot{current} network\r\nObserved kill chain\r\nInvestigating one incident involving this ransomware, we saw that the threat actor behind it used a public-facing Citrix server as a point of entry. We believe that the threat actor used a valid account to access this server and later move inside the victim’s network. This was expected, since the actor configured the ransomware with valid and privileged accounts.\r\nThe threat actor used RDP on Active Directory using leaked accounts. The actor dropped the scanning tools Nmap.exe and Nping.exe for scanning the network. Next, a scheduled task was pushed to domain machines by group policy.\r\nFigure 3. The scheduled task pushed by the group policy\r\nFigure 4. The scheduled task created on the machine\r\nWe observed that there was only a short period between accessing the Citrix server and the ransomware infection: less than two days. The threat actor seemed to have scanned the network on the first day, and then a Group Policy Object (GPO) was created and the ransomware was deployed on the machines.\r\nFigure 5. The Agenda ransomware’s kill chain\r\n
Analysis and notable features\r\nThe Agenda ransomware is a 64-bit Windows PE file written in Go. Go programs are cross-platform and completely standalone, meaning they execute properly even on a system without Go installed. This is possible because Go statically compiles the necessary libraries (packages) into the binary.\r\nUpon execution, this ransomware accepts various command-line arguments that define the malware flow and functionality, as listed in the table below.\r\nArgument  Description\r\n-alter {int}  Defines the port number for this child process\r\n-encryption {value}  Allows for redefining the embedded encryptor config to the customized choice\r\n-ips {IP Address}  Allows for providing IP addresses\r\n-min-size {value}  Defines the minimum file size to encrypt (e.g., 1 KB, 1 MB, 1 GB, 666 KB)\r\n-no-proc  Defines the processes that will not be killed\r\n-no-services  Defines the services that will not be killed\r\n-password {string}  Defines the password to enter landing\r\n-path {directory}  Defines the path that parses directories; if this flag is used and left empty, all directories will be scanned\r\n-safe  Boots in safe mode\r\n-stat  Makes the malware print its configuration (processes and services to be killed, encryption, etc.)\r\nTable 1. Command-line arguments accepted by Agenda\r\nAgenda builds a runtime configuration to define its behavior, including its public RSA key, encryption conditions, list of processes and services to terminate, encryption extension, login credentials, and ransom note.\r\nRuntime configuration component  Description\r\npublic_rsa_pem  RSA public key\r\ndirectory_black_list  Directories excluded from encryption\r\nfile_black_list  File names excluded from encryption\r\nfile_pattern_black_list  File name extensions excluded from encryption\r\nprocess_black_list  Processes to terminate\r\nwin_services_black_list  Services to terminate\r\ncompany_id  Encryption extension\r\naccounts  Login credentials\r\nnote  Ransom note\r\nTable 2. The runtime configuration components of Agenda\r\n
As part of its initial routine, Agenda determines whether the machine is running in safe mode by checking for the string safeboot in the data of this registry value:\r\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control SystemStartOptions\r\nIf it detects that the machine is running in safe mode, it terminates execution.\r\nThe ransomware then removes shadow volume copies by executing vssadmin.exe delete shadows /all /quiet, and terminates the specific processes and services indicated in its runtime configuration, some of which are antivirus-related processes and services.\r\nProcesses: a2service.exe, a2start.exe, aawservice.exe, ashserv.exe, avengine.exe, avkwctl.exe, blackd.exe, cfp.exe, fsav32.exe, fsdfwd.exe, fsguiexe.exe, kpf4gui.exe, mcods.exe, mcpalmcfg.exe, mcproxy.exe, mcregwiz.exe, mcsacore.exe, mcshield.exe, mpfagent.exe, mpfservice.exe, msmpeng.exe, msscli.exe, nisum.exe, ntrtscan.exe, pccpfw.exe, tmntsrv.exe\r\nServices: acronis vss provider, acronis vss provider, acronisagent, acronisagent, acronisagentd, avbackup, avbackupd, ccevtmgr, macmnsvc, macmnsvcd, masvc, masvcd, mcshield, sentinelagent, sentinelagentd, sentinelhelperservice, sentinelhelperserviced, sentinelstaticengine, sentinelstaticengined, shmonitor, shmonitord, smcinst, tmccsf, tmccsfd, tmlisten, tmlistend\r\nTable 3. Some of the antivirus-related processes and services terminated by Agenda\r\nAfter its initial routine, Agenda creates the RunOnce autostart entry *aster pointing to enc.exe, which is a dropped copy of itself under the Public folder:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\n*aster = %Public%\\enc.exe\r\n
Changing user passwords and rebooting in safe mode\r\nAgenda also deploys a detection evasion technique during encryption: it changes the default user’s password and enables automatic login with the new login credentials. This feature can be enabled using the -safe command-line argument. Similar to REvil, Agenda reboots the victim’s machine in safe mode and then proceeds with the encryption routine upon reboot.\r\nTo begin, Agenda lists all local users found on the device and then checks which one is set as the default user.\r\nFigure 6. The function used by Agenda to determine the default user from local users\r\nUpon finding the default user, Agenda changes the user’s password to Y25VsIgRDr.\r\nFigure 7. The function used by Agenda to change the default user’s password\r\nIt then configures the Winlogon registry key, setting each of these values:\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\r\nAutoAdminLogon = 1\r\nDefaultUserName = {username}\r\nDefaultDomainName = {domainname}\r\nDefaultPassword = Y25VsIgRDr\r\nFigure 8. The Winlogon registry entry configured by Agenda\r\nUpon changing the default user’s password and enabling automatic login, Agenda reboots the victim’s machine in safe mode via this command:\r\nC:\\windows\\system32\\bcdedit.exe /set safeboot{current} network\r\nThe ransomware also reboots the machine in normal mode after the encryption using this command:\r\nC:\\Windows\\System32\\bcdedit.exe /set safeboot network bcdedit /deletevalue {default} safeboot\r\n
Impersonation of legitimate accounts\r\nAnother feature of Agenda is its ability to abuse local account credentials to execute the ransomware binary, using the login credentials embedded in its runtime configuration.\r\nFigure 9. Agenda’s embedded local account credentials\r\nAgenda begins the user impersonation by parsing the accounts in the runtime configuration and separating them into username, domain, and password. It uses this data to attempt to log a user on to the local computer via the API LogonUserW.\r\nFigure 10. The function used by Agenda to parse the accounts field in the runtime configuration\r\nFigure 11. Agenda performing logon using a parsed account\r\nAgenda then generates a random port number, which it uses when executing the ransomware binary through the API CreateProcessAsUserW in conjunction with the command-line argument -alter.\r\nFigure 12. Agenda creating a new process with the -alter argument\r\nAllowing network sharing\r\nAgenda is also associated with the compromise of an entire network and its shared drives, not only the encryption of data on one workstation.\r\nThe ransomware adds the registry value EnableLinkedConnections = 1, which makes mapped network drives visible to elevated processes, and then restarts the LanmanWorkstation service. This allows Agenda to list network drives in elevated programs like cmd.\r\nFigure 13. Agenda changing the registry value of EnableLinkedConnection to 1\r\nFigure 14. Agenda restarting the LanmanWorkstation service\r\n
Encryption algorithm\r\nAgenda uses AES-256 for encrypting files and RSA-2048 for encrypting the generated key. To do so, it first generates the key and initialization vector (IV) that it will use for encryption using the function generateKye and the API rand_read().\r\nFigure 15. The function used by Agenda to generate a random key\r\nWith this randomly generated key, Agenda uses AES-256 to encrypt target files. Lastly, it encrypts the key using RSA-2048 with the public key embedded in the runtime configuration.\r\nAfter successful encryption, Agenda renames the encrypted files by appending the company ID indicated in the runtime configuration. It then drops the ransom note {company_id}-RECOVER-README.txt in each encrypted directory.\r\nFigure 16. Agenda’s ransom note\r\nProcess injection\r\nAgenda drops pwndll.dll, detected as Trojan.Win64.AGENDA.SVT, in the Public folder. The file pwndll.dll is a patched version of the legitimate DLL WICloader.dll, written in C rather than Go. Agenda injects this DLL into svchost.exe to allow continuous execution of the ransomware binary.\r\nFigure 17. Agenda injecting pwndll.dll into svchost.exe\r\nFigure 18. Agenda using pwndll.dll to execute the ransomware sample\r\n
Conclusion and solutions\r\nRansomware continues to evolve, developing more sophisticated methods and techniques to trap organizations. Our investigation shows how the new targeted ransomware Agenda is written in the Go language, making it harder to detect and analyze.\r\nThis ransomware has techniques for evading detection by taking advantage of the “safe mode” feature of a device to proceed with its encryption routine unnoticed. The ransomware also takes advantage of local accounts to log on as spoofed users and execute the ransomware binary, further encrypting other machines if the logon attempt is successful. It also terminates numerous processes and services, and ensures persistence by injecting a DLL into svchost.exe.\r\nEnd users and organizations alike can mitigate the risk of infection from ransomware like Agenda by following these security best practices:\r\n- Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.\r\n- Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.\r\n- Patch and update systems regularly. It’s important to keep operating systems and applications up to date, preventing malicious actors from exploiting any software vulnerabilities.\r\nOrganizations can also benefit from security solutions that offer multilayered detection and response, such as Trend Micro Vision One™, which has multilayered protection and behavior detection capabilities that help block suspicious behavior and tools before ransomware can do any damage. Trend Micro Apex One™ also provides next-level automated threat detection and response to protect endpoints against advanced issues, like fileless threats and ransomware.\r\nAdditional insights provided by Eleazar Valles and Sherif Magdy.\r\nFor more information about the indicators of compromise, download this document.\r\nMITRE ATT&CK tactics and techniques\r\nSource: https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html"
	],
	"report_names": [
		"new-golang-ransomware-agenda-customizes-attacks.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c7b376343908fdb8f598432bfd61ed131667c20.pdf",
		"text": "https://archive.orkl.eu/5c7b376343908fdb8f598432bfd61ed131667c20.txt",
		"img": "https://archive.orkl.eu/5c7b376343908fdb8f598432bfd61ed131667c20.jpg"
	}
}