Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:41:35 UTC
Home > List all groups > List all tools > List all groups using tool GoldMax
 Tool: GoldMax
Names
GoldMax
SUNSHUTTLE
Category Malware
Type Backdoor
Description
(Microsoft) The GoldMax malware was discovered persisting on networks as a
scheduled task impersonating systems management software. In the instances it was
encountered, the scheduled task was named after software that existed in the
environment, and pointed to a subfolder in ProgramData named after that software, with
a similar executable name. The executable, however, was the GoldMax implant.
Written in Go, GoldMax acts as command-and-control backdoor for the actor. It uses
several different techniques to obfuscate its actions and evade detection. The malware
writes an encrypted configuration file to disk, where the file name and AES-256 cipher
keys are unique per implant and based on environmental variables and information
about the network where it is running.
Information
MITRE ATT&CK Malpedia Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool GoldMax
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=38cc1123-27b7-4e33-ab64-93a5236e01b7
Page 1 of 2

Changed Name Country Observed
APT groups
  APT 29, Cozy Bear, The Dukes 2008-Feb 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=38cc1123-27b7-4e33-ab64-93a5236e01b7
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=38cc1123-27b7-4e33-ab64-93a5236e01b7
Page 2 of 2