{
	"id": "67f657eb-512a-4e19-8ae8-63bf4e76479c",
	"created_at": "2026-04-06T00:09:49.822324Z",
	"updated_at": "2026-04-10T13:12:45.680197Z",
	"deleted_at": null,
	"sha1_hash": "7a7ab98f401cb4a50772eef64812702cb1e4b124",
	"title": "What does Go-written malware look like? Here's a sample under the microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48248,
	"plain_text": "What does Go-written malware look like? Here's a sample under\r\nthe microscope\r\nBy Jeff Burt\r\nPublished: 2022-03-22 · Archived: 2026-04-05 16:52:36 UTC\r\nThe folks at Deep Instinct say they have studied a Go-written variant of the malware used by the Arid Viper cyber-crime ring.\r\nDeep Instinct, founded in 2015, says it uses deep learning to detect and block malware. While training a deep-learning model that's focused on identifying software nasties written in Go, the researchers uncovered an\r\nexecutable file built using the programming language, submitted it to the VirusTotal website, and found only six\r\nsecurity vendors had the binary flagged as malicious.\r\nFurther investigation uncovered two similar Go-written binaries. From these programs, we're told, it became clear\r\nthe team were looking at a variant of Micropsia. This malware was identified in 2017 and is used exclusively by\r\nArid Viper, an advanced persistent threat (APT) group believed to be based in Gaza and known as APT-C-23.\r\nDeep Instinct named the Go-written malware Arid Gopher.\r\n\"This new variant is still being developed; all the three files share a common baseline, but each file contains\r\nunique code which is not present in the other files,\" Deep Instinct researchers Simon Kenin and Asaf Gilboa wrote\r\nin an analysis this Monday. \"Beside the main implant, our investigation revealed a 'helper' malware, also written in\r\nGo, and a second-stage malware which was downloaded from the C2 [command-and-control] server.\"\r\nEssentially, Arid Gopher has the same functionality of Arid Viper; it is simply written in the Go language.\r\n\"This is also how we related it to Arid Viper,\" Moshe Hayun, Deep Instinct's threat intelligence team leader, told\r\nThe Register. \"We used code similarities and functionality similarities. 
This is how we found out it's the same\r\nactor, using the decompiler, reverse engineering, and looking into the functionalities and how it does things.\"\r\nKenin told The Register that writing the code in Go was likely a way to bypass detection. It's not unusual to see\r\nthreat groups shift the programming language they use to keep malware under the radar. In its 2022 Cyber Threat\r\nLandscape Report released in February, Deep Instinct said that in 2021 it saw a shift by gangs away from older\r\nlanguages like C and C++ to newer ones, including Python and Go, which are easy to learn.\r\nAntivirus engines may be unfamiliar with the structure or identities of executables produced from these newer\r\nlanguages; a binary built from C++ may be in a malware database, but the binary of a rewrite in Go may not be,\r\nbuying its creators some extra time to avoid detection. It could also be cyber-crooks are just keeping up with\r\nsoftware development trends, tools, and libraries.\r\nIn Arid Viper's case, its masterminds have used a range of programming languages, jumping from Pascal and\r\nDelphi to C++, Python, and now Go. What hasn't changed is how the malware works or what it is designed to do.\r\nhttps://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/\r\nPage 1 of 3\n\n\"APTs, their sole purpose is to infiltrate important assets,\" Hayun said. \"I don't know if I have seen an APT\r\ntransposing from so many languages, like Delphi [and] Pascal, but Go malware is kind of a trend now because it's\r\na new language, it has a lot of open-source libraries, a lot of libraries like helper functions to collect information\r\nfrom the victim's computers and stuff like that. I don't know how unique it is. APTs do that. Their models are out\r\nthere in several languages. 
I don't recall any APT using these exact languages or transposing it to Go.\"\r\nAccording to Deep Instinct, Arid Viper's malware targets computers running Microsoft Windows, and has been\r\nused primarily in the Middle East, with a specific focus on Palestinian targets. It has been linked in the past to\r\nHamas, according to the researchers. There is also an Android strain apparently used against Israeli targets, and\r\nlast year Facebook-owner Meta issued a report [PDF] that identified an iOS nasty developed by Arid Viper.\r\nDeep Instinct outlined the Arid Gopher variants it uncovered. Arid Gopher V1 is written in Go 1.16.5 and\r\nincludes code from libraries available from GitHub, which the researchers noted \"saves the author time by not\r\nneeding to write some features from scratch. It also adds some degree of legitimacy because those libraries are not\r\nmalicious, but the malware author abuses the libraries' capabilities for malicious purposes.\"\r\nThere are two versions of the Arid Gopher V2 variant that have been used since the beginning of the year. Both\r\nsamples were written in Go 1.17.4 and use some of the public libraries from GitHub that are in V1. A key\r\ndifference between the two is the content of the benign documents they save on a victim's desktop, the team wrote.\r\nThe variants are emailed to targets in .xz RAR archives, and unpack with a long filename to hopefully push their\r\n.exe extension out of sight. 
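The toolchain version and the GitHub library list quoted above come from strings the Go toolchain leaves in every binary it builds. The following Go program is an added example, not Deep Instinct's tooling and not code from the Arid Gopher samples: it scans a blob of bytes for the build-info marker that go1.13 and later embed, pulls out the toolchain version string (go1.17.4 and so on) and lists the distinct public github.com module roots compiled in. The sample bytes are constructed here to stand in for a stripped Windows executable; the module names in it are placeholders rather than libraries the real samples use, and the byte layout after the marker only approximates the real build-info block.

```go
package main

import (
	`bytes`
	`fmt`
	`regexp`
	`sort`
)

// buildInfoMagic is the 16-byte marker that go1.13+ writes in front of the
// build-info block (toolchain version plus module list). The leading 0xff
// keeps it out of ordinary string tables, so search raw bytes, not strings.
var buildInfoMagic = append([]byte{0xff}, []byte(` Go buildinf:`)...)

// goVersionRE matches the runtime version string, for example go1.17.4.
// Character classes are used instead of escapes so the pattern needs no backslashes.
var goVersionRE = regexp.MustCompile(`go1[.][0-9]+([.][0-9]+)?`)

// githubModuleRE matches the root path of a public GitHub module that was compiled in.
var githubModuleRE = regexp.MustCompile(`github[.]com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+`)

// Triage is the result of the three checks on one file.
type Triage struct {
	IsGo    bool     // build-info marker present
	Version string   // first toolchain version string found, empty if none
	Modules []string // sorted, de-duplicated github.com module roots
}

// IsGoBinary reports whether the build-info marker is present anywhere in data.
func IsGoBinary(data []byte) bool {
	return bytes.Contains(data, buildInfoMagic)
}

// GoVersion returns the first embedded toolchain version, or an empty string.
func GoVersion(data []byte) string {
	return string(goVersionRE.Find(data))
}

// GitHubModules returns every distinct github.com module root referenced in data.
func GitHubModules(data []byte) []string {
	seen := map[string]bool{}
	for _, m := range githubModuleRE.FindAll(data, -1) {
		seen[string(m)] = true
	}
	out := make([]string, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

// TriageBinary runs all three checks over the raw bytes of one file.
func TriageBinary(data []byte) Triage {
	return Triage{IsGo: IsGoBinary(data), Version: GoVersion(data), Modules: GitHubModules(data)}
}

// sampleBinary is a constructed stand-in for a stripped Go executable: filler
// bytes, the marker, a version string and a module list. The layout after the
// marker is only approximate and the module names are placeholders.
func sampleBinary() []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x90}, 64)) // filler, as if code preceded the block
	b.Write(buildInfoMagic)
	b.Write([]byte{8, 2})     // pointer size 8, flags 2 (inline strings), as in go1.18+
	b.WriteString(`go1.17.4`) // toolchain version the sample pretends to be built with
	b.Write(bytes.Repeat([]byte{0}, 16))
	for _, dep := range []string{
		`github.com/example-org/sysinfo`,
		`github.com/example-org/screencap`,
		`github.com/example-org/sysinfo`, // listed twice on purpose; reported once
	} {
		b.WriteString(`dep ` + dep + ` v0.0.1`)
		b.WriteByte(10) // newline between module-info lines
	}
	return b.Bytes()
}

func main() {
	tr := TriageBinary(sampleBinary())
	fmt.Println(`go binary:`, tr.IsGo)
	fmt.Println(`toolchain:`, tr.Version)
	fmt.Println(`modules:  `, tr.Modules)
}
```

For real files, Go's own debug/buildinfo package (go1.18 and later) parses the block out of PE, ELF and Mach-O images and is the faithful way to read the version and module list; the byte scan above is the quick triage pass that still works on damaged or only partially unpacked samples. A github.com module list read this way is also what lets an analyst say, as the researchers do, which public libraries a sample borrowed rather than wrote from scratch.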
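The delivery trick described just above, a long filename that pushes the .exe extension off the end of what a mail client or Explorer window shows, is cheap to catch before anything is opened. The Go function below is an added example written for this article, not part of Deep Instinct's research or of the samples they describe. Given an attachment or archive entry name, it reports why the name looks like an extension-hiding lure: an executable extension, a document extension sitting just before it, whitespace padding, overall length beyond what clients display and, going one step beyond the article, a Unicode bidi override character, which attackers also use to reorder how a name is rendered. The display-length threshold, the extension lists and the sample names are assumptions constructed for the example.

```go
package main

import (
	`fmt`
	`path/filepath`
	`strings`
	`unicode`
)

// executableExts lists extensions Windows runs on double-click (assumed list, extend as needed).
var executableExts = map[string]bool{
	`.exe`: true, `.scr`: true, `.com`: true, `.pif`: true,
	`.bat`: true, `.cmd`: true, `.js`: true, `.vbs`: true,
}

// documentExts lists the lure extensions a decoy pretends to carry.
var documentExts = map[string]bool{
	`.doc`: true, `.docx`: true, `.pdf`: true, `.xls`: true, `.xlsx`: true, `.rtf`: true,
}

// maxDisplayLen is an assumed threshold beyond which typical mail clients and
// Explorer views truncate a name and hide its tail; tune it for your environment.
const maxDisplayLen = 60

// Findings returns the reasons name looks like an extension-hiding lure, or nil
// when its final extension is not executable. name is an archive entry or
// attachment name, not a filesystem path.
func Findings(name string) []string {
	ext := strings.ToLower(filepath.Ext(name))
	if !executableExts[ext] {
		return nil
	}
	out := []string{`executable extension ` + ext}

	// Whitespace padding: spaces between the visible part and the real extension.
	stem := strings.TrimSuffix(name, filepath.Ext(name))
	trimmed := strings.TrimRightFunc(stem, unicode.IsSpace)
	if pad := len([]rune(stem)) - len([]rune(trimmed)); pad > 0 {
		out = append(out, fmt.Sprintf(`%d whitespace characters pad the name before %s`, pad, ext))
	}

	// Double extension: a document extension shown to the user, executable one hidden.
	if inner := strings.ToLower(filepath.Ext(trimmed)); documentExts[inner] {
		out = append(out, `document extension `+inner+` sits just before `+ext)
	}

	// Length: long enough that the tail is cut off in list views.
	if n := len([]rune(name)); n > maxDisplayLen {
		out = append(out, fmt.Sprintf(`name is %d characters, longer than the %d most clients display`, n, maxDisplayLen))
	}

	// Bidi overrides (LRO U+202D, RLO U+202E) reorder the rendered name so that
	// the extension appears somewhere other than the end.
	for _, r := range name {
		if r == 0x202D || r == 0x202E {
			out = append(out, `contains a Unicode bidi override character`)
			break
		}
	}
	return out
}

// sampleNames are constructed for this example; none is a real Arid Gopher filename.
var sampleNames = []string{
	`Statement regarding the upcoming meeting on border crossing arrangements March 2022.docx.exe`,
	`report.docx` + strings.Repeat(` `, 50) + `.exe`,
	`invoice.exe`,
	`Agenda.pdf`,
}

func main() {
	for _, n := range sampleNames {
		fmt.Printf(`%q:`, n)
		fmt.Println()
		for _, f := range Findings(n) {
			fmt.Println(`  -`, f)
		}
	}
}
```

Run at the mail gateway or over the entries of an extracted archive, a non-empty result is a reason to quarantine before any decoy document gets a chance to be displayed; a plain invoice.exe still gets flagged for its extension alone, while a genuine Agenda.pdf returns nothing.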
When successfully run, they infect the host Windows PC, open a backdoor to a\r\ncommand-and-control server to receive further instructions, and drop a decoy document on the desktop and\r\ndisplay it so that the victim thinks they've simply saved and opened an attached Word file and not malware.\r\nThe variants also continue Arid Viper's use of names of characters in popular TV shows in their domain names. In\r\nV1, the name Grace Fraser is used in a domain name. Grace Fraser is a character in the HBO series The Undoing.\r\nIn V2, a name used is Pam Beesly, a character from the sitcom The Office.\r\nGilboa and Kenin claim deep learning gives them an edge over rival cybersecurity vendors in finding malicious\r\ncode. The researchers wrote that some competitors rely on manually tuned heuristics, or manually selected\r\nfeatures that are fed into classical machine-learning models, to determine if a file is malicious or legitimate. Other\r\nmethods include running programs in a sandbox to get more information.\r\nDeep Instinct instead trains models to learn as they go.\r\n\"Researchers are manually going over samples and then are updating their signature mechanism,\" Hayun said.\r\n\"We do it a bit differently. We take huge amounts of data, so there is a really high probability that our deep\r\nlearning models already saw something similar.\r\n\"They say, 'I saw something similar. I know that this and this and this will increase the probability of something\r\nbeing malicious,' so the next time something a bit similar comes into the model, it will say, 'I saw something\r\nsimilar like this. I will give it the highest quality to be this as malicious.'\" ®\r\nSource: https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/"
	],
	"report_names": [
		"arid-gopher-malware-deep-instinct"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a7ab98f401cb4a50772eef64812702cb1e4b124.pdf",
		"text": "https://archive.orkl.eu/7a7ab98f401cb4a50772eef64812702cb1e4b124.txt",
		"img": "https://archive.orkl.eu/7a7ab98f401cb4a50772eef64812702cb1e4b124.jpg"
	}
}