{
	"id": "56de71b4-b456-48c3-b12e-e5f5a6ef6b53",
	"created_at": "2026-04-06T00:12:29.699055Z",
	"updated_at": "2026-04-10T03:21:40.39791Z",
	"deleted_at": null,
	"sha1_hash": "99bb1a89d61d851567eb0e45b01b5ee0b6157b8a",
	"title": "The Golden Tax Department and the Emergence of GoldenSpy Malware | Trustwave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57491,
	"plain_text": "The Golden Tax Department and the Emergence of GoldenSpy Malware | Trustwave\r\nBy Brian Hussey\r\nPublished: 2020-06-22 · Archived: 2026-04-05 14:29:20 UTC\r\nJune 22, 2020 3 Minute Read\r\nTrustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software that a Chinese bank requires corporations to install to conduct business operations in China.\r\nIn April of 2020, the Trustwave SpiderLabs Threat Fusion Team engaged a customer to conduct a threat hunt. The company is a global technology vendor with significant government business in the US, Australia, and UK, and it had recently opened offices in China. Our threat hunt produced several key findings important to the long-term security of their network; however, one key finding stood out as potentially impacting countless other businesses that currently operate in China. A full analysis of our findings is available for download in this report, in which Trustwave SpiderLabs threat hunting experts investigate a malware campaign targeting corporations operating in China.\r\nInvestigation Details\r\nWe identified an executable file displaying highly unusual behavior and sending system information to a suspicious Chinese domain. Discussions with our client revealed that this was part of their bank’s required tax software. 
They informed us that upon opening operations in China, their local Chinese bank required that they install a software package called Intelligent Tax, produced by the Golden Tax Department of Aisino Corporation, for paying local taxes.\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/\r\nPage 1 of 3\r\nAs we continued our investigation into the tax software, we found that it worked as advertised, but it also installed a hidden backdoor on the system that enabled a remote adversary to execute Windows commands or to upload and execute any binary (including ransomware, trojans, or other malware). Basically, it was a wide-open door into the network with SYSTEM level privileges, and it connected to a command and control server completely separate from the tax software’s network infrastructure. Based on this, and several other factors (described below), we determined this file to have sufficient characteristics to be malware. We’ve since fully reverse-engineered the files and named the family GoldenSpy.\r\nGoldenSpy was digitally signed by a company called Chenkuo Network Technology, and the signature used identical text for both the product and description fields: 认证软件版本升级服务, which translates to “certified software version upgrade service”. This name may sound like legitimate software; however, in this situation the tax software already has its own updater service that functions well, and in a way completely unrelated to GoldenSpy.\r\nThere were several other unusual aspects of this file, including:\r\n- GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, it will respawn its counterpart. Furthermore, it utilizes an exeprotector module that monitors for the deletion of either iteration of itself. If deleted, it will download and execute a new version. Effectively, this triple-layer protection makes it exceedingly difficult to remove this file from an infected system.\r\n- The Intelligent Tax software’s uninstall feature will not uninstall GoldenSpy. It leaves GoldenSpy running as an open backdoor into the environment, even after the tax software is fully removed.\r\n- GoldenSpy is not downloaded and installed until a full two hours after the tax software installation process is completed. When it finally downloads and installs, it does so silently, with no notification on the system. This long delay is highly unusual and is a method to hide from the victim’s notice.\r\n- GoldenSpy does not contact the tax software’s network infrastructure (i-xinnuo[.]com); rather, it reaches out to ningzhidata[.]com, a domain known to host other variations of GoldenSpy malware. After the first three attempts to contact its command and control server, it randomizes beacon times. This is a known method to avoid network security technologies designed to identify beaconing malware.\r\n- GoldenSpy operates with SYSTEM level privileges, making it highly dangerous and capable of executing any software on the system. This includes additional malware or Windows administrative tools to conduct reconnaissance, create new users, escalate privileges, etc.\r\nThese factors have led us to the conclusion that GoldenSpy is a well-hidden and powerful backdoor that surrenders full remote command and control of the victim system to an unknown adversary.\r\nThe diagram below shows the network communication patterns of GoldenSpy installation via Intelligent Tax software.\r\n[Diagram: network communication patterns of GoldenSpy installation via Intelligent Tax software]\r\nThe scope of this campaign is not currently known. For our client, GoldenSpy was secretly embedded within the Aisino Intelligent Tax software, but we cannot determine if this was targeted because of their access to vital data, or if this campaign impacts every company doing business in China. 
We have identified similar activity at a global financial institution, but do not yet have further telemetry into this campaign.\r\nThe current GoldenSpy campaign began in April of 2020; however, our cyber threat intel analysts have discovered variations of GoldenSpy that date back to December of 2016. It is of interest that Chenkuo Technology’s website announced a partnership with Aisino in October of 2016, two months prior to the original emergence of the GoldenSpy malware family. Their partnership is for “big data cooperation”. GoldenSpy certainly could enable big data access and collection. Trustwave SpiderLabs has no current knowledge of whether GoldenSpy was active in the wild since 2016; our first identification of usage was April 2020. To be clear, we do not yet know the scope, purpose, or actors behind the threat. We do not know whether Chenkuo Technology or Aisino are active and/or willing participants, or the extent of their involvement other than what is presented in the report.\r\n[Image: Partnership]\r\nRecommendations\r\nWe believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment, and remediation countermeasures, as outlined in our technical report (download link below).\r\nTrustwave SpiderLabs is still actively investigating and seeking out more telemetry on the GoldenSpy campaign. If you have any information about this activity or feel you may have been victimized by this attack, please reach out to the Trustwave SpiderLabs Threat Fusion Team at GoldenSpy@trustwave.com. We are available for advice, information exchange, or to engage threat hunting / forensic investigation services.\r\nAisino Corporation and Nanjing Chenkuo Network Technology were contacted and briefed on these findings, as part of Trustwave's documented vulnerability disclosure process. At time of publication of this report, neither has responded.\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/"
	],
	"report_names": [
		"the-golden-tax-department-and-the-emergence-of-goldenspy-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99bb1a89d61d851567eb0e45b01b5ee0b6157b8a.pdf",
		"text": "https://archive.orkl.eu/99bb1a89d61d851567eb0e45b01b5ee0b6157b8a.txt",
		"img": "https://archive.orkl.eu/99bb1a89d61d851567eb0e45b01b5ee0b6157b8a.jpg"
	}
}