{
	"id": "b768a435-7474-4095-903b-321b3f15ee33",
	"created_at": "2026-04-06T00:19:45.075773Z",
	"updated_at": "2026-04-10T03:24:18.103439Z",
	"deleted_at": null,
	"sha1_hash": "d59e61109b2f45fae3d2729075796f2cc108b05f",
	"title": "Attackers target Ukraine using GoMet backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 537375,
	"plain_text": "Attackers target Ukraine using GoMet backdoor\r\nBy Jaeson Schultz\r\nPublished: 2022-07-21 · Archived: 2026-04-05 15:33:21 UTC\r\nExecutive summary\r\nSince the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber\r\nattacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of\r\nmalware targeting Ukraine — this time aimed at a large software development company whose software is used in\r\nvarious state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot\r\nignore the possibility that the perpetrating threat actor's intent was to gain access in order to mount a supply chain-style\r\nattack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the\r\nmalware is a slightly modified version of the open-source backdoor named \"GoMet.\" The malware was first\r\nobserved on March 28, 2022.\r\nGoMet backdoor\r\nThe story of this backdoor is rather curious — there are two documented cases of its usage by sophisticated threat\r\nactors. First, in 2020, attackers deployed this malware after successfully exploiting CVE-2020-5902,\r\na vulnerability in F5 BIG-IP so severe that USCYBERCOM posted a tweet urging all users to patch the\r\napplication. The second is more recent and involved the successful exploitation of CVE-2022-1040, a remote code\r\nexecution vulnerability in Sophos Firewall.\r\nBoth cases are very similar. They both start with the exploitation of a public vulnerability on appliances, after which the\r\nmalicious actors dropped GoMet as a backdoor. 
As of publishing time, Cisco Talos has no reason to believe\r\nthese cases are related to the usage of this backdoor in Ukraine.\r\nThe original GoMet author posted the code on GitHub on March 31, 2019 and had commits until April 2, 2019.\r\nThe commits didn't add any features but did fix some code convention aesthetics. The backdoor itself is a rather\r\nsimple piece of software written in the Go programming language. It contains nearly all the usual functions an\r\nattacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS)\r\nand architectures (amd64, arm, etc.). GoMet supports job scheduling (via cron or Task Scheduler, depending on the\r\nOS), single command execution, file download, file upload and opening a shell. An additional notable feature of\r\nGoMet is its ability to daisy chain connections from one implanted host to another: the attackers gain access to a\r\nnetwork or machine and then use that foothold to reach further networks and computers. Such a feature could allow\r\ncommunication out to the internet from otherwise completely \"isolated\" hosts.\r\nThe malicious actors changed this part of the code. In the original code, the cron job is configured to execute once\r\nevery hour on the hour. In our samples, the cron job is configured to run every two seconds. This change makes the\r\nsample slightly noisier, since it executes every two seconds, but it also avoids an hour-long wait if the\r\nconnection fails, which allows more aggressive reconnection to the C2.\r\nhttps://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html\r\nPage 1 of 8\n\nThe objective of the cron job defined in the main part of the malware is to check whether the agent is connected to the C2; if not,\r\nit starts the agent component again and connects to the C2. 
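The watchdog just described, together with the retry sleep that the samples' Agent.Start applies when the C2 is unreachable (time_Sleep(1000000000 * (rnd_val + 300)), walked through in the next section), is easy to misread in a disassembler because Go durations are raw nanosecond counts. The Go program below is an added model written for this page; it is not GoMet's code and not from the Talos post. It reconstructs only the control flow the post describes: a cron tick that checks a connected flag and restarts the agent when it is clear, and a start routine that dials the C2 and sleeps five to ten minutes on failure. Dialing, sleeping and randomness are injected so it runs offline; the assumption that rnd_val is drawn from [0, 300) is mine, chosen to match the stated range.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"sync"
	"time"
)

// RetryDelay reconstructs the sleep applied when the C2 is unreachable,
// time_Sleep(1000000000 * (rnd_val + 300)). A time.Duration is an int64
// count of nanoseconds, so 1e9 * seconds is exactly the raw constant a
// disassembler shows at the call site. rndVal in [0, 300) is an assumption
// that yields the five-to-ten-minute range described in the post.
func RetryDelay(rndVal int64) time.Duration {
	return time.Duration(1_000_000_000 * (rndVal + 300))
}

// SecondsFromRawSleep converts a raw nanosecond argument recovered from a
// time.Sleep call site back into whole seconds.
func SecondsFromRawSleep(raw int64) int64 {
	return raw / int64(time.Second)
}

// Agent models only the behaviour relevant here: a connected flag that the
// cron job tests, and a start routine that dials the C2 and sleeps on
// failure. Dialing, sleeping and randomness are injected so the model runs
// offline and can be driven deterministically.
type Agent struct {
	connected bool
	dial      func() error
	sleep     func(time.Duration)
	rnd       func() int64
	Dials     int             // how many C2 connection attempts were made
	Sleeps    []time.Duration // the retry sleep chosen on each failure
}

// Start mirrors the reconstructed Agent.Start control flow. The goroutine
// plus WaitGroup is here to show why a disassembly lists WaitGroup.Add(-1):
// sync.WaitGroup.Done is a one-line wrapper around Add(-1) that the compiler
// inlines, so the two spellings are the same call.
func (a *Agent) Start() {
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Add(-1) // identical to wg.Done()
		a.Dials++
		if err := a.dial(); err != nil {
			d := RetryDelay(a.rnd())
			a.Sleeps = append(a.Sleeps, d)
			a.sleep(d)
			return // still disconnected; the next cron tick retries
		}
		a.connected = true
	}()
	wg.Wait()
}

// Tick is one firing of the cron job: hourly in the GitHub code, every two
// seconds in the Ukrainian samples. It only restarts the agent while the
// connection is down, which is why the two-second schedule is cheap while
// connected and aggressive while the C2 is unreachable.
func (a *Agent) Tick() {
	if !a.connected {
		a.Start()
	}
}

// Simulate drives cron ticks until the agent connects or maxTicks is hit and
// returns the number of ticks used. The injected dial fails the first
// `failures` attempts and then succeeds.
func Simulate(failures, maxTicks int) (int, *Agent) {
	attempts := 0
	a := &Agent{
		dial: func() error {
			attempts++
			if attempts <= failures {
				return errors.New("c2 unreachable")
			}
			return nil
		},
		sleep: func(time.Duration) {}, // record the delay but do not block
		rnd:   func() int64 { return rand.Int63n(300) },
	}
	for tick := 1; tick <= maxTicks; tick++ {
		a.Tick()
		if a.connected {
			return tick, a
		}
	}
	return maxTicks, a
}

func main() {
	ticks, a := Simulate(2, 10)
	fmt.Printf("connected after %d ticks, %d dials, sleeps chosen: %v\n", ticks, a.Dials, a.Sleeps)
	raw := int64(RetryDelay(42))
	fmt.Printf("raw sleep 1000000000*(42+300) = %d ns = %d s\n", raw, SecondsFromRawSleep(raw))
}
```

With two failed dials the model connects on the third tick; the two recorded sleeps always fall in [5m, 10m). The same arithmetic reads a disassembly in reverse: divide the immediate passed to time.Sleep by 1e9 and subtract 300 to recover the random component.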
The picture below shows the execution flow of the\r\nC2 setup routine Agent.Start (shown as an image in the original post).\r\nThis flow reveals another change from the GitHub version. If the C2 is unreachable, the sample sleeps for a\r\nrandom amount of time between five and 10 minutes. Go's time.Sleep takes a time.Duration, which is a count of\r\nnanoseconds, so the pseudocode looks like the following: time_Sleep(1000000000 * (rnd_val + 300)).\r\nThe 'WaitGroup_Add' call in the disassembly screenshot can also be confusing. In the Go standard library,\r\nWaitGroup.Done() is a one-line wrapper around WaitGroup.Add(-1), and the compiler inlines it, so the disassembly\r\nshows the Add(-1) call where the source says Done().\r\nOnce Agent.Start returns, the next cron job triggers the execution of the serve() routine, which tries to\r\nstart another instance of the agent.\r\nThe simplified source code of the GitHub version looks like this (image in the original post):\r\nThe simplified pseudocode for the samples in the wild looks like this (image in the original post):\r\nTalos found two samples of this version of the backdoor:\r\nf24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb (FctSec.exe)\r\n950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88 (SQLocalM86.exe)\r\nThese samples have minor differences but are likely built from the same source code, just with a slightly different\r\nconfiguration.\r\nIf we look closely at the functions, they are not 100% identical, but the changes are mainly strings\r\nand similar victim- or compiler-dependent data, along with researcher comments. Below is the Main.Main function\r\nas an example (image in the original post).\r\nThe malicious activity we detected included a fake Windows Update scheduled task created by the GoMet\r\ndropper. Additionally, the malware used a somewhat novel approach to persistence. 
It enumerated the autorun\r\nvalues and, instead of creating a new one, replaced one of the existing goodware autorun executables with the\r\nmalware. This could potentially avoid detection or hinder forensic analysis, since no new autorun entry is created.\r\nIn one of the cases, about 60 seconds before the schtasks query is executed, a cmd.exe process is opened with no\r\narguments and then itself executes systeminfo and the schtasks queries, rather than these queries being spawned by\r\nsvchost, services or another process. This execution looks like:\r\nC:\\WINDOWS\\system32\\cmd.exe\r\nsysteminfo\r\nschtasks /query /tn microsoft\\windows\\windowsupdate\\scheduled\r\nschtasks /query /tn microsoft\\windows\\windowsupdate\\scheduled /v\r\nInfrastructure\r\nBoth samples have the command and control (C2) IP address hardcoded: 111.90.139[.]122.\r\nCommunication occurs via HTTPS on the default port (443).\r\nThe certificate on this server is self-signed and was issued on April 4, 2021; its SHA-1 fingerprint is\r\n9b5e112e683a3605c9481d8f565cfb3b7e2feab7. This suggests that preparation for this campaign\r\nbegan as early as April 2021. At the moment, there are no known domains associated with this IP address, and the\r\nlast time there was a domain associated with it was on Jan. 23, 2021, which is outside the known attack time\r\nframe.\r\nConclusion\r\nAs the war in Ukraine rages on with little resolution in sight, we are reminded that attackers will try just about\r\nanything to gain additional leverage over their Ukrainian adversaries. Cisco Talos expects to see the continued\r\ndeployment of a range of cyber weapons targeting the Ukrainian government and its counterparts.\r\n
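The cmd.exe, systeminfo, schtasks sequence quoted in the persistence section above lends itself to a parent/child detection. The Go program below is an added example written for this page; it is not Talos code and not a shipped Snort or EDR rule. It runs the logic over constructed sample process-creation events in an assumed simplified "time pid ppid image cmdline" line format, so it works offline. It flags a cmd.exe that, within a short window of starting, spawns both systeminfo and a schtasks /query for the task path the attacker queried, and it parses the /tn argument rather than substring-matching so that a differently named task under the same folder (the real "Scheduled Start" task, assumed benign here) is not swept in.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ProcEvent is a process-creation record reduced to the fields the rule
// needs; Sysmon Event ID 1 or any EDR process telemetry carries them.
type ProcEvent struct {
	Time      time.Time
	PID       int
	ParentPID int
	Image     string
	CmdLine   string
}

// Constructed sample telemetry (not data from the post) in an assumed
// "time pid ppid image cmdline" line format: a cmd.exe opened with no
// arguments that then runs systeminfo and the two schtasks queries quoted
// above, plus a benign cmd.exe querying a differently named task.
const sampleLog = `
2022-03-28T10:15:02Z 4120 812 C:\WINDOWS\system32\cmd.exe cmd.exe
2022-03-28T10:15:03Z 4188 4120 C:\WINDOWS\system32\systeminfo.exe systeminfo
2022-03-28T10:15:10Z 4212 4120 C:\WINDOWS\system32\schtasks.exe schtasks /query /tn microsoft\windows\windowsupdate\scheduled
2022-03-28T10:15:11Z 4230 4120 C:\WINDOWS\system32\schtasks.exe schtasks /query /tn microsoft\windows\windowsupdate\scheduled /v
2022-03-28T10:20:00Z 5000 812 C:\WINDOWS\system32\cmd.exe cmd.exe /c dir
2022-03-28T10:20:01Z 5010 5000 C:\WINDOWS\system32\schtasks.exe schtasks /query /tn \Microsoft\Windows\WindowsUpdate\Scheduled Start
`

// SuspiciousTask is the task path the attacker queried, lower-cased and
// without a leading backslash so "scheduled" does not match "scheduled start".
const SuspiciousTask = `microsoft\windows\windowsupdate\scheduled`

// ParseLog turns the simplified line format into ProcEvents.
func ParseLog(log string) ([]ProcEvent, error) {
	var out []ProcEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.SplitN(line, " ", 5)
		if len(f) < 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339, f[0])
		pid, err1 := strconv.Atoi(f[1])
		ppid, err2 := strconv.Atoi(f[2])
		if err != nil || err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad time or pid in line: %q", line)
		}
		out = append(out, ProcEvent{Time: t, PID: pid, ParentPID: ppid, Image: f[3], CmdLine: f[4]})
	}
	return out, nil
}

// baseName strips a directory prefix by hand; path/filepath would not split
// on backslashes when this runs on a non-Windows host.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// TaskName returns the /tn argument of a schtasks command line, which may
// contain spaces, in the same normalised form as SuspiciousTask, or "".
func TaskName(cmd string) string {
	lc := strings.ToLower(cmd)
	i := strings.Index(lc, " /tn ")
	if i < 0 {
		return ""
	}
	name := lc[i+5:]
	if j := strings.Index(name, " /"); j >= 0 {
		name = name[:j] // drop trailing switches such as /v
	}
	return strings.TrimPrefix(strings.TrimSpace(name), `\`)
}

// Detect returns, keyed by the parent cmd.exe PID, the child command lines
// of every cmd.exe that within window of its start spawned both systeminfo
// and a schtasks /query for SuspiciousTask. Either child alone is routine
// admin activity; the pair under one bare cmd.exe is the sequence described.
func Detect(events []ProcEvent, window time.Duration) map[int][]string {
	children := map[int][]ProcEvent{}
	for _, e := range events {
		children[e.ParentPID] = append(children[e.ParentPID], e)
	}
	findings := map[int][]string{}
	for _, parent := range events {
		if !strings.EqualFold(baseName(parent.Image), "cmd.exe") {
			continue
		}
		sawSysinfo, sawQuery := false, false
		var evidence []string
		for _, c := range children[parent.PID] {
			if c.Time.Before(parent.Time) || c.Time.Sub(parent.Time) > window {
				continue
			}
			switch strings.ToLower(baseName(c.Image)) {
			case "systeminfo.exe":
				sawSysinfo = true
				evidence = append(evidence, c.CmdLine)
			case "schtasks.exe":
				if strings.Contains(strings.ToLower(c.CmdLine), "/query") && TaskName(c.CmdLine) == SuspiciousTask {
					sawQuery = true
					evidence = append(evidence, c.CmdLine)
				}
			}
		}
		if sawSysinfo && sawQuery {
			findings[parent.PID] = evidence
		}
	}
	return findings
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for pid, ev := range Detect(events, 2*time.Minute) {
		fmt.Printf("suspicious cmd.exe pid %d: %q\n", pid, ev)
	}
}
```

On the constructed events only the first cmd.exe (PID 4120) is reported, with its three child command lines as evidence; the second cmd.exe is skipped because it never ran systeminfo and its task name does not match. Tighten the window or require the parent command line to be a bare cmd.exe if the rule proves noisy in a given environment.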
We remain\r\nvigilant and are committed to helping Ukraine defend its networks against such cyber attacks and working closely\r\nwith our strategic allies in the region to gather and provide actionable threat intelligence.\r\nIn this instance, we saw a software company targeted with a backdoor designed for additional persistent access.\r\nWe also observed the threat actor take active steps to prevent detection of their tooling by obfuscating samples and\r\nutilizing novel persistence techniques. This access could be leveraged in a variety of ways, including deeper\r\naccess or launching additional attacks, including the potential for software supply chain compromise. It's a\r\nreminder that although the cyber activities haven't necessarily risen to the level many have expected, Ukraine is\r\nstill facing a well-funded, determined adversary that can inflict damage in a variety of ways — this is just the\r\nlatest example of those attempts.\r\nWe assess with moderate to high confidence that these actions are being conducted by Russian state-sponsored\r\nactors or those acting in their interests.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise\r\nSHA-256 Hashes\r\nf24158c5132943fbdeee4de4cedd063541916175434f82047b6576f86897b1cb\r\n950ba2cc9b1dfaadf6919e05c854c2eaabbacb769b2ff684de11c3094a03ee88\r\nIPs\r\n111.90.139[.]122\r\nSource: https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html"
	],
	"report_names": [
		"attackers-target-ukraine-using-gomet.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434785,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d59e61109b2f45fae3d2729075796f2cc108b05f.pdf",
		"text": "https://archive.orkl.eu/d59e61109b2f45fae3d2729075796f2cc108b05f.txt",
		"img": "https://archive.orkl.eu/d59e61109b2f45fae3d2729075796f2cc108b05f.jpg"
	}
}