{
	"id": "aec580b0-f5a4-4d18-a962-9b96c2e2d110",
	"created_at": "2026-04-06T00:17:26.323502Z",
	"updated_at": "2026-04-10T03:21:49.212525Z",
	"deleted_at": null,
	"sha1_hash": "ff9f29a3272bad9e68571b7b518af63af27b64f5",
	"title": "New Go-based Malware Loader Discovered | Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 920661,
	"plain_text": "New Go-based Malware Loader Discovered | Arctic Wolf\r\nBy Hady Azzam, Christopher Prest, and Steven Campbell\r\nPublished: 2024-01-24 · Archived: 2026-04-05 17:50:21 UTC\r\nBackground\r\nArctic Wolf Labs has been tracking two recent intrusions where threat actors leveraged a new Go-based malware downloader we are calling “CherryLoader” that allowed them to swap exploits without recompiling code. The loader’s icon and name masqueraded as the legitimate CherryTree note-taking application to trick the victims. In the intrusions we investigated, CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device.\r\nKey Takeaways\r\nArctic Wolf has observed a new loader, dubbed “CherryLoader”, written in Go and used in recent intrusions.\r\nThe loader contains modularized features that allow the threat actor to swap exploits without recompiling code.\r\nCherryLoader drops two publicly available privilege escalation exploits.\r\nCherryLoader’s attack chain leverages process ghosting and allows threat actors to elevate privileges and establish persistence on victim machines.\r\nTechnical Analysis\r\nBased on incident response data and additional analysis, the threat actors initially leveraged the IP address 141.11.187[.]70 to serve the victim CherryLoader and associated files. Two files were downloaded from that IP: a password-protected RAR file (Packed.rar) and an executable (main.exe) used to unpack Packed.rar.\r\nThe Packed.rar file contained a Golang binary (cherrytree.exe) along with three additional files: NuxtSharp.Data, Spof.Data, and Juicy.Data. Cherrytree.exe was stripped and had its import address table destroyed to hinder analysis efforts.\r\nUsing static analysis, a unique reference for the project was found, revealing the author’s original project name “XorRunPeGoler”.\r\nhttps://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/\r\nPage 1 of 13\n\nAfter CherryLoader and its associated files were extracted from the .rar file, the threat actors invoked CherryLoader using the following command:\r\nCherrytree.exe 405060EEw@! NuxtSharp.Data Spof.Data\r\nUpon execution, the binary checks the arguments passed to it and compares the first argument (password) against a hardcoded MD5 password hash. If the hashes match, the binary proceeds to the next step; if not, CherryLoader quits.\r\nThe binary then allocates memory to read and decrypt the file passed via the second argument (NuxtSharp.Data). The file is decrypted with a simple XOR algorithm.\r\nTo start the XOR loop, CherryLoader copies the XOR key “Kry” and allocates memory for the decrypted data. It then iterates over the NuxtSharp.Data file byte by byte and XORs each byte with the letter at the corresponding index in [“K”, “r”, “y”]. The index is reduced modulo 3 to avoid out-of-bounds access.\r\nNotably, the decryption algorithm does not depend on the entered password; the password check can therefore be patched out, rendering the password argument useless. The check is likely in place to deter analysis of the file. A Python script demonstrating the decryption process can be found in the appendix.\r\nAfter the XOR loop completes and the file (NuxtSharp.Data) has been decrypted in memory, GetProcAddress is used to dynamically locate CreateFileW, which saves the decrypted file as File.log in the %TEMP% directory.\r\nAfter saving File.log to disk, the sample dynamically locates the CreateProcessW function to run cmd.exe which, in turn, runs File.log as its child process:\r\ncmd.exe /c File.log Spof.Data 123 12.log\r\nAfter launching the cmd.exe process, CherryLoader dynamically locates and calls DeleteFileW and RemoveDirectoryW to remove its artifacts from the %TEMP% directory.\r\nFile.log (a.k.a. NuxtSharp.Data)\r\nFilename: File.log\r\nSHA256: e0f53fb3651caf5eb3b30603064d527b9ac9243f8e682e4367616484ec708976\r\nFile.log is a PE file written in C and appears to have symbols referring to an original project named NuxtSharp. File.log represents the next stage in the attack chain, which begins by decrypting Spof.Data.\r\nDecrypting the Spoofer\r\nCherryLoader runs File.log as a process with three additional arguments. The main function of the File.log executable passes those arguments to a function that later decrypts and loads the binary from memory.\r\nFile.log starts by creating a file named 12.log (the last argument specified on the command line). File.log then opens the encrypted Spof.Data file (first argument) and reads the data into a buffer for decryption.\r\nSpof.Data is encrypted using AES ECB (Rijndael); the key “123” was passed as the second argument in the initial command line.\r\nNotably, one of the other files found with CherryLoader, Juicy.Data, used the same encryption algorithm and key. Arctic Wolf has created a Python script that will aid in decrypting both Spof.Data and Juicy.Data; the script can be found in the appendix.\r\nEvasion Attempt (Process Ghosting)\r\nOnce File.log has completed the decryption of Spof.Data, it attempts to create a new process named 12.log using a fileless technique known as process ghosting. This technique is modular in design and allows the threat actor to leverage other exploit code in place of Spof.Data. In this case, Juicy.Data, which contains a different exploit, can be swapped in without recompiling File.log.\r\nThe process ghosting technique starts by creating a file using the CreateFile API with the DELETE flag set in its dwDesiredAccess parameter.\r\nThen, it uses the NtSetInformationFile API with a FileInformation parameter that points to a FILE_DISPOSITION_INFORMATION structure; this structure has a single Boolean member, DeleteFile, which, when set, causes the operating system to delete the file when its last handle is closed.\r\nFile.log then writes the decrypted binary into the newly created file using the WriteFile API and creates an image section from it using NtCreateSection.\r\nOnce the image section is created, it uses CreateFileMappingA and MapViewOfFile to map the created file into memory.\r\nAfter creating the file mapping, it closes the handles to the mapped file, resulting in the deletion of the previously created file.\r\nFile.log then creates a new process from the previously mapped section.\r\nOnce the process has been created, File.log retrieves the environment variables using CreateEnvironmentBlock and uses RtlCreateProcessParameters to build the arguments and environment of the newly created process.\r\nBefore creating a new thread of execution, File.log allocates memory in the newly created process using VirtualAllocEx and calls WriteProcessMemory and ReadProcessMemory to write the base address, process parameters, and environment data into the newly allocated memory.\r\nFinally, it creates a new thread using a handle to the newly created process and the NtCreateThreadEx function to start the execution of the 12.log process.\r\nAfter successful thread creation, it prints “Success – Threat ID” to the terminal, with an ironic misspelling: “Threat” instead of “Thread”.\r\nPrivilege Escalation\r\nThe newly created process 12.log (Spof.Data) is linked to a publicly available privilege escalation tool named PrintSpoofer that abuses the SeImpersonatePrivilege on Windows 10 and Server 2016/2019. The strings in the binary contained the name of the author of the PrintSpoofer tool.\r\nSimilarly, based on the file’s strings, Juicy.Data was another publicly available privilege escalation tool, JuicyPotatoNG.\r\nThe encrypted Spof.Data and Juicy.Data executables had three things in common:\r\nThey were both publicly available privilege escalation tools.\r\nTheir naming convention followed the original project name:\r\nOpen source PrintSpoofer was named Spof.Data\r\nOpen source JuicyPotatoNG was named Juicy.Data\r\nThey both attempt to run user.bat after successfully escalating privileges.\r\nPersistence\r\nAfter successfully escalating privileges, Spof.Data and Juicy.Data attempt to run a batch file script called user.bat. The batch file script is not obfuscated and performs the following:\r\nCreates an administrator account with the misspelled username Administrater and the password 102030TTYG@\r\nWhitelists the exe process in Microsoft Defender (ngrok is a reverse proxy, which can be used to connect to an internal service that is not exposed externally or allowed through an external firewall)\r\nSets an exclusion for .exe files in Windows Defender\r\nDisables Microsoft Defender AntiSpyware (effectively disabling Windows Defender)\r\nEnables remote connections and adds firewall rules to allow RDP connections on port 3389\r\nRestarts the Windows service termservice (Remote Desktop Services)\r\nThe goal of this stage is to establish persistence on the victim’s machine.\r\nConclusion\r\nCherryLoader is a newly identified multi-stage downloader that leverages different encryption methods and other anti-analysis techniques in an attempt to detonate alternative, publicly available privilege escalation exploits without having to recompile any code.\r\nEncryption methods include simple XOR as well as AES; anti-analysis techniques include a password check and process ghosting; exploits in the package analyzed include PrintSpoofer and JuicyPotatoNG.\r\nArctic Wolf is committed to ending cyber risk, and when active intrusions are identified we are quick to protect our customers. In response to the intrusion, Arctic Wolf has detections in place to alert upon malicious activity from CherryLoader and the accompanying modules.\r\nCustomers can further protect their systems by regularly patching their software, limiting the ability to create administrator accounts or auditing their creation, auditing firewall modifications, auditing the disablement of Windows Defender, auditing Remote Desktop services, and auditing the use of reverse proxy tools like ngrok.\r\nAppendix\r\nXOR Decryption Script for NuxtSharp.Data\r\nThe following Python script performs the same decryption function as Cherrytree.exe. It XORs each byte with one of the three characters in the [“K”, “r”, “y”] array:\r\nfrom pathlib import Path\r\nkey = \"Kry\"\r\nfile = Path(\"NuxtSharp.Data\")\r\nwith file.open(\"rb\") as enc_file:\r\n    dec_file = Path(\"dec_NuxtSharp\")\r\n    file_content = enc_file.read()\r\n    kry_index = 0\r\n    with dec_file.open('wb') as decrypted_file:\r\n        for enc_byte in file_content:\r\n            # XOR each byte with the key character at the current index, cycling through K, r, y\r\n            dec_byte = bytes([enc_byte ^ ord(key[kry_index])])\r\n            decrypted_file.write(dec_byte)\r\n            kry_index = (kry_index + 1) % 3\r\nAnother way to reach the same conclusion is by inspecting the encrypted file directly: since XOR with a null byte yields the key byte itself, the XOR key shows up wherever the original file contained null bytes, as seen in the following figure.\r\nAES Decryption Script for Spof.Data and Juicy.Data\r\nThe following Python script performs the same decryption function as File.log. 
It uses the AES ECB algorithm and the provided AES key to do so.\r\n#command line to decrypt Spof.Data\r\ndecrypt_file.py -f Spof.Data -k 123\r\n#command line to decrypt Juicy.Data\r\ndecrypt_file.py -f Juicy.Data -k 123\r\nfrom Crypto.Cipher import AES\r\nfrom pathlib import Path\r\nimport click\r\n@click.command()\r\n@click.option(\"-k\", \"--key\", required=True, help=\"AES Key for ECB Decryption\")\r\n@click.option(\"-f\", \"--file\", required=True, help=\"File to decrypt\")\r\ndef decrypt(file, key):\r\n    file = Path(file)\r\n    if not file.exists():\r\n        print(\"[!] File does not exist.\")\r\n        return\r\n    output_file_name = \"decrypted_\" + file.name\r\n    output_file = Path(output_file_name)\r\n    # the short key (e.g. \"123\") is right-padded with null bytes to the 16-byte AES key size\r\n    key = bytes(key, 'utf-8').ljust(16, b'\\0')\r\n    ecb = AES.new(key, AES.MODE_ECB)\r\n    with file.open('rb') as encrypted_file:\r\n        output_file.write_bytes(ecb.decrypt(encrypted_file.read()))\r\nif __name__ == \"__main__\":\r\n    decrypt()\r\nIndicators of Compromise (IOCs)\r\nIndicator Type Context\r\n141.11.187[.]70 IP Address IP used to download Packed.rar and main.exe\r\n50f7f8a8d1bd904ad7430226782d35d649e655974e848ff58d80eafedd377ee9 SHA256 main.exe\r\nf9373383d2a1cea0179d016b4496475d44262945ab5fb6ff28cd156187c6ff6a SHA256 Packed.rar\r\n8c42321dd19bf4c8d2ef11885664e79b0064194e3222d73f00f4a1d67672f7fc SHA256 cherrytree.exe/CherryLoader\r\n7936b3d7d512c3a89914595c5048bce3c07bb872af59304fed95c567694230b0 SHA256 NuxtSharp.Data (Encrypted)\r\ne0f53fb3651caf5eb3b30603064d527b9ac9243f8e682e4367616484ec708976 SHA256 NuxtSharp.Data (Decrypted)\r\n08b8d8f8317936dad4f34676823b2eeb4fe99b0f4c213224e035b403e1e76cc0 SHA256 Spof.Data (Encrypted)\r\n92263e5085cb3fe58fd5803536c80c5c1084500c79fc026367a15b0f04ca0142 SHA256 Spof.Data/PrintSpoofer (Decrypted)\r\n9e6338674cd29066a4daad4ac54f01d272040d4947de39cfdf562e59af7c1318 SHA256 Juicy.data/JuicyPotatoNG (Encrypted)\r\n3641f3ddeb7583051f81ac15542850a1fba7591372389411a4b86363fdf02e78 SHA256 Juicy.Data (Decrypted)\r\n438c7ef49fbadd67bf809f7e3e239557e1d18d4c80e42c57f9479a89e3672fd9 SHA256 User.bat\r\nBy Hady Azzam, Christopher Prest, and Steven Campbell\r\nHady Azzam | Senior Security Researcher\r\nHady is a Senior Security Researcher at Arctic Wolf Labs focusing on malware analysis and detection research. He has over six years of cumulative experience in reverse engineering and a strong passion for novel security research.\r\nChristopher Prest | Lead Security Researcher\r\nChristopher is a Lead Security Researcher and a 17-year veteran in software and application security development, coupled with 2 years of cutting-edge detection engineering and security research. A seasoned expert, Christopher focuses on malware analysis and reverse engineering to shape the future of cybersecurity.\r\nSteven Campbell | Senior Threat Intelligence Researcher\r\nSteven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.\r\nSource: https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions/"
	],
	"report_names": [
		"cherryloader-a-new-go-based-loader-discovered-in-recent-intrusions"
	],
	"threat_actors": [],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff9f29a3272bad9e68571b7b518af63af27b64f5.pdf",
		"text": "https://archive.orkl.eu/ff9f29a3272bad9e68571b7b518af63af27b64f5.txt",
		"img": "https://archive.orkl.eu/ff9f29a3272bad9e68571b7b518af63af27b64f5.jpg"
	}
}