← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Post-Quantum Crypto in a Go Trojan: A Garble-Obfuscated ASUS DLL Ships ML-KEM, a Fabricated DigiCert Chain, and Azure + Firebase C2
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
8
IOCs
LOW VOLUME
On April 9, 2026, a Go-compiled Windows DLL trojan was submitted to VirusTotal, which is identified by multiple detection platforms as WinGo/Agent_AGen.ACA and Trojan:Win32/Wacatac.B!ml. Packaged as an ASUSTeK Gaming Host Detection utility, it features significant obfuscation through Garble and contains a fabricated DigiCert Authenticode signature. Its distinct use of post-quantum cryptography, specifically ML-KEM alongside ChaCha20-Poly1305, is notably unusual for malware, as adoption of such technology in this context is largely absent from existing public records.
threat intelligencemalware analysisc2 infrastructureapt campaignsiocsyara rulesreverse engineeringcybersecurity researchmlkemcode signingazure webappsgarbleaeadhkdfsamplecrypto stackchainaprilaugusttemplate
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (8)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 SSLCertFingerprint domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 3271ee162568f50a6810be9b8973807f 2026-04-26
FileHash-MD5 85425de806a7373a22ce968eef1a561d 2026-04-26
FileHash-MD5 aad2f0b1a1de74557ffa6d6f9ef46170 2026-04-26
FileHash-SHA1 8930835f206921ae0db300f2ea7c69655e57523a 2026-04-26
FileHash-SHA256 328e097831c74290f102dcf11c41bc4b7b82a37681d8df3690783ea8a9e3bebc 2026-04-26
FileHash-SHA256 54c4d3d318017005f0f9faa89a3d04dcdfa348238fb6dfe72ba40356dd6d447d 2026-04-26
SSLCertFingerprint 26:44:73:dd:e1:e0:05:2b:ec:d0:46:c4:a6:8d:4f:a8:ad:11:a6:1f 2026-04-26
domain ck-3d80df5d12cdfe6450a782fc87bf66b444.google 2026-04-26
References (1)
↗ https://intel.breakglass.tech/post/wingo-post-quantum-garble-trojan-asus-dll-sideload