Post-Quantum Crypto in a Go Trojan: A Garble-Obfuscated ASUS DLL Ships ML-KEM, a Fabricated DigiCert Chain, and Azure + Firebase C2
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
8 IOCs (LOW VOLUME)
On April 9, 2026, a Go-compiled Windows DLL trojan was submitted to VirusTotal; multiple detection platforms identify it as WinGo/Agent_AGen.ACA and Trojan:Win32/Wacatac.B!ml. Packaged as an ASUSTeK Gaming Host Detection utility, it is significantly obfuscated with Garble and carries a fabricated DigiCert Authenticode signature. Its use of post-quantum cryptography, specifically ML-KEM alongside ChaCha20-Poly1305, is notably unusual for malware: adoption of such technology in this context is largely absent from existing public records.
Indicators of Compromise (3 / 8 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 3271ee162568f50a6810be9b8973807f 2026-04-26
FileHash-MD5 85425de806a7373a22ce968eef1a561d 2026-04-26
FileHash-MD5 aad2f0b1a1de74557ffa6d6f9ef46170 2026-04-26