← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Post-Quantum Crypto in a Go Trojan: A Garble-Obfuscated ASUS DLL Ships ML-KEM, a Fabricated DigiCert Chain, and Azure + Firebase C2
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
8
IOCs
LOW VOLUME
On April 9, 2026, a Go-compiled Windows DLL trojan was submitted to VirusTotal, which is identified by multiple detection platforms as WinGo/Agent_AGen.ACA and Trojan:Win32/Wacatac.B!ml. Packaged as an ASUSTeK Gaming Host Detection utility, it features significant obfuscation through Garble and contains a fabricated DigiCert Authenticode signature. Its distinct use of post-quantum cryptography, specifically ML-KEM alongside ChaCha20-Poly1305, is notably unusual for malware, as adoption of such technology in this context is largely absent from existing public records.
threat intelligencemalware analysisc2 infrastructureapt campaignsiocsyara rulesreverse engineeringcybersecurity researchmlkemcode signingazure webappsgarbleaeadhkdfsamplecrypto stackchainaprilaugusttemplate
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (1 / 8 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 SSLCertFingerprint domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 8930835f206921ae0db300f2ea7c69655e57523a 2026-04-26
References (1)
↗ https://intel.breakglass.tech/post/wingo-post-quantum-garble-trojan-asus-dll-sideload