GoLoader at Industrial Scale: Two Unauthenticated Builder Panels, 468K Polymorphic Samples, Steganographic .NET Loaders, and a Cracked njRAT Config Pointing to a Chinese XWorm Operator
TLP: WHITE | Author: PetrP.73 | Created: 2026-04-26 | Modified: 2026-05-26 | MEDIUM VOLUME
Recent investigations uncovered two unauthenticated GoLoader builder panels at IP addresses 121.127.246.86 and 118.107.6.148, both operational since at least January 2026. These panels have generated approximately 468,349 unique polymorphic Windows malware samples using a range of techniques, including steganography and process hollowing. The panels require no login and expose their full API to anyone who reaches them. They actively manage 71 tasks and have been observed pushing malicious payloads to a publicly accessible Alibaba Cloud storage bucket hosting 652 files totalling about 867 MB, including steganographic PNG carriers, VBS scripts, and Chinese-language social engineering lures targeting cryptocurrency investors.
Indicators of Compromise (22)
TYPE  INDICATOR  DESCRIPTION  CREATED
FileHash-SHA256 01e294c52ddfdf020f27bc8087cd0cba195c086b5c813ee6cd56dde3ba04c0ef 2026-04-26
FileHash-SHA256 41f5cf259dcbd2f11f9e3ba7e69aa9321f779bdbec565f1c5a0ede228c6fa793 2026-04-26
FileHash-SHA256 47e0b431759b881b2928d6944990107dfce28db982b1641eb410e75c0b0a3003 2026-04-26
FileHash-SHA256 cd211c0f3bea9f37bea80d2cf0574348b3ae37b8008967e2d30bd0f9cabbd540 2026-04-26
FileHash-SHA256 ff78ce69e42cdd4f4afe1b1e28eab1edf794473de3fc53fa92cf269e2b790c12 2026-04-26
FileHash-SHA256 ff9dfa375086a0aa129ceda98f6cdefb4eef56ee044c013e6f8119c29ff56eaa 2026-04-26
URL http://118.107.6.148:8081 2026-04-26
URL http://121.127.246.86:8081 2026-04-26
URL http://151.242.152.198/0.p.txt 2026-04-26
URL http://45.64.52.170:5000 2026-04-26
URL http://laohe1.myvnc.com:5000 2026-04-26
YARA 0f5be50e0152c25fa45c05a5489015ee1d9a3ad6 Detects polymorphic VBS droppers generated by GoLoader panels (behavioral pattern, not hash-based) 2026-04-26
YARA 42a08fda0b79c61b60df44983eb6c1a6eeb83efc Detects GoLoader builder panel HTML served on port 8081 2026-04-26
YARA e1f4221779b156b608d7f46bceafd5d58133ba69 Detects LNK files using PowerShell DeflateStream with ZZZ delimiter for payload delivery 2026-04-26
domain http.host 2026-04-26
hostname c.fi3.me 2026-04-26
hostname laohe.myvnc.com 2026-04-26
hostname laohe1.myvnc.com 2026-04-26
hostname laohe2.myvnc.com 2026-04-26
hostname laohe3.myvnc.com 2026-04-26
hostname laohe4.myvnc.com 2026-04-26
hostname laohe5.myvnc.com 2026-04-26