GoLoader at Industrial Scale: Two Unauthenticated Builder Panels, 468K Polymorphic Samples, Steganographic .NET Loaders, and a Cracked njRAT Config Pointing to a Chinese XWorm Operator
TLP: WHITE | Author: PetrP.73 | Created: 2026-04-26 | Modified: 2026-05-26
22 IOCs
Recent investigations uncovered two unauthenticated GoLoader builder panels at the IP addresses 121.127.246.86 and 118.107.6.148, both operational since at least January 2026. These panels have generated approximately 468,349 unique polymorphic Windows malware samples, using techniques that include steganography and process hollowing. Because the panels require no login, their full API is exposed to anyone who can reach them. They actively manage 71 tasks and have been observed sending malicious payloads to a publicly accessible Alibaba Cloud storage bucket that hosts 652 files totalling about 867 MB. Those files include steganographic PNG carriers, VBS scripts, and Chinese-language social engineering lures aimed at cryptocurrency investors.
Indicators of Compromise (7 / 22 total)