GoExec
GoExec is a Golang-based remote execution tool used to execute commands on other connected remote endpoints within a victim network, including via WMI and DCOM. Cisco Talos reported its use by the threat actor UAT-8837, which Talos assesses with medium confidence to be a China-nexus actor focused on obtaining initial access to high-value organizations and targeting critical infrastructure sectors in North America since at least 2025. In UAT-8837 intrusions, GoExec was part of a broader post-compromise toolset used after access was gained through exploitation of vulnerable servers or compromised credentials, including exploitation of Sitecore CVE-2025-53690. Talos reported that UAT-8837 used Impacket, Invoke-WMIExec, GoExec, and SharpWMI interchangeably for remote command execution and cycled through these tools when detection blocked execution. The surrounding activity included reconnaissance, credential and Active Directory information collection, disabling RDP RestrictedAdmin, and hands-on-keyboard post-exploitation. The source reporting provided no standalone infection vector or malware-specific indicators of compromise for GoExec beyond its observed operational use as a remote execution utility.
Groups observed using it
1 distinct threat actor attributed by public researchers.
GoExec, a Golang-based tool to execute commands on other connected remote endpoints within the victim's network
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique: Impacket, to run commands with elevated privileges ... GoExec, a Golang-based tool to execute commands on other connected remote endpoints within the victim's network
Discovery
1 technique: UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations
Lateral Movement
1 technique: “GoExec, a remote execution tool, was described as ‘likely an on-the-fly decision by the operator’...”
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A Go-based remote execution tool used for executing commands on remote systems as part of lateral movement.
A Golang-based remote execution tool used to run commands on other endpoints inside the victim network.
Go-based remote execution utility leveraging WMI/DCOM to run commands on other endpoints using credentials or NTLM hashes.