HeaconLoad
HeaconLoad is a Golang downloader observed in a large-scale GitHub-based malware distribution campaign documented by Trend Micro. In that operation, attackers used more than 100 public GitHub repositories, SEO-stuffed README files, and fake download pages to distribute ZIP archives masquerading as legitimate software tools, utilities, and game cheats. HeaconLoad was delivered either as an additional payload alongside the BoryptGrab information stealer and other malware, or directly within some delivered bundles.
Trend Micro reported that HeaconLoad downloads and executes additional payloads, maintains persistence via registry entries and scheduled tasks, sends system information to a command-and-control server, and retrieves additional bundles when available. The broader infection chains in the campaign included DLL sideloading, VBS/PowerShell downloaders, and .NET loaders. The same campaign also delivered BoryptGrab, Vidar variants, and a PyInstaller backdoor named TunnesshClient. Supporting evidence cited by Trend Micro, including Russian-language comments and infrastructure artifacts, suggests the operators may be of Russian origin.
The high-confidence behavioral details that the source reporting directly attributes to HeaconLoad are: it is written in Go, functions as a downloader, downloads and runs additional payloads, persists through registry entries and scheduled tasks, and transmits host system information to its C2. The campaign primarily targeted Windows users seeking software tools or game cheats via GitHub-hosted lures and fake download pages.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Persistence: 2 techniques
Privilege Escalation: 3 techniques
Stealth: 2 techniques
Discovery: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Golang-based downloader/loader used to fetch and execute additional payloads in the campaign.
Golang downloader/loader used as an additional payload; maintains persistence via registry entries and scheduled tasks, sends system info to C2, and downloads additional bundles/payloads.