Goodor
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
This group avoids using custom malware, opting for commodity malware families that hinder attempts at applying attribution... • Use of commodity malware such as Goodor, DorShel, and Karagany | The chaining or combination of multiple legacy vulnerability exploits with exploitation of the newer Windows Zerologon vulnerability
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This group avoids using custom malware, opting for commodity malware families that hinder attempts at applying attribution... • Use of commodity malware such as Goodor, DorShel, and Karagany
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniqueThe StartA function then issues a system command to run this... CreateBat demonstrates a string load... containing a ping command... The end result is a .bat file written to disk.
Persistence
1 techniquePrivilege Escalation
2 techniquesThe chaining or combination of multiple legacy vulnerability exploits with exploitation of the newer Windows Zerologon vulnerability
Stealth
3 techniquesThe malware will also create a filename, ntdll.exe, and append it to this path.
The malware likely performs some sort of Base64 decoding and decryption... Decode, in turn, calls 'FromB64' and 'Decrypt.'... After stepping over the Decode function... this section will populate with the decoded and then decrypted data.
The dropped payload is a UPX-packed Windows executable. Filename: ntdll.exe
Command and Control
2 techniquesThe GetU function pulls one of five hardcoded C2 servers and appends an identifier string to it... The malware didn’t appear to call out to the C2 server during the GetHTTP call...
The malware contains a large block of Base64-encoded data... After stepping over the Decode function... this section will populate with the decoded and then decrypted data... it uses the WriteFile call to write the decoded executable to this location. The StartA function then issues a system command to run this.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Golang backdoor/dropper that decodes and decrypts an embedded payload, writes it to %AppData%\Roaming\NT\ntdll.exe, executes it, and creates a batch file to establish HKCU Run-key persistence, delete the initial dropper, and self-delete. The dropped payload builds HTTP GET requests to hardcoded C2 servers, appears to decode/decrypt additional data from responses, write it to disk, and execute it.
GOODOR is a malware backdoor used by DYMALLOY as part of its toolkit for long-term access and reconnaissance.
A commodity malware family reportedly used by Dymalloy/Berserk Bear to hinder attribution rather than relying on custom malware.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.