NEWS Gigabytes of emptiness. How hackers hide viruses in giant files and deceive antivirus

pinkman

BOSS
Staff member
ADMIN
LEGEND
ULTIMATE
SUPREME
MEMBER
BFD Legacy
Joined
Feb 3, 2025
Messages
2,253
Reaction score
19,012
Deposit
0$
An old trick worked again where defenders were expecting elaborate camouflage.

Sometimes the easiest way to hide malware relies not on sophisticated disguise but on sheer excess "weight", and this is exactly the technique used by GoFlateLoader, a Go-based loader that delivers the infostealers Lumma, Vidar, StealC, Amatera, Remus and other malware.

GoFlateLoader does not look technically sophisticated. There is no anti-debugging, no virtual-machine detection, no obfuscation of API calls and no complex logic masking. The loader acts straightforwardly: it takes an encoded malicious component from the .rdata section, decodes it in several stages, reconstructs the executable PE file and runs it directly in memory.

The core technique of GoFlateLoader is a huge PE overlay, an additional block of data appended to the end of the executable file. Samples are typically inflated to 700-950 MB, mostly with zero bytes, sometimes with random garbage. In an archive such a file compresses very well, which makes it convenient for the attackers to distribute, while security products and automated sandboxes may not inspect the file deeply because of file-size limits.

Gen Threat Labs links the spread of GoFlateLoader to cracked software packages and a malicious traffic direction system (TDS) that Check Point Research has studied previously. That system leads victims to pages with password-protected archives, with the password shown separately. Automated scanners that do not have the password cannot always extract and check the contents.

After launch, GoFlateLoader manually maps the malicious PE file into memory and transfers control to it via syscall.Syscall with dummy arguments 1, 2, 3 and 4. Such a pattern looks unusual and can help with detection, especially together with the other indicators: a large overlay, an encoded payload stored in .rdata and the characteristic sequence of manual PE loading.

Since April 2026, Gen Threat Labs says it has protected more than 33 thousand unique users from GoFlateLoader, according to its own data. Most cases were observed in Brazil, India, Argentina, Mexico, Turkey and Spain.

To reduce the risk, the researchers advise strictly restricting the installation of cracked software, blocking the known pages of malicious TDS and configuring sandboxes so that they unpack large compressed files and password-protected archives when the password is shown on the download page.
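As an added example (not code from Gen Threat Labs or from the GoFlateLoader report), the Python script below does the check a triage pipeline would want for the overlay trick described above: it walks the PE section table to find where the last section ends, measures the overlay that follows, and flags an overlay that dominates the file and consists of low-entropy filler. It also compresses the overlay to show why such a sample shrinks to almost nothing inside an archive. The detection thresholds, the synthetic PE builder and the 1 MB of padding (real samples are 700-950 MB) are assumptions made for this demonstration.

```python
import math
import struct
import zlib

# Thresholds are assumptions for this example, not figures from the report.
MIN_OVERLAY_RATIO = 0.5    # overlay makes up more than half of the file
MAX_PADDING_ENTROPY = 1.0  # bits per byte; zero or repeated padding scores near 0


def pe_overlay_info(data: bytes) -> dict:
    """Locate the PE overlay (bytes past the last section) and characterise it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_opt_hdr

    # The overlay starts after the highest PointerToRawData + SizeOfRawData.
    end_of_sections = section_table + 40 * num_sections
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, section_table + 40 * i + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)

    overlay = data[end_of_sections:]
    n = len(overlay)
    entropy = 0.0
    zero_fraction = 0.0
    if n:
        counts = [overlay.count(bytes([b])) for b in range(256)]
        entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
        zero_fraction = counts[0] / n
    compressed = len(zlib.compress(overlay, 6)) if n else 0

    return {
        "file_size": len(data),
        "overlay_offset": end_of_sections,
        "overlay_size": n,
        "overlay_ratio": n / len(data),
        "zero_fraction": zero_fraction,
        "entropy": entropy,
        "compressed_size": compressed,
    }


def is_padded_overlay(info: dict) -> bool:
    """Flag an overlay that dominates the file and is low-entropy filler."""
    return (info["overlay_ratio"] > MIN_OVERLAY_RATIO
            and info["entropy"] < MAX_PADDING_ENTROPY)


def make_sample_pe(overlay: bytes) -> bytes:
    """Build a constructed, minimal PE32+ shell with one section and append an overlay.

    Synthetic test input only: it carries no code and is not a runnable program;
    it exists so the parser above has realistic headers to walk.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    size_opt_hdr = 0xF0                                      # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_opt_hdr, 0x22)
    opt = bytearray(size_opt_hdr)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".rdata", raw_size, 0x1000,
                          raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + section
    image = headers.ljust(raw_ptr, b"\0") + b"\xAA" * raw_size  # section body
    return bytes(image) + overlay


if __name__ == "__main__":
    # Constructed sample: a tiny PE followed by 1 MB of zero padding.
    sample = make_sample_pe(b"\0" * (1 << 20))
    report = pe_overlay_info(sample)
    for key, value in report.items():
        print(f"{key:16} {value}")
    print("padded overlay:", is_padded_overlay(report))
```

To run it against a real sample, pass `open(path, "rb").read()` to `pe_overlay_info`; for multi-hundred-megabyte files the byte counting is still linear, but read the file with `mmap` if memory is tight. The entropy test is what separates the zero-padding variant from a legitimate installer that carries a high-entropy archive in its overlay; samples padded with random garbage instead would only trip the size-ratio part of the rule, so treat the ratio alone as a weaker signal.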