Closed as not planned
Labels: vulncheck or vulndb (Issues for the x/vuln or x/vulndb repo)
Description
During routine inspection and monitoring of system behavior, we detected suspicious activity linked to the execution of the file downloaded from the official Go distribution URL:
https://dl.google.com/go/go1.23.9.windows-386.zip
Upon further analysis, indicators suggest that this package (specifically the executable within) may be associated with potentially malicious behavior. Key observations include:
- The file was executed by a parent process with an obfuscated or random-looking name, often a tactic seen in malware deployment.
- Files with suspicious naming patterns were created under %TEMP% and %APPDATA% (e.g., 2025-05-07_5332e15068faad79ee084d193811b47e_elex_frostygoop_sliver_snatch.exe).
- Additional artifacts were found in the user’s Roaming directory, indicating possible persistence or exploitation routines (e.g., buildid@go1.23.9-go1.23.9-windows-386-2025-05-21.v1.count).
- No digital signature validation was performed on the extracted binaries, raising integrity concerns.
Reported by:
TCBS Cybersecurity Team
Date: May 21, 2025