
GoldenSpy

Malware Dissection Playbook

The GoldenSpy hybrid is an evolution of the Chinese-linked GoldenSpy malware family, first exposed in 2020 inside tax software that foreign firms operating in China were required to install. The hybridized samples combine traits of GoldenSpy and GoldenEye: a backdoor delivered through financial software, a custom VM-style dispatcher that interprets the payload's logic as bytecode, and structured exception handler (SEH)-based anti-debugging.

Analysis

Execution Chain

  1. Loader installs the dispatcher component.

  2. Dispatcher uses custom VM-like handlers to interpret the payload's instructions.

  3. Registry tampering hides payload configuration.

  4. Payload is injected into a legitimate process (e.g., Internet Explorer).

Persistence

  • Run key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GoldenUpdate

  • File association hijack: HKCU\Software\Classes\.tmp\shell\open\command
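The execution chain and persistence entries above describe behaviour rather than static bytes, which is what a dynamic rule should key on. The following is an added example, not code from the page or from any published GoldenSpy analysis: it runs detection logic for the Run-key persistence, the .tmp file-association hijack and the injected iexplore.dll artifact over constructed Sysmon-style events. The event lines are made up for this example and are rendered as flat key=value text rather than Sysmon's XML; the "user-writable path" heuristic for generic Run-key writes is this example's own assumption, not a rule taken from the page.

```python
"""Detection logic for the persistence and injection artifacts on this page,
run over constructed Sysmon-style events. Added example: the events are made up,
the key=value layout is a simplification of Sysmon's XML, and the user-writable
path heuristic is an assumption of this example, not a rule from the page."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed events. EventID 13 = registry value set, 7 = image loaded, 11 = file create.
# Sysmon writes HKCU keys as HKU\<SID>\..., so the rules below accept both spellings.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\setup.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoldenUpdate Details=C:\ProgramData\GoldenEye\update.exe",
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\setup.exe TargetObject=HKU\S-1-5-21-1000\Software\Classes\.tmp\shell\open\command\(Default) Details=C:\ProgramData\GoldenEye\update.exe %1",
    r"EventID=7 Image=C:\Program Files (x86)\Internet Explorer\iexplore.exe ImageLoaded=C:\Program Files (x86)\Internet Explorer\iexplore.dll Signed=false",
    r"EventID=13 Image=C:\Program Files\Vendor\installer.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray Details=C:\Program Files\Vendor\tray.exe",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\bob\notes.txt",
]

# key=value pairs; a value runs until the next " Key=" token or end of line
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

RUN_KEY_RE = re.compile(
    r"^(?:HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# HKCU\Software\Classes\<ext>\shell\open\command, optionally with the (Default) value
ASSOC_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\SOFTWARE\\Classes\\(?P<ext>\.[^\\]+)\\shell\\open\\command(?:\\\(Default\))?$",
    re.IGNORECASE,
)
# Assumed heuristic: Run-key targets under these paths are suspicious even without a known name
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    rule: str
    severity: str
    target: str
    details: str


def parse_event(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line))


def analyze(events: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "13":
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            m = RUN_KEY_RE.match(target)
            if m:
                if m.group("value").lower() == "goldenupdate":   # named IOC from the page
                    findings.append(Finding("run_key_goldenupdate", "high", target, details))
                elif any(p in details.lower() for p in USER_WRITABLE):
                    findings.append(Finding("run_key_user_writable_path", "medium", target, details))
                continue
            m = ASSOC_RE.match(target)
            if m:
                # .tmp normally has no open handler, so a command under it is the page's IOC;
                # any other per-user shell\open\command write is still worth a look
                sev = "high" if m.group("ext").lower() == ".tmp" else "medium"
                findings.append(Finding("file_assoc_hijack", sev, target, details))
        elif eid == "7":
            loaded = ev.get("ImageLoaded", "")
            if loaded.lower().endswith("\\internet explorer\\iexplore.dll"):
                findings.append(Finding("injected_dll_iexplore", "high", loaded, ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.target} -> {f.details}")
```

Running the block flags the GoldenUpdate Run value, the .tmp handler and the iexplore.dll load, and stays silent on the vendor installer's Run key because its target lives under Program Files; the medium-severity generic rules are there so a renamed value name does not defeat the detection.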

Evasion

  • Custom VM-style dispatcher for obfuscation

  • SEH-based evasion against debuggers

  • Polymorphic string/config mutation
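The custom VM-style dispatcher and the polymorphic string mutation above work together: the payload's logic becomes bytecode fed to a handler table, and strings such as configuration paths are rebuilt at runtime rather than stored in the clear. The toy below is an added example, not GoldenSpy's real instruction set or any code from the page; its opcodes, encoding and handler layout are constructed. It shows the fetch-decode-dispatch shape an analyst sees in such samples, a builder that hides a string inside the bytecode, and the analyst-side disassembler and emulator that recover it.

```python
"""Toy stack VM with a handler-table dispatcher. Added example for this page:
the opcodes, encoding and handlers are constructed and are not GoldenSpy's."""

from typing import Callable, Dict, List

# Opcode values are an arbitrary per-sample choice; a family can renumber them
# per build, which is why signatures on the dispatcher itself are brittle.
OP_PUSH, OP_XOR, OP_EMIT, OP_JMP, OP_HALT = 0x10, 0x20, 0x30, 0x40, 0xFF


class VMState:
    def __init__(self, code: bytes) -> None:
        self.code = code
        self.pc = 0
        self.stack: List[int] = []
        self.out = bytearray()
        self.running = True


# One handler per opcode; each looks like an unrelated tiny function in a disassembler.
def h_push(s: VMState) -> None:   # push the next byte as an immediate
    s.stack.append(s.code[s.pc])
    s.pc += 1

def h_xor(s: VMState) -> None:    # pop two values, push their XOR
    a, b = s.stack.pop(), s.stack.pop()
    s.stack.append(a ^ b)

def h_emit(s: VMState) -> None:   # pop one value into the output buffer
    s.out.append(s.stack.pop())

def h_jmp(s: VMState) -> None:    # absolute jump to the address in the next byte
    s.pc = s.code[s.pc]

def h_halt(s: VMState) -> None:
    s.running = False

HANDLERS: Dict[int, Callable[[VMState], None]] = {
    OP_PUSH: h_push, OP_XOR: h_xor, OP_EMIT: h_emit, OP_JMP: h_jmp, OP_HALT: h_halt,
}


def run_vm(code: bytes) -> bytes:
    """Fetch-decode-dispatch loop: one indirect call per instruction. The real
    program is data in `code`, so emulating the loop is what recovers it."""
    s = VMState(code)
    while s.running:
        op = s.code[s.pc]
        s.pc += 1
        try:
            HANDLERS[op](s)
        except KeyError:
            raise ValueError(f"unknown opcode 0x{op:02x} at {s.pc - 1}") from None
    return bytes(s.out)


def assemble_xor_string(plaintext: bytes, key: int) -> bytes:
    """Emit a program that rebuilds `plaintext` at runtime. The literal never
    appears in the bytecode, so static string scanning does not see it."""
    prog = bytearray()
    for c in plaintext:
        prog += bytes([OP_PUSH, c ^ key, OP_PUSH, key, OP_XOR, OP_EMIT])
    prog.append(OP_HALT)
    return bytes(prog)


MNEMONICS = {OP_PUSH: ("push", 1), OP_XOR: ("xor", 0), OP_EMIT: ("emit", 0),
             OP_JMP: ("jmp", 1), OP_HALT: ("halt", 0)}


def disassemble(code: bytes) -> List[str]:
    """Analyst-side listing once the handler semantics are known.
    Bytes that are not a known opcode are shown as data."""
    lines: List[str] = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        name, nargs = MNEMONICS.get(op, ("db", 0))
        if name == "db":
            lines.append(f"{pc:04x}: db 0x{op:02x}")
            pc += 1
            continue
        args = code[pc + 1 : pc + 1 + nargs]
        lines.append(f"{pc:04x}: {name}" + "".join(f" 0x{a:02x}" for a in args))
        pc += 1 + nargs
    return lines


if __name__ == "__main__":
    prog = assemble_xor_string(b"config.dat", 0x5A)
    print("\n".join(disassemble(prog)))
    print(run_vm(prog))
```

The point for detection is the last two functions: a string rule on the sample finds nothing, while emulating the dispatcher (or hooking its output buffer at runtime) yields the decoded configuration, which is why the page's note favours dynamic logic over static indicators for this family.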

Networking

  • Finance-themed update domains (hxxp://update-gov.cn, hxxp://finance-update.org)

  • HTTPS callbacks with disguised headers

  • Use of VPS infra for agility

IOCs and Artifacts

This collection highlights key artifacts and IOCs we consider most relevant for analysts developing detection rules or conducting research. For YARA rules, please refer to the community repository.

 

Note: We do not publish or accept file hashes unless they are used to illustrate a specific malware technique or reference research (either our own analysis or external sources). Our focus is on dynamic detection logic and deeper research, rather than relying solely on static indicators.

File Artifacts 

  • C:\Program Files (x86)\Internet Explorer\iexplore.dll (Injected DLL)

  • %ProgramData%\GoldenEye\config.dat (Encrypted config)

 

Registry Persistence 

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GoldenUpdate

  • HKCU\Software\Classes\.tmp\shell\open\command

 

Domains 

  • hxxp://update-gov.cn 

  • hxxp://finance-update.org

 

IPs 

  • hxxp://45.77.12.200

  • hxxp://104.168.128.55
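The domains and IPs above are written defanged, with the scheme and stray spaces that defanging leaves behind, so they cannot be matched against logs as-is. The following added example (not the page's code) normalizes the page's indicators exactly as printed into bare hosts, separates IPs from domains, and matches them against constructed proxy log lines; the four-column log layout (timestamp, client, destination host, destination IP) is an assumption of the example.

```python
"""Refang this page's network indicators and match them against proxy logs.
Added example: the log lines are constructed and the column layout is assumed."""

import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as they appear on this page, spacing included.
RAW_IOCS = [
    "hxxp://update-gov.cn",
    "hxxp:// finance-update.org",
    "hxxp:// 45.77.12.200",
    "hxxp:// 104.168.128.55",
]

# Constructed proxy log lines: timestamp client dst_host dst_ip
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z 10.0.0.12 cdn.example.net 203.0.113.7",
    "2025-01-10T09:00:05Z 10.0.0.12 finance-update.org 104.168.128.55",
    "2025-01-10T09:00:09Z 10.0.0.31 api.update-gov.cn 198.51.100.9",
    "2025-01-10T09:00:12Z 10.0.0.31 notupdate-gov.cn 198.51.100.10",
    "2025-01-10T09:00:20Z 10.0.0.40 203.0.113.55 45.77.12.200",
]

_SCHEME = re.compile(r"^h(?:xx|tt)ps?://\s*", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Reduce a defanged indicator ('hxxp:// host', 'host[.]tld') to a bare lowercase host."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = _SCHEME.sub("", s)
    host = s.split("/", 1)[0].split("@")[-1]   # drop any path and userinfo
    host = host.split(":", 1)[0]               # drop a port; IPv4/hostnames only, as on this page
    return host.strip().lower().rstrip(".")


def build_watchlist(raw: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split refanged indicators into (domains, ips)."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for item in raw:
        host = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return domains, ips


def host_matches(host: str, domains: Set[str]) -> str:
    """Exact or subdomain match only: 'notupdate-gov.cn' must not hit 'update-gov.cn'."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return ""


def scan(log_lines: List[str], raw_iocs: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination host or IP is on the watchlist."""
    domains, ips = build_watchlist(raw_iocs)
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, dst_host, dst_ip = parts
        hit = host_matches(dst_host, domains)
        if not hit and dst_ip in ips:   # direct-to-IP callbacks have no hostname to match
            hit = dst_ip
        if hit:
            hits.append({"ts": ts, "client": client, "indicator": hit, "dst": dst_host})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, RAW_IOCS):
        print(f"{h['ts']} {h['client']} -> {h['dst']} (matched {h['indicator']})")
```

Matching on the destination IP as well as the hostname matters for the "HTTPS callbacks" case: a TLS CONNECT to a bare IP carries no hostname in the proxy log, and the subdomain rule catches hosts under a listed domain without the false positive a substring match would produce.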


Patterns

  • Custom VM-style dispatcher

  • SEH-based evasion

References:

Note: Much of the analysis presented here was gathered by our analysts and is drawn from Into the Hex: A Security Analysts’ Anthology of Malware by Frank M. Galambos (2025).


Supporting resources:

Trustwave SpiderLabs – GoldenSpy: Chinese Tax Software with a Hidden Backdoor (initial discovery, 2020).
Trustwave SpiderLabs – GoldenSpy Evolves: Uninstallers & Variants (follow-up analysis of adaptations).
Fox-IT (NCC Group) – ShadowPad: Stealthy Backdoor for Long-Term Espionage (comparison of modular backdoors).
Secureworks – Research on Chinese VM-dispatcher style malware overlaps (PlugX, ShadowPad, GoldenSpy evolutions).
