GoLang written malware becomes a growing trend

July 1, 2021
golang malware PSYA ransomware backdoor chachi image 1

A recent cybersecurity report says there’s been a 2,000% increase in the number of new malware written using the GoLang programming language since 2017. Both state-sponsored and non-state threat actor groups have written the GoLang-based malware and are actively adding this to their toolset.

  • The PSYA ransomware is one of the newest malware found and currently being tracked by cybersecurity researchers.
  • The PSYA targets the healthcare and education sector organizations in the US utilizing a new remote access trojan (RAT) dubbed ChaChi.
  • The malware is written using the GoLang programming language by threat actors steering away from C and C++-based malicious codes due to the language’s agility and ease of cross-platform coding offered by the language.
  • This ease the targeting of Windows, Linux, and Mac using the same malware codebase
  • Recently, the FBI released a warning due to the rise in PSYA cyber attacks against schools in the UK and the US.


More information on ChaChi remote access trojan

Initially, ChaChi had low-level capabilities and had poor obfuscation and no port-forwarding and DNS tunnelling. The recent versions being tracked can now perform as well as other well-known RAT. From backdoor creation, stealing data, DNS tunnelling, credential dumping using the LSASS (Windows Local Security Authority Subsystem Service), network mapping, and lateral movement across the internal networks.


According to the researchers, seeing malware written in GoLang was rare before 2019.

  • By the end of May 2021, a cybersecurity firm reported new ransomware, Epsilon Red, written in the GoLang programming language. It was targeting a US-based business in the Healthcare industry and Nucleus Software, an India-based IT firm.
  • Last 2020, the threat actors behind JSWorm ransomware have changes the malware’s codebase from C++ to GoLang.
  • Palo Alto found an estimated 10,700 unique malware samples written using the GoLang language, 92% of the samples were compiled for Windows.


Some of the most notorious ransomware and malware strains and variants are written in GoLang, including Nefilim, EKANS, and Robbinhood. In addition, Chinese and Russian state-sponsored hacking groups have been launching malware written solely in GoLang. Zeboracy and WellMess are two Russian malware, whereas Godlike12 and Go Loader are GoLang-based malware written by threat actors in China.

Malware authors that write using GoLang are on a steady rise. Still, educating the users and staff about these rising threats and keeping an eye on warnings released by the cybersecurity community and intelligence agencies are advised to maintain awareness and not get victimized.

About the author

Leave a Reply