Offensive Golang Bonanza: Writing Golang Malware

Conference:  Defcon 29



The presentation discusses the use of Golang in malware development and its advantages over other programming languages.
  • Golang is a popular programming language for malware developers due to its built-in libraries and cross-compilation capabilities.
  • Golang binaries include a monolithic runtime, making it difficult for AV companies to create signatures for them.
  • The community of Golang security experts has grown rapidly, sharing ideas and developing new tools.
  • An anecdote is shared about how AV companies had trouble creating signatures for Golang binaries, including legitimate orchestration tools like Docker and Terraform.
AV companies had trouble creating signatures for Golang binaries, including legitimate orchestration tools like Docker and Terraform, due to the inclusion of the Golang runtime. This led to the community of Golang security experts growing rapidly and sharing ideas.


The past two years have seen the rise of Golang-based malware from its beginnings as a way to win at CCDC and red team engagements to its current use by actual threat actors. This talk will break down why Golang is so useful for malware with a detailed tour through the available components used for exploitation, EDR and NIDS evasion, and post-exploitation, by one of the main authors of the core components. Although focused on the offensive perspective, there will be valuable insights into the challenges in detecting Golang malware. Interested in learning Golang? Interested in writing or detecting malware? This is your invitation into the weird and wonderful world of Golang malware. REFERENCES: List of Golang Security Tools: https://github.com/Binject/awesome-go-security C-Sto: https://github.com/c-sto/goWMIExec https://github.com/C-Sto/BananaPhone https://github.com/C-Sto/gosecretsdump capnspacehook: https://github.com/capnspacehook/pandorasbox https://github.com/capnspacehook/taskmaster Vyrus / gscript crew: https://github.com/gen0cide/gscript https://github.com/vyrus001/go-mimikatz https://github.com/vyrus001/msflib secretsquirrel / Josh Pitts: https://github.com/secretsquirrel/the-backdoor-factory https://github.com/Genetic-Malware/Ebowla https://github.com/secretsquirrel/SigThief https://github.com/golang/go/issues/16292 malwareunicorn on OSX loading: https://malwareunicorn.org/workshops/macos_dylib_injection.html Misc: https://github.com/sassoftware/relic https://github.com/EgeBalci/sgn https://github.com/moonD4rk/HackBrowserData https://github.com/emperorcow/go-netscan https://github.com/CUCyber/ja3transport https://github.com/swarley7/padoracle Command and Control: https://github.com/BishopFox/sliver https://github.com/DeimosC2/DeimosC2 https://github.com/t94j0/satellite Obfuscation/RE: https://github.com/unixpickle/gobfuscate https://github.com/mvdan/garble https://github.com/goretk/redress Of interest for defense, but breaks Docker & Terraform: https://github.com/unsecureio/gokiller