S0477: Goopy
Analyst context for executives and security teams
Goopy matters because it is a Windows backdoor/Trojan associated in ATT&CK with APT32 and designed to look like a legitimate Google Updater executable. For leaders, the practical issue is not a single malware name; it is whether Windows endpoints, egress controls, mailbox evidence, and SOC workflows can recognize a disguised backdoor that may collect local data, persist via scheduled tasks, communicate over common protocols, and impair defensive tools.
Executive priority
Prioritize this as a validation case for endpoint resilience and investigation readiness. The ATT&CK relationships tie Goopy to collection, discovery, persistence, command execution, command-and-control over web/mail/DNS protocols, exfiltration over C2, and stealth behaviors such as binary padding, junk code insertion, masquerading, DLL abuse, mailbox data clearing, and tool modification. Executives should ask whether the organization can prove coverage for these behaviors with auditable telemetry, not just malware signatures or hash blocklists.
Technical view
Goopy is a Windows malware object with no official ATT&CK detection text. Defensive validation should therefore be behavior-led. SOC and detection teams should test visibility around suspicious Google Updater-like filenames/locations, scheduled task creation or modification, cmd.exe and Visual Basic execution, DLL loading patterns, native API-heavy execution, local data access, user/process discovery, mailbox artifact changes, security tool tampering, and outbound C2-like traffic over HTTP/S, mail protocols, and DNS. Because related techniques include binary padding and junk code insertion, static signatures and hash-only controls should be treated as insufficient on their own.
Likely telemetry
- Windows endpoint process creation and command-line logging, especially cmd.exe, Visual Basic-related execution, and discovery commands
- Scheduled task creation, modification, and execution events
- File creation, rename, path, signature, and parent-process telemetry for executables impersonating Google Updater
- DLL load telemetry and abnormal DLL search/load behavior around suspicious executables
- Endpoint file access telemetry for local data collection from user, configuration, database, or other sensitive locations
Detection direction
- Do not rely only on hashes or static malware labels; the ATT&CK relationships include binary padding and junk code insertion, which can change file representation and complicate static analysis.
- Baseline legitimate Google Update executable names, expected install paths, code-signing status, parent processes, and scheduled tasks; alert on close matches or unexpected locations without assuming every Google-like name is malicious.
- Correlate weak signals: masqueraded executable plus scheduled task persistence, discovery activity, local file access, and outbound traffic over web/mail/DNS is more meaningful than any single event.
- Tune scheduled task analytics for false positives from administrators and software updaters, but require justification for newly created tasks launching unusual binaries or scripts.
- Validate mailbox audit coverage for deletion/export-style activity because the relationship set includes Clear Mailbox Data.
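The weak-signal correlation described in the list above, as an added example that is not code from the page, MITRE or Cybereason: it scores constructed endpoint events per host so that a masqueraded updater, a side-loaded goopdate.dll, an hourly task, an Outlook-spawned cmd.exe and web/mail/DNS egress only alert together. The expected install directories, weights, thresholds and sample paths are assumptions to tune against your own estate.

```python
# Added example (not from the page or MITRE): correlates constructed Windows endpoint events into a
# per-host score for the Goopy-like pattern above; directories, weights and thresholds are assumptions.
from collections import defaultdict

EXPECTED_DIRS = {r"c:\program files (x86)\google\update", r"c:\program files\google\update"}
WEIGHTS = {"masquerade": 3, "sideload": 3, "hourly_task": 2, "outlook_shell": 2, "egress": 1}
ALERT_SCORE, ALERT_MIN_SIGNALS = 5, 2
ROGUE = r"C:\Users\bob\AppData\Roaming\GoogleUpdate.exe"   # constructed: masqueraded copy in a user path
REAL = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"  # constructed: vendor install location

# Constructed sample telemetry: ws01 shows the correlated pattern, ws02 is a normal updater.
EVENTS = [
    {"host": "ws01", "type": "process", "image": ROGUE, "parent": "explorer.exe", "signed": False},
    {"host": "ws01", "type": "dll_load", "image": ROGUE, "dll": r"C:\Users\bob\AppData\Roaming\goopdate.dll"},
    {"host": "ws01", "type": "sched_task", "command": ROGUE, "interval_minutes": 60},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "outlook.exe", "signed": True},
    {"host": "ws01", "type": "network", "image": ROGUE, "proto": "dns"},
    {"host": "ws02", "type": "process", "image": REAL, "parent": "services.exe", "signed": True},
    {"host": "ws02", "type": "sched_task", "command": REAL, "interval_minutes": 60},
]

def parts(path):
    return path.lower().rpartition("\\")[::2]   # (directory, filename), case-folded

def rogue_updater(path):
    # Updater-named file (GoogleUpdate.exe or goopdate.dll) outside the vendor install directory.
    d, f = parts(path)
    return f in ("googleupdate.exe", "goopdate.dll") and d not in EXPECTED_DIRS

def signals_for(ev):
    """Weak signals carried by one event; none of them alone is an alert."""
    t, image, out = ev["type"], ev.get("image", ""), set()
    if t == "process" and parts(image)[1] == "googleupdate.exe" and (rogue_updater(image) or not ev["signed"]):
        out.add("masquerade")                  # updater name in an unexpected path or unsigned
    if t == "dll_load" and rogue_updater(ev["dll"]):
        out.add("sideload")                    # goopdate.dll loaded from a user-writable path
    if t == "sched_task" and ev["interval_minutes"] == 60 and rogue_updater(ev["command"]):
        out.add("hourly_task")                 # hourly task launching the masqueraded binary
    if t == "process" and parts(image)[1] == "cmd.exe" and ev["parent"].lower() == "outlook.exe":
        out.add("outlook_shell")               # command shell spawned from Outlook
    if t == "network" and ev["proto"] in ("dns", "http", "https", "smtp", "imap") and rogue_updater(image):
        out.add("egress")                      # web/mail/DNS egress from the masqueraded binary
    return out

def score_hosts(events):
    per_host = defaultdict(set)                # host -> distinct weak signals seen
    for ev in events:
        per_host[ev["host"]] |= signals_for(ev)
    # Alert only when enough weight comes from several distinct signals, never from one event.
    return {h: {"score": sum(WEIGHTS[s] for s in sigs), "signals": sorted(sigs),
                "alert": sum(WEIGHTS[s] for s in sigs) >= ALERT_SCORE and len(sigs) >= ALERT_MIN_SIGNALS}
            for h, sigs in per_host.items()}
```

Running `score_hosts(EVENTS)` flags ws01 with all five signals and leaves ws02, whose hourly task launches the signed updater from its vendor directory, unflagged.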
Mitigation priorities
- Harden Windows endpoint execution controls with application control, trusted publisher validation, and restrictions on unapproved binaries in user-writable or unusual paths.
- Govern scheduled task creation and review recurring tasks that execute scripts, command shells, or updater-like binaries outside expected vendor locations.
- Strengthen endpoint logging, EDR health monitoring, and tamper protection so tool impairment is visible and recoverable.
- Limit unnecessary outbound web, mail, and DNS paths; ensure egress monitoring can associate network activity with endpoint processes where possible.
- Protect mailbox audit logs and retention so mailbox data clearing can be investigated after the fact.
Analyst notes and limits
This take is based on ATT&CK S0477 Goopy, its official description, the Cybereason Cobalt Kitty reference, and supplied ATT&CK relationships. The relationship to APT32 is useful for threat intelligence context, but local evidence is required before making attribution or exposure claims. The strongest defensive value is using Goopy as a behavior-based coverage test across Windows endpoint, network, mailbox, and security-tool telemetry.
ATT&CK provides no official detection text for Goopy in the supplied object, and the object-level tactics are not specified. The guidance above is derived from the supplied technique relationships and should be validated against the organization’s actual Windows estate, logging depth, security tooling, and legitimate Google Update behavior.
Goopy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.004 | DNS Sub-technique | Goopy has the ability to communicate with its C2 over DNS. [1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2. [1] |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | Goopy's decrypter has been inflated with junk code between legitimate API functions and also includes infinite loops to avoid analysis. [1] |
| Enterprise | T1685 | Disable or Modify Tools | Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Goopy has the ability to enumerate the infected system's user name. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Goopy has the ability to communicate with its C2 over HTTP. [1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1070.008 | Clear Mailbox Data Sub-technique | Goopy has the ability to delete emails used for C2 once the content has been copied. [1] |
| Enterprise | T1005 | Data from Local System | Goopy has the ability to exfiltrate documents from infected systems. [1] |
| Enterprise | T1106 | Native API | Goopy has the ability to enumerate the infected system's user name via |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Goopy has used a polymorphic decryptor to decrypt itself at runtime. [1] |
| Enterprise | T1574.001 | DLL Sub-technique | Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour. [1] |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Goopy has had null characters padded in its malicious DLL payload. [1] |
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 79483051a47b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cybereason Cobalt Kitty 2017. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
[2] mitre-attack S0477.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.