S0493: GoldenSpy
GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[1]
Analyst context for executives and security teams
GoldenSpy matters because it represents backdoor malware delivered through legitimate, required tax preparation software on Windows systems. For leaders, the key issue is not just malware execution; it is the trust placed in mandatory third-party business software and whether security teams can detect malicious persistence, command-and-control, discovery, tool transfer, and possible data exfiltration when the initial package appears legitimate.
Executive priority
Prioritize this as a software supply-chain and endpoint resilience scenario. Executives should ask whether mandated or business-critical third-party applications are inventoried, risk-reviewed, monitored after installation, and covered by incident response playbooks. The business risk is elevated where compliance or tax operations depend on software that users may be required to install, because blocking it outright may not be operationally simple and response decisions may need legal, compliance, and business input.
Technical view
GoldenSpy is a Windows backdoor associated with legitimate tax software packaging. ATT&CK relationships indicate behaviors defenders should validate across initial access via software supply-chain compromise, Windows command shell execution, native API use, Windows service persistence, local account creation, system and file discovery, ingress tool transfer, web-protocol command-and-control, non-standard ports, exfiltration over the C2 channel, encoded or encrypted files, resource-name masquerading, time-based checks, and file deletion. Because MITRE provides no official detection text for this object, coverage should be proven through telemetry tests and historical hunting rather than assumed from generic malware alerts.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and child processes from tax or business software paths
- Windows service creation, modification, service executable path changes, and related registry/service control events
- Local account creation and group membership changes on Windows endpoints
- File creation, modification, encoding/packed artifact indicators, suspicious placement in legitimate-looking paths, and file deletion events
- Software inventory, installation source, update history, and package provenance for required third-party tax software
Detection direction
- Do not rely on software reputation alone; validate monitoring for trusted or required applications spawning shells, creating services, adding accounts, deleting files, or initiating unusual outbound web traffic.
- Baseline expected network behavior for the relevant tax or business software, then tune for new destinations, non-standard ports, unusual timing, and data transfer patterns over existing C2-like channels.
- Correlate host and network evidence: service persistence plus discovery plus outbound web traffic is more meaningful than any single event by itself.
- Hunt for masquerading indicators where file names, registry keys, or locations approximate legitimate resources, especially when paired with recent third-party software installation or update activity.
- Account for false positives from legitimate software updates, support tools, and administrative scripts; require change-ticket, signer, path, parent-process, and destination context before escalation.
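As an added example (not code from MITRE, Trustwave or Glexia), the Python below applies the correlation direction above to constructed Windows telemetry: a host is escalated only when the mandated application is seen doing two or more independent things (spawning a shell, installing a service, adding an account, or connecting on one of the ports listed in this page's T1571 relationship). The install directory, event field names and sample values are assumptions.

```python
# Added example: correlate host and network events so that a "required" application
# spawning a shell, installing a service and talking on an unusual port is escalated
# together rather than as three isolated alerts.
from collections import defaultdict

# Ports from this page's T1571 relationship (9002/9005/9006 HTTP/C2, 33666 WebSocket, 8090 downloads)
GOLDENSPY_PORTS = {9002, 9005, 9006, 33666, 8090}
# Assumed install directory of the mandated tax software (placeholder, not taken from the page)
TRUSTED_APP_DIR = "c:\\program files\\tax-suite\\"

def _under_app_dir(path):
    return path.lower().startswith(TRUSTED_APP_DIR)

def host_signals(events):
    """Map each host to the set of GoldenSpy-style behaviours seen in normalised events."""
    signals = defaultdict(set)
    for e in events:
        h, t = e["host"], e["type"]
        if t == "process" and e["image"].lower().endswith("\\cmd.exe") and _under_app_dir(e["parent"]):
            signals[h].add("shell_from_app")        # T1059.003: shell child of the trusted app
        elif t == "service_install" and _under_app_dir(e["image"]):
            signals[h].add("service_from_app")      # T1543.003: autostart service persistence
        elif t == "user_add" and _under_app_dir(e["image"]):
            signals[h].add("account_from_app")      # T1136.001: local account creation
        elif t == "netconn" and _under_app_dir(e["image"]) and e["dport"] in GOLDENSPY_PORTS:
            signals[h].add("nonstandard_port")      # T1571 / T1041: outbound on a listed port
    return signals

def suspicious_hosts(events, min_signals=2):
    """Escalate only hosts where at least min_signals independent behaviours line up."""
    return {h: sorted(s) for h, s in host_signals(events).items() if len(s) >= min_signals}

# Constructed sample telemetry (Sysmon 1/3, System 7045 and Security 4720 shapes flattened to dicts)
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "service_install", "image": r"C:\Program Files\Tax-Suite\svm.exe"},
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Tax-Suite\svm.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"host": "WS01", "type": "netconn", "image": r"C:\Program Files\Tax-Suite\svm.exe",
     "dst": "203.0.113.10", "dport": 9006},
    {"host": "WS02", "type": "process", "image": r"C:\Program Files\Tax-Suite\tax.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "tax.exe"},
    {"host": "WS02", "type": "netconn", "image": r"C:\Program Files\Tax-Suite\tax.exe",
     "dst": "198.51.100.5", "dport": 443},
]

if __name__ == "__main__":
    # WS02 is the benign baseline (normal launch, HTTPS on 443) and is not escalated
    print(suspicious_hosts(SAMPLE_EVENTS))  # {'WS01': ['nonstandard_port', 'service_from_app', 'shell_from_app']}
```

Feed it records normalised from your own EDR or Sysmon pipeline and raise `min_signals` if a given environment produces too many single-signal hits from legitimate updates.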
Mitigation priorities
- Maintain an authoritative inventory of required third-party software and document business owners, installation sources, update mechanisms, and exception decisions.
- Apply least privilege so business applications cannot create services, add local accounts, or modify sensitive system areas unless explicitly required and approved.
- Use application control, change control, and endpoint hardening to constrain unexpected execution from third-party software directories.
- Ensure egress controls and proxy inspection provide visibility into web traffic and non-standard port usage from endpoints running required business software.
- Prepare incident response decision paths for supply-chain scenarios where the affected software may be operationally or legally required.
Analyst notes and limits
The supplied ATT&CK relationship set is useful for building a defensive validation plan: supply-chain initial access, persistence, execution, discovery, C2, exfiltration, stealth, and cleanup behaviors are all represented. The most important local question is whether the organization has Windows telemetry and software governance strong enough to distinguish legitimate tax software behavior from backdoor activity.
MITRE provides no official detection guidance for GoldenSpy in the supplied object, and the object tactics field is not specified. The description identifies targeting of organizations in China via the Intelligent Tax software suite, but this take does not infer current activity, attribution, prevalence, or exposure beyond the supplied ATT&CK fields and relationships.
GoldenSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Windows Service Sub-technique | GoldenSpy has established persistence by running in the background as an autostart service. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1082 | System Information Discovery | GoldenSpy has gathered operating system information. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1136.001 | Local Account Sub-technique | GoldenSpy can create new users on an infected system. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1571 | Non-Standard Port | GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | GoldenSpy has been packaged with a legitimate tax preparation software. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | GoldenSpy's setup file installs initial executables under the folder |
| Enterprise | T1106 | Native API | GoldenSpy can execute remote commands in the Windows command shell using the |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | GoldenSpy can execute remote commands via the command-line interface. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1070.004 | File Deletion Sub-technique | GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed. (Citation: Trustwave GoldenSpy2 June 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication. (Citation: Trustwave GoldenSpy June 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | GoldenSpy's uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 109c4581ff7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trustwave GoldenSpy June 2020: Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
[2] mitre-attack S0493
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.