
S0588: GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]

Domain: Enterprise | ID: S0588 | Type: Malware | Object version: 2.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

GoldMax matters because it represents a cross-platform, second-stage command-and-control backdoor associated in ATT&CK with the SolarWinds Compromise and APT29. For leaders, the practical issue is not a single malware name; it is whether the organization can detect and investigate stealthy post-compromise activity that blends with web traffic, persists through scheduled execution, masks file and service names, and may avoid sandbox analysis.

Executive priority

Prioritize GoldMax as a resilience and incident-readiness test case for high-consequence intrusions: validate Windows and Linux visibility, scheduled task and cron monitoring, outbound web traffic governance, and evidence retention for C2, exfiltration over C2, and tool transfer. Because ATT&CK provides no official detection text for this object, executives should ask whether coverage is mapped to the related techniques rather than relying on malware signatures alone.

Technical view

SOC and IR teams should pivot from the malware object to its ATT&CK technique relationships. Validate detections for suspicious scheduled tasks on Windows, cron-based execution on Linux, masqueraded services or resources, command shell execution, system and time discovery, anti-analysis behavior, packed or encoded files, deobfuscation activity, ingress tool transfer, and web-protocol C2. Network analysis should account for junk data and asymmetric cryptography, which can reduce payload visibility and make metadata, destination reputation, timing, process-to-network correlation, and endpoint context more important.

Likely telemetry

  • Windows process creation and command-line telemetry, especially cmd.exe execution tied to unusual parent processes or persistence mechanisms
  • Windows Scheduled Task creation, modification, and execution events
  • Linux cron file changes, cron execution logs, and related process telemetry
  • Service creation, service renaming, task naming, and file path/name telemetry for masquerading or legitimate-name abuse
  • Endpoint file metadata for packed, encoded, or newly introduced executables on Windows and Linux

Detection direction

  • Build coverage around the listed technique relationships rather than expecting a single GoldMax signature; ATT&CK does not provide official detection guidance for this malware object.
  • Tune for suspicious persistence on both supported platforms: Windows Scheduled Tasks and Linux cron entries, especially when names or paths mimic legitimate resources.
  • Correlate web-protocol outbound traffic with endpoint process lineage, new files, scheduled execution, and shell activity to reduce false positives from normal HTTP/S use.
  • Treat encrypted C2 and junk-data behavior as reasons to emphasize metadata analytics and host context; content inspection may be limited.
  • Review detections for masquerading carefully: focus on deviations in path, signer, owner, creation time, parent process, and execution context rather than name similarity alone.
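As an added illustration of the correlation approach above (example code, not part of the ATT&CK object or Glexia's text), this Python snippet runs simple checks over constructed Linux crontab lines and Windows scheduled-task events, flagging the persistence and masquerading patterns the relationship table lists for GoldMax: `@reboot` cron entries (with `nohup`), and tasks whose binary sits under ProgramData, is named after the host, or was registered from a command shell. The host name, paths and event field names are constructed assumptions, not values from any real incident.

```python
import re

# Constructed sample hostname and telemetry (not real incident data).
HOSTNAME = "WS-0412"

CRONTAB_LINES = [
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "@reboot nohup /opt/.cache/updater >/dev/null 2>&1 &",
]

# Hypothetical normalized scheduled-task creation events: task path, command, creating parent.
TASK_EVENTS = [
    {"task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "cmd": "C:\\Windows\\System32\\defrag.exe", "parent": "svchost.exe"},
    {"task": "\\Systems Management\\Agent",
     "cmd": "C:\\ProgramData\\SysMgmt\\" + HOSTNAME + ".exe", "parent": "cmd.exe"},
]


def flag_cron(lines):
    """Return (line, reasons) for cron entries using @reboot persistence (T1053.003),
    noting nohup use so the job survives terminal hangup (T1564.011)."""
    hits = []
    for line in lines:
        if line.lstrip().startswith("@reboot"):
            reasons = ["@reboot persistence"]
            if re.search(r"\bnohup\b", line):
                reasons.append("nohup ignores SIGHUP")
            hits.append((line, reasons))
    return hits


def flag_tasks(events, hostname):
    """Return (task, reasons) for scheduled tasks whose binary lives under ProgramData
    or is named after the host (T1036.005), or that were registered from cmd.exe (T1059.003)."""
    hits = []
    for ev in events:
        reasons = []
        cmd = ev["cmd"].lower()
        if "\\programdata\\" in cmd:
            reasons.append("binary under ProgramData")
        if hostname.lower() in cmd:
            reasons.append("binary named after host")
        if ev["parent"].lower() == "cmd.exe":
            reasons.append("created from command shell")
        if reasons:
            hits.append((ev["task"], reasons))
    return hits
```

Each reason is a weak signal on its own; the value comes from stacking them with process lineage and outbound web traffic, as the bullets above describe.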

Mitigation priorities

  • Harden and monitor persistence mechanisms first: restrict and audit scheduled task and cron creation, especially by non-administrative or unexpected processes.
  • Improve outbound control and logging for web traffic from servers and workstations, including egress allowlisting where operationally feasible.
  • Ensure EDR and logging coverage is consistent across Windows and Linux assets, since ATT&CK lists both variants as relevant platforms.
  • Strengthen file and service hygiene: baseline legitimate services, scheduled jobs, executable locations, and administrative scripts to make masquerading easier to spot.
  • Maintain investigation-ready retention for endpoint, DNS, proxy, firewall, and authentication-adjacent logs so suspected second-stage activity can be reconstructed.

Analyst notes and limits

The strongest defensive value comes from mapping GoldMax to its related ATT&CK behaviors: C2 over web protocols, encrypted or junked communications, scheduled persistence, masquerading, discovery, file obfuscation, tool transfer, and possible exfiltration over C2. The object is linked by ATT&CK to the SolarWinds Compromise and APT29, which supports prioritizing this as a high-sophistication tradecraft scenario.

The supplied ATT&CK object has no official detection field and no object-level tactics specified. This take does not assert current exploitation, local exposure, or guaranteed detection. Local asset inventory, logging configuration, network architecture, and control baselines are required to determine actual coverage.

Official MITRE ATT&CK definition

GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1053.005 | Scheduled Task (sub-technique)
GoldMax has used scheduled tasks to maintain persistence. [MSTIC NOBELIUM Mar 2021]

Enterprise | T1027.002 | Software Packing (sub-technique)
GoldMax has been packed for obfuscation. [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1564.011 | Ignore Process Interrupts (sub-technique)
The GoldMax Linux variant has been executed with the `nohup` command to ignore hangup signals and continue to run if the terminal session was terminated. [CrowdStrike StellarParticle January 2022]

Enterprise | T1124 | System Time Discovery
GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger, and can send the current timestamp to the C2 server. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1016 | System Network Configuration Discovery
GoldMax retrieved a list of the system's network interfaces after execution. [MSTIC NOBELIUM Mar 2021]

Enterprise | T1053.003 | Cron (sub-technique)
The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence. [CrowdStrike StellarParticle January 2022]

Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique)
GoldMax has RSA-encrypted its communication with the C2 server. [MSTIC NOBELIUM Mar 2021]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
GoldMax can spawn a command shell and execute native commands. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
GoldMax has decoded and decrypted the configuration file when executed. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1001.001 | Junk Data (sub-technique)
GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection. [MSTIC NOBELIUM Mar 2021]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
GoldMax has written AES-encrypted and Base64-encoded configuration files to disk. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1071.001 | Web Protocols (sub-technique)
GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1105 | Ingress Tool Transfer
GoldMax can download and execute additional files. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder. [MSTIC NOBELIUM Mar 2021] [CrowdStrike StellarParticle January 2022]

Enterprise | T1497.003 | Time Based Checks (sub-technique)
GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value. [MSTIC NOBELIUM Mar 2021]

Enterprise | T1497.001 | System Checks (sub-technique)
GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1041 | Exfiltration Over C2 Channel
GoldMax can exfiltrate files over the existing C2 channel. [MSTIC NOBELIUM Mar 2021] [FireEye SUNSHUTTLE Mar 2021]

Enterprise | T1036.004 | Masquerade Task or Service (sub-technique)
GoldMax has impersonated systems management software to avoid detection. [MSTIC NOBELIUM Mar 2021]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 2.3
Created:
Modified:
Raw hash: 01cd2c87c9007c92...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.3 | | Current bundle | 01cd2c87c900…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. MSTIC NOBELIUM Mar 2021: Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
  2. FireEye SUNSHUTTLE Mar 2021: Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  3. CrowdStrike StellarParticle January 2022: CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  4. GoldMax (Citation: MSTIC NOBELIUM Mar 2021)
  5. SUNSHUTTLE (Citation: FireEye SUNSHUTTLE Mar 2021)
  6. mitre-attack S0588

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.