
S0597: GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[1]

Domain: Enterprise | ID: S0597 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

GoldFinder matters because it is not primarily about stealing data or causing disruption; it helps an intruder understand how traffic moves from a compromised Windows environment to command-and-control infrastructure. That makes it useful for avoiding monitoring points and validating whether other malware communications may be exposed. For leaders, the practical issue is whether network egress, proxy, DNS, and endpoint telemetry are complete enough to show suspicious HTTP-based path testing from compromised systems.

Executive priority

Treat this as a control-validation signal for resilience and incident readiness. GoldFinder was reported in the context of the SolarWinds Compromise and APT29, so it is associated with high-consequence intrusion tradecraft, but the supplied ATT&CK data does not support claims of current exploitation. Executives should ask whether the organization can prove visibility over outbound web traffic from Windows endpoints, whether incident responders can reconstruct C2 paths, and whether egress controls create useful audit evidence rather than blind trust in allowed HTTP/S traffic.

Technical view

GoldFinder is described by ATT&CK as a custom Go-based HTTP tracer tool for Windows that logs the route between a compromised network and a C2 server. ATT&CK links it to Internet Connection Discovery (T1016.001), Web Protocols (T1071.001), and Automated Collection (T1119). SOC and IR teams should validate whether they can detect unusual HTTP/S connectivity testing, route/path discovery behavior, and local logging or collection activity from non-standard executables on Windows systems. Because no official ATT&CK detection guidance is provided for this object, coverage should be proven through local telemetry review and controlled validation rather than assumed from signatures.

Likely telemetry

  • Windows endpoint process execution and command-line telemetry
  • EDR alerts and binary metadata for unusual Go-compiled or custom executables
  • Proxy, secure web gateway, and firewall logs for outbound HTTP/S sessions
  • DNS resolution logs associated with outbound web connections
  • NetFlow or equivalent network metadata showing external connection paths and timing

Detection direction

  • Baseline legitimate administrative connectivity testing so custom or unexpected HTTP tracing from workstations and servers stands out.
  • Correlate Windows process execution with outbound HTTP/S traffic to unfamiliar external destinations, especially when the process is not a browser, updater, or approved management tool.
  • Review proxy and firewall logs for repeated path-testing or connectivity-check patterns that precede or accompany suspected C2 communications.
  • Tune carefully for false positives from network diagnostics, monitoring agents, software updaters, and sanctioned availability testing.
  • Use relationship context to prioritize detections that combine Internet Connection Discovery, Web Protocol C2-like traffic, and automated local logging or collection behavior.
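The correlation and repeated-probe heuristics in the list above, worked as a small detection script. This is an added example, not code from this page, from MITRE, or from the MSTIC report: every log line, hostname, process name, IP address (TEST-NET ranges) and threshold in it is constructed for the demo, the Sysmon-style network-connect (EID 3) and proxy line formats are simplified assumptions, and the approved-process and baseline-destination sets stand in for a real environment baseline. It joins endpoint connect events to proxy sessions by source host, destination and time, then alerts when an unapproved process issues several small GETs to non-baseline destinations in a short window, counting 3xx responses separately because a hop-by-hop tracer learns about proxies and redirectors from them.

```python
"""Correlate Windows network-connect telemetry with proxy sessions and flag
non-browser processes that repeatedly probe unfamiliar HTTP destinations.
Added example: every log line, host, process name, IP and threshold below is
constructed for the demo, not an indicator from ATT&CK or the MSTIC report."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed environment baseline (assumption: maintained from local telemetry review).
APPROVED_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe", "msiexec.exe"}
BASELINE_DESTS = {"www.example-corp.com", "updates.example-corp.com"}
JOIN_TOLERANCE = timedelta(seconds=2)   # EDR connect event vs. proxy session start
CHECK_WINDOW = timedelta(minutes=5)     # window for counting repeated probes
MIN_CHECKS = 3                          # probes per process that trigger an alert
SMALL_RESPONSE = 4096                   # bytes; connectivity checks fetch little content

# Constructed Sysmon-style network-connect (EID 3) lines: time host EID3 Image=... Dest=...
NET_LINES = [
    "2021-03-02T10:15:01Z WS-0421 EID3 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\nettrace.exe Dest=203.0.113.10",
    "2021-03-02T10:15:31Z WS-0421 EID3 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\nettrace.exe Dest=203.0.113.10",
    "2021-03-02T10:16:02Z WS-0421 EID3 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\nettrace.exe Dest=198.51.100.7",
    "2021-03-02T10:15:05Z WS-0300 EID3 Image=C:\\Users\\asmith\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe Dest=203.0.113.99",
]
# Constructed proxy lines: time host method url status response_bytes
PROXY_LINES = [
    "2021-03-02T10:15:02Z WS-0421 GET http://203.0.113.10/ 302 511",
    "2021-03-02T10:15:32Z WS-0421 GET http://203.0.113.10/ 302 511",
    "2021-03-02T10:16:03Z WS-0421 GET http://198.51.100.7/ 200 873",
    "2021-03-02T10:15:06Z WS-0300 GET http://203.0.113.99/ 200 1290",
]

@dataclass
class NetEvent:
    time: datetime
    host: str
    image: str   # executable file name only
    dest: str

@dataclass
class ProxyEvent:
    time: datetime
    host: str
    method: str
    dest: str
    status: int
    resp_bytes: int
    image: str = ""   # filled in by correlate(); empty means unattributed

def _ts(s: str) -> datetime: return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_net_line(line: str) -> NetEvent:
    ts, host, _eid, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    image = fields["Image"].replace("\\", "/").rsplit("/", 1)[-1]
    return NetEvent(_ts(ts), host, image, fields["Dest"])

def parse_proxy_line(line: str) -> ProxyEvent:
    ts, host, method, url, status, size = line.split()
    dest = url.split("://", 1)[1].split("/", 1)[0]
    return ProxyEvent(_ts(ts), host, method, dest, int(status), int(size))

def correlate(net_events, proxy_events):
    # Attribute each proxy session to the closest connect event on the same host/dest.
    for p in proxy_events:
        near = [n for n in net_events if n.host == p.host and n.dest == p.dest
                and abs(n.time - p.time) <= JOIN_TOLERANCE]
        if near:
            p.image = min(near, key=lambda n: abs(n.time - p.time)).image
    return proxy_events

def detect_path_testing(proxy_events):
    # Alert on unapproved processes making MIN_CHECKS+ small GETs to non-baseline
    # destinations inside CHECK_WINDOW; 3xx counts hint at proxies/redirectors on the path.
    by_proc = {}
    for p in proxy_events:
        if not p.image or p.image.lower() in APPROVED_IMAGES or p.dest in BASELINE_DESTS \
                or p.method != "GET" or p.resp_bytes > SMALL_RESPONSE:
            continue
        by_proc.setdefault((p.host, p.image), []).append(p)
    alerts = []
    for (host, image), evs in by_proc.items():
        evs.sort(key=lambda e: e.time)
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e.time - first.time <= CHECK_WINDOW]
            if len(window) >= MIN_CHECKS:
                alerts.append({"host": host, "image": image, "checks": len(window),
                               "dests": sorted({e.dest for e in window}),
                               "redirects": sum(300 <= e.status < 400 for e in window)})
                break
    return alerts

def run_detection():
    net = [parse_net_line(l) for l in NET_LINES]
    proxy = correlate(net, [parse_proxy_line(l) for l in PROXY_LINES])
    return detect_path_testing(proxy)

if __name__ == "__main__":
    print(run_detection())
```

With the constructed data, only nettrace.exe on WS-0421 is flagged (three probes, two of them redirected); chrome.exe on WS-0300 reaches an unfamiliar destination but is on the approved list, which is the allowlist-plus-baseline tuning the bullets above describe. In production the join key would come from the EDR's own process-to-connection linkage rather than a two-second time tolerance, and the thresholds would be set from the baseline review, not hardcoded.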

Mitigation priorities

  • Prioritize outbound egress control and logging for Windows endpoints, including proxy/firewall enforcement for HTTP/S traffic where appropriate.
  • Ensure endpoint execution controls and allowlisting policies reduce the chance of unapproved custom tools running unnoticed.
  • Retain proxy, DNS, firewall, and endpoint telemetry long enough to support incident reconstruction of C2 paths.
  • During incident response, treat discovery of this type of tool as a reason to review what monitoring points the adversary may have identified and potentially avoided.
  • Use threat intelligence and ATT&CK relationship context to inform hunting, but require local evidence before making attribution or exposure claims.

Analyst notes and limits

The supplied ATT&CK object identifies GoldFinder as malware/software, Windows platform, and a custom HTTP tracer discovered during investigation of the SolarWinds Compromise by APT29. The most decision-relevant point is that the tool can help an adversary understand where C2 traffic may be observed, making telemetry completeness and egress governance central to defense.

Official ATT&CK detection text is not provided, tactics are not specified directly on the malware object, and no indicators, hashes, command lines, or concrete log patterns were supplied. Local environment baselines and telemetry are required to build reliable detections.

Official MITRE ATT&CK definition

GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[1]

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1016.001 | Internet Connection Discovery (sub-technique) | GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through. [1]
Enterprise | T1119 | Automated Collection | GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | GoldFinder has used HTTP for C2. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: c2b87b08d93477c7...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.1, current bundle, raw hash c2b87b08d934…)

Raw source: the raw object is retained through the mirrored ATT&CK source bundle and object hash, and is returned exactly as it appears in that bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] MSTIC NOBELIUM Mar 2021: Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence. Retrieved March 8, 2021.
  2. [2] GoldFinder: ATT&CK name entry for this object, citing MSTIC NOBELIUM Mar 2021.
  3. [3] mitre-attack S0597: MITRE ATT&CK source record for this object.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.