Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0588: GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]

EnterpriseS0588MalwareObject v2.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

GoldMax matters because it represents a cross-platform, second-stage command-and-control backdoor associated in ATT&CK with the SolarWinds Compromise and APT29. For leaders, the practical issue is not a single malware name; it is whether the organization can detect and investigate stealthy post-compromise activity that blends with web traffic, persists through scheduled execution, masks file and service names, and may avoid sandbox analysis.

Executive priority

Prioritize GoldMax as a resilience and incident-readiness test case for high-consequence intrusions: validate Windows and Linux visibility, scheduled task and cron monitoring, outbound web traffic governance, and evidence retention for C2, exfiltration over C2, and tool transfer. Because ATT&CK provides no official detection text for this object, executives should ask whether coverage is mapped to the related techniques rather than relying on malware signatures alone.

Technical view

SOC and IR teams should pivot from the malware object to its ATT&CK technique relationships. Validate detections for suspicious scheduled tasks on Windows, cron-based execution on Linux, masqueraded services or resources, command shell execution, system and time discovery, anti-analysis behavior, packed or encoded files, deobfuscation activity, ingress tool transfer, and web-protocol C2. Network analysis should account for junk data and asymmetric cryptography, which can reduce payload visibility and make metadata, destination reputation, timing, process-to-network correlation, and endpoint context more important.

Likely telemetry

  • Windows process creation and command-line telemetry, especially cmd.exe execution tied to unusual parent processes or persistence mechanisms
  • Windows Scheduled Task creation, modification, and execution events
  • Linux cron file changes, cron execution logs, and related process telemetry
  • Service creation, service renaming, task naming, and file path/name telemetry for masquerading or legitimate-name abuse
  • Endpoint file metadata for packed, encoded, or newly introduced executables on Windows and Linux

Detection direction

  • Build coverage around the listed technique relationships rather than expecting a single GoldMax signature; ATT&CK does not provide official detection guidance for this malware object.
  • Tune for suspicious persistence on both supported platforms: Windows Scheduled Tasks and Linux cron entries, especially when names or paths mimic legitimate resources.
  • Correlate web-protocol outbound traffic with endpoint process lineage, new files, scheduled execution, and shell activity to reduce false positives from normal HTTP/S use.
  • Treat encrypted C2 and junk-data behavior as reasons to emphasize metadata analytics and host context; content inspection may be limited.
  • Review detections for masquerading carefully: focus on deviations in path, signer, owner, creation time, parent process, and execution context rather than name similarity alone.

Mitigation priorities

  • Harden and monitor persistence mechanisms first: restrict and audit scheduled task and cron creation, especially by non-administrative or unexpected processes.
  • Improve outbound control and logging for web traffic from servers and workstations, including egress allowlisting where operationally feasible.
  • Ensure EDR and logging coverage is consistent across Windows and Linux assets, since ATT&CK lists both variants as relevant platforms.
  • Strengthen file and service hygiene: baseline legitimate services, scheduled jobs, executable locations, and administrative scripts to make masquerading easier to spot.
  • Maintain investigation-ready retention for endpoint, DNS, proxy, firewall, and authentication-adjacent logs so suspected second-stage activity can be reconstructed.
Analyst notes and limits

The strongest defensive value comes from mapping GoldMax to its related ATT&CK behaviors: C2 over web protocols, encrypted or junked communications, scheduled persistence, masquerading, discovery, file obfuscation, tool transfer, and possible exfiltration over C2. The object is linked by ATT&CK to the SolarWinds Compromise and APT29, which supports prioritizing this as a high-sophistication tradecraft scenario.

The supplied ATT&CK object has no official detection field and no object-level tactics specified. This take does not assert current exploitation, local exposure, or guaranteed detection. Local asset inventory, logging configuration, network architecture, and control baselines are required to determine actual coverage.

Official MITRE ATT&CK definition

GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows
Domain ID Name Relationship / procedure
Enterprise T1053.005 Scheduled Task Sub-technique

GoldMax has used scheduled tasks to maintain persistence.[1]
Enterprise T1027.002 Software Packing Sub-technique

GoldMax has been packed for obfuscation.[2]
Enterprise T1564.011 Ignore Process Interrupts Sub-technique

The GoldMax Linux variant has been executed with the `nohup` command to ignore hangup signals and continue to run if the terminal session was terminated.[3]
Enterprise T1124 System Time Discovery

GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.[1][2]
Enterprise T1016 System Network Configuration Discovery

GoldMax retrieved a list of the system's network interface after execution.[1]
Enterprise T1053.003 Cron Sub-technique

The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.[3]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

GoldMax has RSA-encrypted its communication with the C2 server.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

GoldMax can spawn a command shell, and execute native commands.[1][2]
Enterprise T1140 Deobfuscate/Decode Files or Information

GoldMax has decoded and decrypted the configuration file when executed.[1][2]
Enterprise T1001.001 Junk Data Sub-technique

GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.[1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[1][2]
Enterprise T1071.001 Web Protocols Sub-technique

GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.[1][2]
Enterprise T1105 Ingress Tool Transfer

GoldMax can download and execute additional files.[1][2]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

GoldMax has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.[1][3]
Enterprise T1497.003 Time Based Checks Sub-technique

GoldMax has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value.[1]
Enterprise T1497.001 System Checks Sub-technique

GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.[1][2]
Enterprise T1041 Exfiltration Over C2 Channel

GoldMax can exfiltrate files over the existing C2 channel.[1][2]
Enterprise T1036.004 Masquerade Task or Service Sub-technique

GoldMax has impersonated systems management software to avoid detection.[1]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Relationship explorer

All related ATT&CK context

uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1027.002: Software Packing Enterprise uses · Campaign C0024: SolarWinds Compromise Enterprise uses · Technique T1564.011: Ignore Process Interrupts Enterprise uses · Technique T1124: System Time Discovery Enterprise uses · Group G0016: APT29 Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1053.003: Cron Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1001.001: Junk Data Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1497.003: Time Based Checks Enterprise uses · Technique T1497.001: System Checks Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1036.004: Masquerade Task or Service Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.3
Created
Modified
Raw hash
01cd2c87c9007c92...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.3 Current bundle 01cd2c87c900…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    MSTIC NOBELIUM Mar 2021

    Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.

    Open source URL
  2. [2]
    FireEye SUNSHUTTLE Mar 2021

    Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

    Open source URL
  3. [3]
    CrowdStrike StellarParticle January 2022

    CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.

    Open source URL
  4. [4]
    GoldMax

    (Citation: MSTIC NOBELIUM Mar 2021)

  5. [5]
    SUNSHUTTLE

    (Citation: FireEye SUNSHUTTLE Mar 2021)

  6. [6]
    mitre-attack S0588
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use