A new malware loader named GoFlateLoader has emerged, utilizing a straightforward yet effective technique to bypass security measures. Written in the Go programming language, its primary function is to decode and deploy information-stealing malware onto victims’ systems while evading detection.
Since at least April 2026, GoFlateLoader has impacted over 33,000 users worldwide, with significant activity in Brazil, India, Argentina, Mexico, Turkey, and Spain. It has been observed delivering various infostealers, including Lumma, Vidar, StealC, Amatera, Remus, and SvitStealer.
According to Gen Digital, GoFlateLoader distinguishes itself by lacking common anti-analysis features such as anti-debugging checks, virtual machine detection, and sandbox evasion techniques. Instead, it relies on a simple yet effective method to remain undetected.
The loader primarily spreads through fake cracked software downloads and malicious traffic distribution systems. In one method, victims are redirected to a landing page presenting a password-protected archive with the password displayed separately, complicating automated scanning by security tools.
Upon execution, GoFlateLoader decodes its payload entirely within the system’s memory, ensuring the final malicious program is never written to disk—a tactic designed to evade detection by security software monitoring file activity. Notably, it uses Go’s syscall.Syscall function with hardcoded dummy arguments, an unusual behavior that could serve as a detection marker.
GoFlateLoader’s Massive PE Overlay
A defining characteristic of GoFlateLoader is its substantial file size, typically between 700 and 950 megabytes. This size inflation is achieved by appending a large block of data, known as a PE overlay, to the end of the executable code. In most cases, this extra data consists of null bytes, though some versions use random padding.
The purpose of this size inflation is to exploit the limitations of many antivirus engines, endpoint detection tools, and cloud-based analysis platforms, which often impose strict size limits on files they scan. By exceeding these limits, GoFlateLoader effectively evades detection.
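The overlay check described above can be done without loading the file into a scanner at all: parse the section table, compute where the last section's raw data ends, and measure what lies beyond it. The following is an added triage script written for this article (not code from Gen Digital or from the loader's analysis); the 64 MiB threshold and the constructed minimal PE sample are assumptions used to illustrate the check.

```python
import struct

def overlay_info(pe: bytes) -> tuple[int, int, float]:
    """Locate the overlay of a PE image held in memory.

    The overlay is every byte past the end of the last section's raw data.
    Returns (overlay_offset, overlay_size, fraction_of_null_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect = coff + 20 + opt_size          # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections       # headers alone, if no section has raw data
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = pe[end:]
    # Null ratio distinguishes null padding from the random padding some variants use.
    nulls = overlay.count(0) / len(overlay) if overlay else 0.0
    return end, len(overlay), nulls

def suspicious_overlay(pe: bytes, min_overlay: int = 64 * 1024 * 1024) -> bool:
    """Triage rule: flag a file whose overlay alone exceeds min_overlay bytes.
    The threshold is an assumption; the article reports padding to 700-950 MB."""
    _, size, _ = overlay_info(pe)
    return size >= min_overlay

def build_sample(overlay: bytes) -> bytes:
    """Constructed minimal PE32 layout (not a loadable program): one section
    of 0x200 bytes at file offset 0x200, followed by the given overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = b"\0" * 224                     # optional header contents are irrelevant here
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200 + overlay

if __name__ == "__main__":
    sample = build_sample(b"\0" * 4096)
    print(overlay_info(sample))                          # (1024, 4096, 1.0)
    print(suspicious_overlay(sample, min_overlay=1024))  # True
```

Because only the headers and section table are read, the check costs the same on a 900 MB file as on a 90 KB one, so it can run ahead of scanners that would otherwise skip the file for exceeding their size limit.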
GoFlateLoader’s use of a massive PE overlay to evade detection underscores the evolving tactics of cybercriminals. This approach highlights the need for security solutions to adapt and address such evasion techniques. Organizations should remain vigilant and update their security measures to detect and mitigate such threats effectively.
Source: Cyber Security News