GoldenJackal: The Cyberespionage APT Crew Targeting Air-Gapped Systems
Advanced Persistent Threat (APT) groups continue to pose significant risks to government and diplomatic entities worldwide. One such group, GoldenJackal, has drawn scrutiny for its cyberespionage activity, and in particular for its ability to breach air-gapped systems: computers deliberately isolated from the internet and other untrusted networks. According to researchers at antivirus vendor ESET, GoldenJackal has compromised air-gapped PCs belonging to government and diplomatic organizations at least twice, using two distinct sets of custom malware.
The Timeline of Attacks
ESET’s investigation found that GoldenJackal has been active since at least 2019, with notable intrusions at a South Asian embassy in Belarus and at a European government organization. The embassy was compromised in August 2019; the breaches at the European organization ran from May 2022 to March 2024. The timeline shows a sustained, multi-year effort to get into sensitive environments, with obvious implications for national security.
Custom Malware Toolsets
Air-gapped systems are kept off the network precisely so that malware cannot reach them or report back, which makes a group that has bridged the gap twice particularly alarming. ESET’s researchers identified two separate toolsets, showing a high level of sophistication and resourcefulness. The first, used in the 2019 embassy attack, included a component named “GoldenDealer.” GoldenDealer watches for USB storage devices and uses them as the bridge: it downloads executables from a command-and-control (C2) server and, by way of the USB drive, gets them executed on air-gapped machines.
When a USB drive is inserted into an infected PC, GoldenDealer installs additional malware, including a modular backdoor called GoldenHowl and a file-stealing utility named GoldenRobo. How GoldenDealer first reaches a system remains unclear; ESET suggests an as-yet-unknown worm component may be responsible.
The second toolset, developed between 2022 and 2024, is written in Go and adds several capabilities: “GoldenUsbCopy” monitors USB devices and steals files from them; “GoldenAce” is a distribution tool that propagates other executables; “GoldenBlacklist” and its Python counterpart “GoldenPyBlacklist” scan email and retain messages of interest; and “GoldenMailer” and “GoldenDrive” exfiltrate the stolen files via email and cloud storage, respectively.
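Both toolsets depend on the same pattern: a USB drive is written on an internet-connected machine and later plugged into an isolated one, where something executes from it. The script below is an added example written for this article, not ESET’s code and not GoldenJackal’s malware; it shows the kind of cross-host correlation a defender can run over endpoint telemetry to surface that pattern. The log format (one line per event, key=value fields, loosely modelled on Sysmon-style device, file-create and process-create records), the host names, drive serials, file paths and the one-hour window are all assumptions, and the sample lines are constructed.

```python
"""Correlate removable-media events across hosts to spot USB-carried payloads.

Added example for this article; hypothetical telemetry format:
"<ISO timestamp> <kind> key=value key="value with spaces" ...".
Sample log lines are constructed, not real incident data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# File types worth flagging when they appear on a freshly inserted drive.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


@dataclass
class Event:
    ts: datetime
    kind: str      # usb_insert | file_create | process_create
    fields: dict


@dataclass
class Alert:
    rule: str      # exe_staged_to_removable | exec_from_removable
    host: str
    serial: str
    path: str
    since_insert: timedelta


def parse_line(line: str) -> Event:
    """Parse one hypothetical log line into an Event (quoted values keep spaces)."""
    ts_text, kind, rest = line.strip().split(" ", 2)
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD_RE.finditer(rest)}
    return Event(datetime.fromisoformat(ts_text), kind, fields)


def detect(lines, window=timedelta(hours=1)):
    """Alert on executables written to, or run from, a recently inserted removable drive.

    A drive letter counts as removable on a host only for `window` after its
    usb_insert event (an assumption; tune to the environment).
    """
    inserted = {}  # (host, drive letter) -> (insert time, device serial)
    alerts = []
    for ev in sorted(map(parse_line, lines), key=lambda e: e.ts):
        host = ev.fields["host"]
        if ev.kind == "usb_insert":
            inserted[(host, ev.fields["drive"].upper())] = (ev.ts, ev.fields.get("serial", "?"))
            continue
        path = ev.fields.get("image" if ev.kind == "process_create" else "path", "")
        drive = path[:2].upper() if len(path) > 2 and path[1] == ":" else ""
        hit = inserted.get((host, drive))
        if hit is None or ev.ts - hit[0] > window:
            continue
        ins_ts, serial = hit
        if ev.kind == "process_create":
            alerts.append(Alert("exec_from_removable", host, serial, path, ev.ts - ins_ts))
        elif ev.kind == "file_create" and path.lower().endswith(EXEC_SUFFIXES):
            alerts.append(Alert("exe_staged_to_removable", host, serial, path, ev.ts - ins_ts))
    return alerts


def carrier_serials(alerts):
    """Serials that had an executable staged on one host and executed on a different one:
    the signature of a drive ferrying a payload from a connected to an isolated machine."""
    staged, ran = {}, {}
    for a in alerts:
        bucket = staged if a.rule == "exe_staged_to_removable" else ran
        bucket.setdefault(a.serial, set()).add(a.host)
    return sorted(s for s in staged if ran.get(s, set()) - staged[s])


# Constructed sample telemetry: one drive (serial 0123ABCD) gets a payload on the
# connected workstation, then the same drive runs it on the isolated one.
SAMPLE_LOG = r"""
2024-03-12T09:14:02 usb_insert drive=E: serial=0123ABCD host=WS-CONNECTED
2024-03-12T09:14:09 file_create path=E:\stager.exe image=C:\Users\alice\AppData\Roaming\updater.exe host=WS-CONNECTED
2024-03-12T09:20:30 file_create path=E:\minutes.docx image=C:\Windows\explorer.exe host=WS-CONNECTED
2024-03-12T09:31:40 usb_insert drive=F: serial=0123ABCD host=WS-AIRGAP
2024-03-12T09:31:55 process_create image=F:\stager.exe parent=C:\Windows\explorer.exe host=WS-AIRGAP
2024-03-12T11:02:10 process_create image="C:\Program Files\Notepad++\notepad++.exe" parent=C:\Windows\explorer.exe host=WS-AIRGAP
2024-03-12T13:05:00 usb_insert drive=G: serial=FFEE9988 host=WS-CONNECTED
2024-03-12T13:06:12 file_create path=G:\photos\trip.jpg image=C:\Windows\explorer.exe host=WS-CONNECTED
"""


def run_sample():
    """Run the detection over the constructed log; returns (alerts, carrier serials)."""
    lines = [l for l in SAMPLE_LOG.splitlines() if l.strip()]
    alerts = detect(lines)
    return alerts, carrier_serials(alerts)


if __name__ == "__main__":
    found, carriers = run_sample()
    for a in found:
        print(f"{a.rule:<26} {a.host:<13} {a.serial} {a.path} (+{a.since_insert})")
    print("serials carrying payloads between hosts:", carriers)
```

On the sample, the document copied to drive E: and the photo written to drive G: produce nothing, while the staged `stager.exe` and its later execution from the same serial on the isolated host yield two alerts and one carrier serial. Because the air-gapped host cannot ship its telemetry over the network, the correlation only works if its logs are collected too, for example by periodic export through a controlled transfer station; the device serial is what ties the two halves together, so it must be recorded on both sides.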
Connections to Other Threat Actors
Neither ESET nor Kaspersky has definitively attributed GoldenJackal to a specific nation-state, but there are hints of a link to Russian-speaking operators. ESET noted that one malware sample used a command-and-control protocol commonly associated with Turla, a group believed to be backed by Russia’s Federal Security Service (FSB). Shared tooling is a weak attribution signal on its own, but it does raise questions about the geopolitical motives behind GoldenJackal’s espionage.
Previous Findings and ESET’s Insights
Kaspersky had previously reported a limited number of GoldenJackal attacks against government and diplomatic organizations in the Middle East and South Asia, beginning in 2020. ESET first detected the group’s malware in May 2022 but could not initially tie it to any known APT group; further analysis connected it to Kaspersky’s earlier findings and ultimately to the 2019 attack on the embassy in Belarus.
ESET malware researcher Matías Porolli emphasized the unusual nature of GoldenJackal’s operations, stating, "With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems." This statement underscores the group’s resourcefulness and the potential threat it poses to sensitive organizations.
Conclusion
GoldenJackal’s record is a reminder that an air gap is only as strong as the removable-media discipline around it: both of the group’s toolsets rely on USB drives moving between connected and isolated machines. Government and diplomatic entities that run isolated networks should treat removable media as the attack surface it is, with device allow-listing, scanning or dedicated transfer stations for anything that crosses the gap, and monitoring for executables appearing on or running from removable drives. More broadly, the case shows that APT threats persist and evolve, and that defenses must be maintained proactively rather than assumed to hold.
For those interested in further details, ESET has published a comprehensive list of indicators of compromise related to GoldenJackal’s malware in their GitHub repository.