Go Infostealer Build Pattern
Recurring build artefacts observed in Go-based infostealers compiled for Windows. First documented in the PacketPursuit corpus for the acrstealer family, but the settings are generic and may appear in other Go stealers.
Pattern Definition
| Setting | Value | Purpose |
|---|---|---|
| go version | go1.26.2 (or near-current) | Latest stable at time of build |
| GOOS | windows | Target platform |
| GOARCH | 386 | 32-bit build (smaller footprint, broader compatibility) |
| CGO_ENABLED | 0 | Static binary, no C dependencies |
| -trimpath=true | Set | Removes absolute source paths from binary |
| Module path | Random 12–20 alphanumeric chars | Anti-attribution; poisons dependency graphs |
| Function names | Randomized main.* identifiers | Hinders static analysis and family clustering |
| Signing | Authenticode certificate (often self-signed or low-reputation CA) | Social-engineering trust |
| Resources | .rsrc with 256×256 PNG icons | Masquerades as legitimate application |
Detection
Look for the combination of go1.26.2 + CGO_ENABLED=0 + -trimpath=true + a module path that is purely random alphanumeric, inside a signed PE32. The .text entropy stays below 6.5 because no external packer is used — the obfuscation is compile-time only.
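As an added illustration of this detection heuristic (not code from the pattern page or the PacketPursuit corpus), the Python below parses the output of `go version -m <binary>`, reports which of the pattern's build features are present, and computes the per-section byte entropy used for the sub-6.5 `.text` check. The sample `go version -m` output, binary name and module path are constructed; the 12–20 character bound on a "purely random" module path and the 386/amd64 GOARCH values are taken from this page.

```python
import math
import re
from collections import Counter

# Constructed sample of `go version -m sample.exe` output for a build that
# matches the pattern; the binary name and module path are made up.
SAMPLE_GO_VERSION_M = """\
sample.exe: go1.26.2
\tpath\tNZlhQRhWFITWnSR
\tmod\tNZlhQRhWFITWnSR\t(devel)
\tbuild\t-compiler=gc
\tbuild\t-trimpath=true
\tbuild\tCGO_ENABLED=0
\tbuild\tGOARCH=386
\tbuild\tGOOS=windows
"""
RANDOM_MODULE = re.compile(r"^[A-Za-z0-9]{12,20}$")  # no dots/slashes, 12-20 chars

def parse_go_version_m(text: str) -> dict:
    """Turn `go version -m` output into {"goversion", "path", "build": {...}}."""
    info = {"build": {}}
    for line in text.splitlines():
        fields = line.strip().split("\t")        # e.g. ["build", "GOOS=windows"]
        if not line.startswith("\t") and ":" in line:   # "<file>: goX.Y.Z" header
            info["goversion"] = line.rsplit(":", 1)[1].strip()
        elif fields[0] == "path":
            info["path"] = fields[1]
        elif fields[0] == "build" and "=" in fields[1]:
            key, value = fields[1].split("=", 1)
            info["build"][key] = value
    return info

def matches_build_pattern(info: dict) -> list:
    """Return the pattern features found; all four together is the strong signal."""
    b = info["build"]
    checks = {
        "static": b.get("CGO_ENABLED") == "0",
        "trimpath": b.get("-trimpath") == "true",
        "windows-target": b.get("GOOS") == "windows" and b.get("GOARCH") in ("386", "amd64"),
        "random-module": bool(RANDOM_MODULE.match(info.get("path", ""))),
    }
    return [name for name, hit in checks.items() if hit]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a section; an unpacked Go .text stays below ~6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
```

Feed `shannon_entropy` the raw bytes of the `.text` section (e.g. from a PE parser) and pair a reading below 6.5 with all four build features to apply the rule as written above.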
Observed In
- acrstealer — siblings with module paths `vcCgXjVCTGAvGklandPfeYrYvazVUGgZq`
- lummastealer — Go 1.25.4, module path `NZlhQRhWFITWnSR`; notable absence of `.rsrc` icon section, distinguishing it from ACR Stealer siblings
- menomoushop — Go 1.25.4, randomized `main.*` function names, Authenticode signed (Go Daddy DV, CN maybe.us), `.symtab` retained ^[/intel/analyses/3aca18df0426522e0c301a55dae3d892b2009719854207b4bae45f4c94403c9f.html]
- 9d2ca3 — Go 1.25.4 PE64, module path `wqeHivEQWBGOQgj`, 39 randomized `main.*` functions, fabricated Authenticode (CN=askart.com), fused-string API decoding, no `.rsrc` section. Also demonstrates GOARCH=amd64 builds in this cluster.