Advanced Threat Group GoldenJackal Exploits Air-Gapped Systems


A new series of attacks targeting air-gapped systems at governmental organizations has been attributed to the advanced persistent threat (APT) group GoldenJackal.

The cyber-espionage campaign, spanning May 2022 to March 2024 and discovered by ESET researchers, used a range of custom toolsets designed to infiltrate isolated systems, particularly those without direct internet access.

Historical Context of GoldenJackal’s Activities

ESET has traced GoldenJackal’s activities back to at least 2019, when the group targeted a South Asian embassy in Belarus. During this campaign, GoldenJackal employed a custom toolset aimed specifically at air-gapped systems, marking one of the earliest known instances of such an attack. Their tools have now been publicly documented for the first time.

Key components of the attack included:

  • GoldenDealer – a component that facilitated the transfer of malicious files via USB drives

  • GoldenHowl – a modular backdoor with capabilities such as data collection and exfiltration

  • GoldenRobo – a tool used to gather and exfiltrate files from compromised systems

Recent Attacks and Enhanced Toolsets

ESET’s investigation also detailed the second wave of attacks mentioned above, which targeted a European Union governmental organization.

For these more recent incidents, GoldenJackal upgraded its toolkit to a more modular design. This new setup provided them with enhanced capabilities for persisting in networks, gathering and distributing files, and managing configurations across targeted systems.

“Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes,” ESET explained.

Target Profile and Potential Origins

GoldenJackal, active since at least 2019, has primarily focused on government and diplomatic entities in Europe, South Asia and the Middle East. The group’s operations are believed to be aimed at stealing confidential information, particularly from high-profile, air-gapped machines.

While ESET linked the tools to GoldenJackal, the group’s origin remains unclear. However, some indicators suggest a possible Russian connection, given similarities to previously identified malware attributed to Russian-speaking groups.

“In the GoldenHowl malware, the C&C protocol is referred to as transport_http, which is an expression typically used by Turla [...] and MoustachedBouncer. This may indicate that the developers of GoldenHowl are Russian speakers,” ESET wrote.

Regardless, GoldenJackal’s use of USB-based infiltration methods underscores the danger posed by these attacks, which are potentially capable of breaching even the most secure systems.
