
GoFlateLoader Uses Massive PE Overlay to Deliver Lumma, Vidar, and StealC Infostealers

Cyber Security News, June 11, 2026




By Tushar Subhra Dutta, June 11, 2026

A new malware loader called GoFlateLoader has been quietly spreading across the internet, and what makes it stand out is not how complex it is but how effective a simple trick has made it. Written in the Go programming language, this loader has one job: to decode and drop dangerous information-stealing programs onto a victim’s computer without being caught. It does this not through advanced hacking techniques but by making itself too large for most security tools to scan.

GoFlateLoader has been actively distributed since at least April 2026, and in that short time it has already impacted more than 33,000 unique users globally. The countries most affected include Brazil, India, Argentina, Mexico, Turkey, and Spain, painting a picture of a broad and ongoing campaign that shows no signs of slowing down. The loader has been seen delivering several well-known infostealers, including Lumma, Vidar, StealC, Amatera, Remus, and SvitStealer.

Researchers at Gen Digital identified GoFlateLoader and have been actively tracking it, noting that it stands out precisely because of what it lacks. As Gen Digital said in a report shared with Cyber Security News (CSN), the loader carries no anti-debugging checks, no virtual machine detection, and no sandbox-evasion logic, features that most loaders include as a matter of course. Instead, it leans on one deceptively simple method to stay off the radar.

The two main ways GoFlateLoader reaches victims are fake cracked-software downloads and a malicious traffic distribution system recently documented by Check Point Research. In the second path, victims are redirected to a landing page that shows a password-protected archive, with the password to open it displayed separately. This separation makes it harder for security tools to automatically unpack and scan what is inside.
Once the loader runs, it decodes its payload entirely within the computer’s memory, meaning the final malicious program is never written to the hard drive. This in-memory approach is a known tactic for avoiding detection by security software that monitors file activity on disk. The use of Go’s syscall.Syscall function as a transfer mechanism, with hardcoded dummy arguments, is an unusual behavioral pattern that researchers say could serve as a useful detection marker.

GoFlateLoader Uses Massive PE Overlay

GoFlateLoader’s defining feature is its file size, which typically ranges between 700 and 950 megabytes. This enormous size is not accidental.

[Figure: GoFlateLoader’s execution flow (Source – Gen Digital)]

The loader artificially inflates itself by appending a large block of data, known as a PE overlay, to the end of the actual executable image. In most observed samples this extra data is simply null bytes, though some builds use random padding instead.

[Figure: Structure of a GoFlateLoader sample highlighting a massive PE overlay (Source – Gen Digital)]

The goal of this inflation is straightforward. Many antivirus engines, endpoint detection tools, and cloud-based analysis platforms enforce strict size limits for the files they are willing to scan in depth. VirusTotal, one of the most widely used threat intelligence platforms, enforces a 650 MB upload limit. GoFlateLoader’s consistent size just above that threshold strongly suggests it was built specifically to slip past VirusTotal and similar size-constrained tools. When compressed for distribution, the padding shrinks dramatically (a long run of null bytes compresses to almost nothing), making delivery fast and low-cost for attackers.

Payloads Delivered and the Threat They Pose

The final payloads GoFlateLoader delivers are all information stealers, programs designed to quietly harvest saved passwords, browser data, and cryptocurrency wallet credentials from infected machines.
[Figure: GoFlateLoader’s PE overlay filled with null bytes (Source – Gen Digital)]

The most common payloads observed are Amatera, Remus, and Lumma, with Vidar, StealC, and SvitStealer also seen in the wild. The loader comes in both 32-bit and 64-bit versions, each matched to the architecture of the payload it is meant to run.

Users can reduce their risk by avoiding downloads from unofficial or untrusted sources, especially software advertised as cracked or free versions of paid programs. Keeping security tools updated and using solutions capable of detecting in-memory threats, rather than relying solely on file scanning, is strongly advised. Since GoFlateLoader never writes its payload to disk, traditional file-based detection alone is unlikely to catch it.

Indicators of Compromise (IoCs):

Type     Indicator                                                         Description
SHA-256  b88c5744975d2abb447aecc6c090fee9f8580413f4612eecdc6ed1973e8a1739  Password-protected archive containing GoFlateLoader x64 variant loading Remus (pwd: 1234)
SHA-256  ed5ae7f36453c5a23e9868a5729d67e0549a11f6dea54f5f52d654a8f51d4902  Archive containing GoFlateLoader x64 variant loading Remus
SHA-256  841c9297cb8a2e0ff89433d13c05bfc760eb2e98e251cb8fa785d2ad7cbac05f  Archive containing GoFlateLoader x86 variant loading Amatera
SHA-256  ece7c48eb411b24f26762ede83badb4a644c41d5777129381ac2541804d64fc2  Archive containing GoFlateLoader x86 variant loading Lumma
SHA-256  421ce2d2f49c23bbe9f60ef3b9cd38d7eb912ce02e56a61837656210069bd9e2  Archive containing GoFlateLoader x64 variant loading Vidar
SHA-256  121c2dc793b3873f75a29ec02241f94136de19c049382a50a50d0d5b99507073  GoFlateLoader x64 variant loading StealC
SHA-256  2415db5081cec9bfd14ad6da1a66169fd96f13a49010c319a73d1ed6fafd4efa  GoFlateLoader x64 variant loading Vidar
SHA-256  d9917ade3b4c125a95b5d3e6343cde26145dfbf569bd7e2a843fd0c6fc8ddc28  GoFlateLoader x64 variant loading Remus
SHA-256  4cf6893756f441522b94b36f10e5de0e47aeed4743f95c51650746d1ecf97e3d  GoFlateLoader x64 variant loading SvitStealer
SHA-256  8b89d6c9152d3aab97aadd515ecb69ca72654db2f25425759ba4b646853d737d  GoFlateLoader x86 variant loading Lumma
SHA-256  90ce4ff9da23ac150da0a8e17930cab1e369aa349fdc1b65691b70369145664a  GoFlateLoader x86 variant loading Amatera

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
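The overlay inflation described above is easy to measure once you know where a PE image really ends. The following Python script is an added worked example, not code from the article or from Gen Digital: it locates the end of the last section from the PE headers, reports how much of the file is overlay, samples the overlay's entropy to tell null padding from random padding, and can strip the overlay so that the core image can be hashed and scanned within the size limits the article mentions. The function names (overlay_offset, analyze, strip_overlay, build_synthetic_pe), the "more than half the file is overlay" heuristic, and the interpretation of the article's 650 MB limit as 650 MiB are this example's own assumptions; the PE it builds for demonstration is a constructed, non-executable stand-in rather than a real sample.

```python
"""Triage oversized PE files by measuring and characterising their overlay.

Added example; not code from the article or from Gen Digital. Function names
and thresholds are this example's own. Standard library only.
"""
import math
import random
import struct
import sys
from collections import Counter

# Upload limit quoted in the article for VirusTotal; reading "MB" as MiB is an assumption.
SCANNER_LIMIT = 650 * 1024 * 1024


def overlay_offset(data: bytes) -> int:
    """Offset where the overlay starts: just past the highest section raw-data end."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    sect_tbl = pe + 24 + opt_size                          # first IMAGE_SECTION_HEADER
    end = sect_tbl + nsect * 40                            # at least the section table
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData are adjacent at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_tbl + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))                             # tolerate truncated files


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a run of one value, close to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def sampled_entropy(buf: bytes, window: int = 64 * 1024) -> float:
    """Entropy of head, middle and tail windows, so a 900 MB overlay is not fully read."""
    if len(buf) <= 3 * window:
        return shannon_entropy(buf)
    mid = len(buf) // 2
    return shannon_entropy(buf[:window] + buf[mid:mid + window] + buf[-window:])


def analyze(data: bytes, size_limit: int = SCANNER_LIMIT) -> dict:
    """Summarise how much of the file is overlay and what kind of padding fills it."""
    off = overlay_offset(data)
    overlay = data[off:]
    ratio = len(overlay) / len(data)
    ent = sampled_entropy(overlay)
    if not overlay:
        kind = "none"
    elif ent < 0.1:
        kind = "null"       # the common case in the article: a run of zero bytes
    elif ent > 7.0:
        kind = "random"     # the less common random-padding builds
    else:
        kind = "mixed"      # real data in the overlay (installers, signatures, ...)
    return {
        "file_size": len(data),
        "overlay_offset": off,
        "overlay_size": len(overlay),
        "overlay_ratio": round(ratio, 4),
        "overlay_entropy": round(ent, 3),
        "padding_kind": kind,
        "exceeds_scanner_limit": len(data) > size_limit,
        "suspicious_inflation": ratio >= 0.5,   # this example's own heuristic threshold
    }


def strip_overlay(data: bytes) -> bytes:
    """Return only the PE image; its hash differs from the original, so record both."""
    return data[:overlay_offset(data)]


def pseudo_random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for random padding (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_synthetic_pe(overlay: bytes) -> bytes:
    """Minimal, non-executable PE32 layout with one section followed by `overlay`.

    Constructed test data only; it is not a real sample and cannot run.
    """
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 224-byte optional header, executable
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                # PE32 magic; rest left zero
    sect = 0x58 + 0xE0                                       # section table at 0x138
    hdr[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", hdr, sect + 36, 0x60000020)      # code | execute | read
    code = bytes(range(256)) * 2                             # 0x200 bytes standing in for code
    return bytes(hdr) + code + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            report = analyze(fh.read())
    else:
        report = analyze(build_synthetic_pe(b"\x00" * 4096))
    for key, value in report.items():
        print(f"{key:>22}: {value}")
```

Run it as `python3 overlay_triage.py sample.exe` to get the report for a file, or with no argument to see the constructed null-padded sample flagged. A file whose overlay is most of its size and whose sampled entropy is near zero matches the null-padding pattern the article describes; a high-entropy overlay matches the random-padding builds. If you submit the stripped image to a size-limited scanner, keep the original file's SHA-256 alongside it, since only the original hash will match the IoCs listed above.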