GoFlateLoader Uses Massive PE Overlay to Deliver Lumma, Vidar, and StealC Infostealers
By Tushar Subhra Dutta
June 11, 2026
A new malware loader called GoFlateLoader has been quietly spreading across the internet, and what makes it stand out is not how complex it is but how effective a simple trick has made it.
Written in the Go programming language, this loader has one job: to decode and drop dangerous information-stealing programs onto a victim’s computer without being caught.
It does this not through advanced hacking techniques but by making itself too large for most security tools to scan.
GoFlateLoader has been actively distributed since at least April 2026, and in that short time it has already impacted more than 33,000 unique users globally.
Countries most affected include Brazil, India, Argentina, Mexico, Turkey, and Spain, painting a picture of a broad and ongoing campaign that shows no signs of slowing down.
The loader has been seen delivering several well-known infostealers, including Lumma, Vidar, StealC, Amatera, Remus, and SvitStealer.
Researchers at Gen Digital identified and have been actively tracking GoFlateLoader, noting that it stands out precisely because of what it lacks.
As Gen Digital said in a report shared with Cyber Security News (CSN), the loader carries no anti-debugging checks, no virtual-machine detection, and no sandbox-evasion logic, features that most loaders include as a matter of course. Instead, it leans on one deceptively simple method to stay off the radar.
The two main ways GoFlateLoader reaches victims are through fake cracked software downloads and through a malicious traffic distribution system recently documented by Check Point Research.
In that second path, victims are redirected to a landing page showing a password-protected archive along with the password to open it, displayed separately. This separation makes it harder for security tools to automatically unpack and scan what is inside.
Once the loader runs, it decodes its payload entirely within the computer’s memory, meaning the final malicious program never gets written to the hard drive.
This in-memory approach is a known tactic used to avoid detection by security software that monitors file activity on disk.
The use of Go's syscall.Syscall function as the mechanism for transferring control to the payload, with hardcoded dummy arguments, is an unusual behavioral pattern that researchers say could serve as a useful detection marker.
GoFlateLoader Uses Massive PE Overlay
GoFlateLoader’s defining feature is its file size, which typically ranges between 700 and 950 megabytes. This enormous size is not accidental.
GoFlateLoader’s execution flow (Source – Gen Digital)
The loader artificially inflates itself by appending a large block of data, known as a PE overlay, to the end of the actual executable code. In most observed samples, this extra data is simply null bytes, though some builds use random padding instead.
Structure of a GoFlateLoader sample highlighting a massive PE overlay (Source – Gen Digital)
The goal of this inflation is straightforward. Many antivirus engines, endpoint detection tools, and cloud-based analysis platforms enforce strict size limits for files they are willing to deeply scan. VirusTotal, one of the most widely used threat intelligence platforms, enforces a 650 MB upload limit.
GoFlateLoader’s consistent size just above that threshold strongly suggests it was built specifically to slip past VirusTotal and similar size-constrained tools. When compressed for distribution, the inflated data shrinks dramatically, making delivery fast and low-cost for attackers.
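As a defensive triage step for the overlay inflation described above, the following added example (not code from Gen Digital's report or from the loader) parses a PE section table, measures the overlay that follows the last section's raw data, and reports its share of the file, null-byte ratio and entropy. The 0.9 "inflated" threshold, the 64 KiB sampling window and the synthetic PE stubs are constructed for illustration.

```python
import math
import random
import struct
from collections import Counter

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)

def pe_overlay_info(data: bytes, sample: int = 1 << 16) -> dict:
    """Locate the PE overlay and characterise its first `sample` bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_tbl = pe_off + 24 + opt_size
    end = sec_tbl + nsec * SECTION_HDR  # overlay starts after the last raw section
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * SECTION_HDR + 16)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))  # tolerate truncated files
    chunk = bytes(memoryview(data)[end:end + sample])  # sample, do not copy 900 MB
    n = len(chunk)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(chunk).values()) if n else 0.0
    overlay = len(data) - end
    return {
        "overlay_offset": end,
        "overlay_size": overlay,
        "overlay_ratio": overlay / len(data),
        "null_ratio": chunk.count(0) / n if n else 0.0,
        "entropy": entropy,
        "inflated": overlay / len(data) >= 0.9,  # overlay dominates the file (constructed threshold)
        "above_vt_limit": len(data) > 650 * 1024 * 1024,  # 650 MB ceiling cited in the article
    }

def build_synthetic_pe(overlay: bytes) -> bytes:
    """Constructed input: minimal PE32+ stub, one 512-byte section, then `overlay`."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0xF0
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + b"\0" * opt_size + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xCC" * 0x200 + overlay

# Constructed samples: null-byte overlay, random padding, and no overlay at all.
SAMPLE_NULL = build_synthetic_pe(b"\0" * (1 << 20))
SAMPLE_RANDOM = build_synthetic_pe(random.Random(1).randbytes(1 << 20))
SAMPLE_CLEAN = build_synthetic_pe(b"")
```

Run against a real sample with `pe_overlay_info(open(path, "rb").read())`; a file whose overlay ratio is near 1.0 with zero entropy matches the null-padded builds described above, while a high-entropy overlay matches the random-padding variants.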
Payloads Delivered and the Threat They Pose
The final payloads GoFlateLoader delivers are all information stealers, programs designed to quietly harvest saved passwords, browser data, and cryptocurrency wallet credentials from infected machines.
GoFlateLoader’s PE overlay filled with null bytes (Source – Gen Digital)
The most common payloads observed are Amatera, Remus, and Lumma, with Vidar, StealC, and SvitStealer also seen in the wild. The loader comes in both 32-bit and 64-bit versions, each matched to the architecture of the payload it is meant to run.
Users can reduce their risk by avoiding downloads from unofficial or untrusted sources, especially software advertised as cracked or free versions of paid programs.
Keeping security tools updated and using solutions capable of detecting in-memory threats rather than relying solely on file scanning is strongly advised. Since GoFlateLoader avoids writing payloads to disk entirely, traditional file-based detection alone is unlikely to catch it.
Indicators of Compromise (IoCs):