A new malware loader, GoFlateLoader, has been spreading widely since April 2026 by using an unusual evasion technique. Written in the Go programming language, the loader does not use sophisticated anti-analysis features such as anti-debugging or sandbox detection. Instead, it relies on an oversized PE overlay (data appended after the last section of the executable) to make its file too large for many security scanners to process effectively. The loader has already affected more than 33,000 unique users globally, with significant concentrations in Brazil, India, Argentina, Mexico, Turkey, and Spain.
Delivery Method and Payload
The loader is distributed primarily through fake cracked software downloads and a malicious traffic distribution system identified by Check Point Research. In the latter method, victims are redirected to landing pages that display password-protected archives with the password shown separately, complicating automated unpacking. Once executed, GoFlateLoader decodes its payload entirely in the computer’s memory and never writes the final malicious program to the hard drive, a common tactic to avoid file-based detection. It has been observed delivering multiple well-known infostealers, including Lumma, Vidar, StealC, Amatera, Remus, and SvitStealer.
Detection and Impact
Researchers from Gen Digital are tracking the loader and note that its lack of standard evasion tools is offset by the effectiveness of its massive file size approach. The loader uses Go’s syscall.Syscall function as a transfer mechanism with hardcoded dummy arguments, an unusual behavioral pattern that researchers suggest could serve as a detection marker. The campaign shows no signs of slowing down, indicating that the simplicity of the technique has not diminished its effectiveness against current security tools.
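The oversized-overlay trick described above is cheap to triage for: the end of the last PE section is computable from the headers, so anything beyond it is overlay, and a file whose bulk is overlay is worth a closer look before a scanner gives up on it for size. The following is an added example written for this page, not code from Gen Digital, Check Point Research, or the loader itself. It builds a constructed minimal PE32 in memory (so it runs offline), measures the overlay, subtracts any Authenticode certificate table (which legitimately lives in the overlay), and applies assumed thresholds (`MIN_OVERLAY_BYTES`, `MIN_OVERLAY_RATIO`) that are placeholders, not values from the article.

```python
import struct

# Assumed triage thresholds (placeholders, not from the article): flag a file
# whose overlay is both large in absolute terms and dominates the file.
MIN_OVERLAY_BYTES = 64 * 1024
MIN_OVERLAY_RATIO = 0.75


def pe_overlay_info(data: bytes) -> dict:
    """Parse PE headers and report how much of the file lies past the last section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at 96 (PE32) or 112 (PE32+); entry 4 is the
    # certificate table, whose VirtualAddress is a raw file offset.
    dir_base = 96 if magic == 0x10B else 112
    cert_size = 0
    if opt_size >= dir_base + 5 * 8:
        _, cert_size = struct.unpack_from("<II", data, opt + dir_base + 4 * 8)

    # End of mapped data = max(PointerToRawData + SizeOfRawData) over sections,
    # never less than the end of the section table itself.
    sect_table = opt + opt_size
    image_end = sect_table + 40 * num_sections
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        image_end = max(image_end, ptr_raw + size_raw)

    overlay = max(0, len(data) - image_end)
    non_cert_overlay = max(0, overlay - cert_size)
    return {
        "file_size": len(data),
        "image_end": image_end,
        "overlay_size": overlay,
        "certificate_size": cert_size,
        "non_cert_overlay": non_cert_overlay,
        "overlay_ratio": non_cert_overlay / len(data) if data else 0.0,
    }


def flag_oversized_overlay(info: dict,
                           min_bytes: int = MIN_OVERLAY_BYTES,
                           min_ratio: float = MIN_OVERLAY_RATIO) -> bool:
    """Triage signal only: installers and self-extractors also carry big overlays."""
    return info["non_cert_overlay"] >= min_bytes and info["overlay_ratio"] >= min_ratio


def build_sample_pe(section_size: int, overlay_size: int) -> bytes:
    """Constructed minimal PE32 with one section and an appended overlay (not a real binary)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature at 0x40
    opt_size = 224                                    # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic; directories left zeroed
    headers_size = 64 + 4 + 20 + opt_size + 40
    section = struct.pack("<8sIIIIIIHHI", b".text", section_size, 0x1000,
                          section_size, headers_size, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
            + b"\x90" * section_size + b"\x00" * overlay_size)


if __name__ == "__main__":
    for name, blob in (("padded", build_sample_pe(512, 200_000)),
                       ("clean", build_sample_pe(512, 0))):
        info = pe_overlay_info(blob)
        print(name, info, "FLAG" if flag_oversized_overlay(info) else "ok")
```

Run it against a directory of samples by replacing `build_sample_pe` with `open(path, "rb").read()`. Because the check reads only a few hundred header bytes plus the file length, it stays cheap on exactly the multi-hundred-megabyte files that make a full content scan impractical, which is the point of applying it before, not instead of, a deeper scan.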
Source: Cyber Security News
