Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

GoldenSpy: Chapter Two – The Uninstaller

On June 25, 2020 Trustwave SpiderLabs published research showing that the Intelligent Tax software, published by Aisino Corporation and required by a Chinese bank, actually contained a hidden backdoor that surrendered complete command and control of the victim’s network. This story received international news coverage and was widely discussed in security circles. To review the original blog post click here.

On June 28, 2020, our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax product. But this time it had nothing to do with remote command and control of the victim. Rather, this new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself with the following command: cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe. Note the “/c” which will terminate the Windows Command-line interface after the operation is completed and “/d” which will delete without asking permission or giving any notification.

Gone without a trace, or even knowing it was there.

In our testing, this GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment, however, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner. 

While the SpiderLabs team is gratified to see GoldenSpy research and analysis result in such a rapid course reversal in the Golden Tax threat campaign, we are not so optimistic as to believe that this new development signifies a slow-down in threat actor activity. This threat is a clear and present danger, driven by incredibly smart and innovative adversaries. We will allow for the briefest of pats on the back and then return to hunting for the next threat.

Organizations must continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate, and socially engineer their way into environments. The value of the GoldenSpy case-study is not the IOCs we provided, it’s the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy. 

Full Analysis of the GoldenSpy Uninstaller below:

GoldenSpy Uninstaller


Trustwave SpiderLabs investigated the main tax software executable again for the execution flow because we observed the software execution is derived from the command given to upgrade or install new software on the infected machines.

Once installed, the main tax module will send a POST request for any software upgrades that are needed. Initially, it would download the SVMinstaller module to implant the GoldenSpy malware, but as of June 28, we have identified a new flow that downloads and executes a customized GoldenSpy uninstaller called “AWX.exe”. Currently, Aisino Intelligent Tax Software is deploying the GoldenSpy Uninstaller, instead of GoldenSpy itself. This does raise the question as to what it might deploy next.

The GoldenSpy Uninstaller, called "AWX.exe" is silently pushed to infected machines from and it cleans up all the traces of GoldenSpy’s existence. The following flow begins the process:

  • The command “PROTOCOL_00” will request any software upgrades
  • Receives command to install “AWX.exe”
  • The command “PROTOCOL_99” downloads and executes “AWX.exe”
    • http://223.112.21[.2:8090]/download/AWX.exe


MD5: 735AC19B261DC66D5850BEA21F3D54FE

SHA256: 7F5ED71F18937ECC6DB9520CA9A9D16E3C113609C7A9A99A29BA74687F1349D2

SHA1: 4755B68996B53AD3F734127FE46723B60681856E

PDB path : D:\日常工作\客户端软件\VCProject\dgs\Release\del.pdb

Translated : D:\day-to-day work\Client software\VCProject\dgs\Release\del.pdb

Created TImeStamp : 28 June 2020 04:15PM GMT

Upon installation, AWX.exe takes the following actions:

  1. Identify the executables "svm.exe" and "svmm.exe"
  2. Stop the “GoldenSpy” services
  3. Kills both “svm.exe” and “svmm.exe” processes.
  4. Log the Processes the svm error logs
  • C:\Program Files (x86)\svm\log\{yearmonthdate}-svm.log
  • C:\Program Files (x86)\svm\log\{yearmonthdate}-svmm.log

The contents of the log entries are shown below:

  • [yeardatemonth time]  [ERROR][SVM](5056): 1063
  • [yeardatemonth time]  [ERROR][SVMM](3880): 1063
  1. Uninstall the autostart services and delete all files and folders containing any reference to GoldenSpy. To include:
  • C:\Program Files (x86)\svm\svm.exe
  • C:\Program Files (x86)\svm\svmm.exe
  • C:\Program Files (x86)\svm

*Note, this deletion operation also deletes the log file it just generated.

  1. Delete the registry entries
  1. Self-Delete “GoldenSpy Uninstaller” AWX.exe

cmd.exe /c del /q C:\Users\admin\AppData\Local\Temp\AWX.exe

Second Sample Identified – BWXT.EXE

In the early morning hours of June 29, a second version of this GoldenSpy Uninstaller was identified to be downloaded by the Intelligent Tax software, only a few hours after the original was identified. The new sample was compiled on 29 June 2020 at 10:38PM GMT. Behaviorally, it was identical to AWX.EXE, however, this version obfuscated its variables with Base64 encoding. SpiderLabs cannot verify the reason for this change, but we hypothesize that it may have been to evade antivirus, as several AV engines began to alert on AWX.EXE.

Strings within the AWX.EXE include:

Project path:
Translated Project Path:
D:\day-to-day work\Client software\VCProject\dgs\Release\BWXT.pdb


During our analysis, we found that the GoldenSpy threat actors followed our removal recommendations step by step with their uninstaller. The table below shows our recommendations, compared to their installer.

Trustwave Recommendations

GoldenSpy Uninstaller

Freeze both svm.exe and svmm.exe processes

Stops the “GoldenSpy” services

Kill SVM processes

Looks “svm.exe” and “svmm.exe” and kills both processes

Go to SVM directory and permanently delete related files

Uninstall the service and delete the files and folder

Remove all registry artifacts related to SVM service

Remove all registry artifacts related to SVM service


Self-delete "AWX.exe"

Indicators of Compromise:



















GoldenSpy Uninstaller YARA Rule:

rule Goldenspy_Uninstaller
  author = "SpiderLabs"
  malware_family = "GoldenSpy"
 filetype =  "exe_dll"

    $str1 = "taskkill /IM svm.exe /IM svmm.exe /F" ascii    //Kill the running process
    $str2 = "\\svm.exe -stopProtect" ascii                                //Stop the service
    $str3 = "\\svmm.exe -u" ascii                                                    //Uninstall the malware
    $str4 = "\\VCProject\\dgs\\Release\\" ascii                        //Project path
    $str5 = "dGFza2tpbGwgL0lNIHN2bS5leGUgL0lNIHN2bW0uZXhlIC9GIA" ascii
    $str6 = "c3ZtLmV4ZSAtc3RvcFByb3RlY3Q" ascii
    $str7 = "XHN2bW0uZXhlIC11" ascii
    $str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\svm" ascii
    $str9 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXHN2bQ" ascii


    (uint16(0) == 0x5A4D) and 4 of ($str*) 

Special Thanks to SpiderLabs Threat Hunter Reegun Richard Jayapaul for his analysis of this new GoldenSpy threat actor activity.

Latest SpiderLabs Blogs

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for...

Read More