GoldenJackal Harnesses .NET Malware for Espionage


GoldenJackal is an Advanced Persistent Threat (APT) group that has silently operated for years. Since 2019, this covert group has strategically focused on stealth, maintaining a low profile, and being selective with their targets to reduce the chances of detection.

GoldenJackal’s primary motivations center around espionage, as indicated by their use of data exfiltration and credential dumping tools. Their methods of attack include spear-phishing campaigns involving malicious documents and trojanized ‘Skype for Business’ installers.

A defining trait of GoldenJackal is their use of .NET malware – malicious software built on the .NET framework. Their .NET-based toolset includes ‘JackalControl,’ ‘JackalSteal,’ ‘JackalWorm,’ ‘JackalPerInfo,’ and ‘JackalScreenWatcher.’ Each component serves a different purpose, ranging from controlling infected systems, stealing sensitive data and moving laterally across networks to capturing screenshots and spreading malware via USB drives.

Any powerful tool, even a software framework developed for legitimate purposes like .NET, can be repurposed for malicious intent. GoldenJackal’s tactics underline this, using a mainstream framework to create a covert arsenal of digital weapons.

Acreto Solution

Acreto’s robust solutions can be leveraged to address and counteract the threats posed by the Advanced Persistent Threat (APT) group, GoldenJackal. Here’s how:

Firstly, GoldenJackal has been methodically targeting government and diplomatic entities across Asia, favoring stealth and a low profile. This matches well with Acreto’s Ecosystems solution:

  • Ecosystems can be set up to provide a dedicated security infrastructure per application, use-case, or even a particular third-party, inherently limiting access only to those necessary, thereby drastically reducing the chances of unwanted intrusions. With its global functionality, the Ecosystems solution could safeguard the targeted entities regardless of their geographical location.

  • The primary tactics used by GoldenJackal include spear-phishing campaigns, malicious documents, and trojanized ‘Skype for Business’ installers. This highlights the need for secure communication channels. Acreto’s Ecosystems can eliminate the Internet Attack Surface, blocking all access from the Internet while ensuring secure communication between authorized systems.

  • Acreto provides Micro-Segmentation and Nano-Segmentation to isolate individual or groups of systems on a shared network, preventing lateral movement of threats.

  • To combat GoldenJackal’s .NET malware toolset, the ‘Jackal’ series, Acreto’s Encrypted Secure Scan can decrypt, scan, and re-encrypt communications in real time. If any malicious content is detected in the encrypted payload, it is blocked, neutralizing threats like the ‘Jackal’ series before they can inflict damage.

  • With Access Control, Acreto can provide an additional layer of security. For instance, the Identity with MFA control can ensure only authorized users gain access to the Ecosystem, significantly lowering the chances of credential dumping, a method often used by GoldenJackal.

  • GoldenJackal’s modus operandi also includes controlling infected systems. Acreto’s solutions can counteract this by isolating data flows between Ecosystem members, limiting access only to specified sources and destinations, which would help keep the systems secure.

  • Acreto’s Event Tracking & Management and Threat Prevention capabilities can provide constant vigilance against the stealthy operations of GoldenJackal. By identifying and mitigating known threats and performing Zero-Day Behavioral Analysis, Acreto can help ensure that any unusual activity is promptly detected and addressed.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network, or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.

  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
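The following is an added illustration of how a default-deny flow policy of this kind can be evaluated; it is not Acreto’s implementation. The rule attributes follow the text above (source, destination, network protocol and port, application protocol and application program), while the addresses, names and sample flows are constructed for the example.

```python
"""Default-deny evaluation of isolated data flows between two members.

Added illustration, not Acreto's implementation. Rule attributes follow the
page text; all addresses, protocol names and flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    src: str                         # permitted source CIDR
    dst: str                         # permitted destination CIDR
    proto: str                       # "tcp", "udp" or "icmp"
    ports: Tuple[int, int] = (0, 0)  # inclusive destination port range (ignored for icmp)
    app_proto: Optional[str] = None  # e.g. "https"; None means any
    program: Optional[str] = None    # e.g. "ms-exchange"; None means any


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    app_proto: str
    program: str


def rule_matches(rule: FlowRule, flow: Flow) -> bool:
    """True only when every attribute of the flow falls inside the rule."""
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if flow.proto != rule.proto:
        return False
    if rule.proto != "icmp":
        lo, hi = rule.ports
        if not lo <= flow.port <= hi:
            return False
    if rule.app_proto is not None and flow.app_proto != rule.app_proto:
        return False
    if rule.program is not None and flow.program != rule.program:
        return False
    return True


def is_allowed(rules: List[FlowRule], flow: Flow) -> bool:
    """Allow only what some rule explicitly permits; anything unmatched is denied."""
    return any(rule_matches(r, flow) for r in rules)


# Constructed policy: one workstation subnet may reach one mail server over
# HTTPS (Exchange) and may ping it. Nothing else between these members is allowed,
# including traffic in the reverse direction.
POLICY = [
    FlowRule("10.10.1.0/24", "10.10.2.5/32", "tcp", (443, 443), "https", "ms-exchange"),
    FlowRule("10.10.1.0/24", "10.10.2.5/32", "icmp"),
]

if __name__ == "__main__":
    probes = [
        Flow("10.10.1.7", "10.10.2.5", "tcp", 443, "https", "ms-exchange"),  # allowed
        Flow("10.10.1.7", "10.10.2.5", "tcp", 445, "smb", "file-share"),     # denied: port and protocol
        Flow("10.10.3.1", "10.10.2.5", "tcp", 443, "https", "ms-exchange"),  # denied: source not a member
        Flow("10.10.1.7", "10.10.2.5", "icmp", 0, "icmp", "ping"),           # allowed
    ]
    for f in probes:
        print("ALLOW" if is_allowed(POLICY, f) else "DENY ", f)
```

The point of the example is the evaluation order: the flow has to satisfy every layer (addresses, transport, application protocol, program) of a single rule, and the absence of a matching rule is a deny rather than an allow, which is what keeps a member from reaching anything it was not explicitly paired with.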

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

  • Device: Assigns a unique identity to each device, so that a device that does not rely on a user to operate – such as an autonomous application or IoT device – can be validated as allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls

  • Social Security Number Upload / Download Controls

  • RegEx Pattern Upload / Download Controls
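As an added illustration (not Acreto’s code) of how the three detector types listed above fit together, the scanner below looks for card numbers that pass the Luhn check, Social Security Numbers in the standard format, and caller-supplied regular expressions, and returns a list of findings that a gateway could use to block the transfer. The sample text and the `PROJ-` pattern are constructed for the example.

```python
"""Content scanner for the three DLP detector types named on the page.

Added illustration, not Acreto's implementation. The sample text and the
custom "project_id" pattern are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# SSN in AAA-GG-SSSS form; the lookaheads exclude groups that are never issued
# (area 000, 666 or 9xx; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str, custom_patterns: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return (detector_name, matched_text) for every sensitive item found."""
    findings: List[Tuple[str, str]] = []

    # Card numbers: a digit run is only reported when the Luhn check passes,
    # which filters out most order numbers and other long digit strings.
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", m.group()))

    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))

    # Organisation-specific patterns, e.g. internal ticket or project identifiers.
    for name, pattern in (custom_patterns or {}).items():
        for m in re.finditer(pattern, text):
            findings.append((name, m.group()))

    return findings


def should_block(text: str, custom_patterns: Optional[Dict[str, str]] = None) -> bool:
    """Block the upload or download when any detector fires."""
    return bool(scan(text, custom_patterns))


# Constructed sample: one valid test card number, one that fails Luhn, an SSN
# and a made-up internal project identifier.
SAMPLE_TEXT = (
    "Card 4111 1111 1111 1111, SSN 123-45-6789, ticket PROJ-0042, "
    "order ref 4111 1111 1111 1112 is not a card."
)
CUSTOM = {"project_id": r"\bPROJ-\d{4}\b"}

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_TEXT, CUSTOM):
        print(f"{kind:12s} {value}")
    print("block:", should_block(SAMPLE_TEXT, CUSTOM))
```

The Luhn validation matters in practice: without it, any 13 to 19 digit run (invoice numbers, tracking codes) would trigger the card detector and the control would be tuned off by the people it annoys.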

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name for the Ecosystem, then choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes and a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it is time for policy cleanup, because an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanisms of Attack

  • The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:

    • Control victim machines

    • Spread across systems using removable drives

    • Exfiltrate certain files from the infected system

    • Steal credentials

    • Collect information about the local system

    • Collect information about users’ web activities

    • Take screen captures of the desktop

  • JackalControl

    • This is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and supported commands. These are received via an HTTPS communication channel facilitated between the malware and the C2 servers, and can instruct the implant to conduct any of the following operations:

      • Execute an arbitrary program with provided arguments

      • Download arbitrary files to the local file system

      • Upload arbitrary files from the local file system

  • JackalSteal

    • This tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted system. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be installed by another component.

  • JackalWorm

    • This worm was developed to spread and infect systems using removable USB drives. The program was designed as a flexible tool that can be used to infect systems with any malware.

  • JackalPerInfo

    • This malware was developed to collect information about the compromised system, as well as a specific set of files that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named it “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.

  • JackalScreenWatcher

    • This tool collects screenshots of the victim’s desktop and sends the pictures to a remote, hard-coded C2 server:

hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php

This specific webpage was also used as a C2 for the JackalSteal component, indicating that the tools are probably part of a single framework.
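A defender who has this indicator can check it against web proxy telemetry. The script below is an added example (not Acreto’s code, and not something the page describes) that refangs the defanged URL above and matches it against proxy log lines, reporting a full URL match at high confidence and a host-only match at lower confidence. The log lines and their format (timestamp, source IP, method, URL, status) are constructed for the example; only the indicator comes from the page.

```python
"""Match the published (defanged) C2 indicator against web proxy logs.

Added example, not Acreto's code. The indicator is the one quoted on the page;
the log lines, their format and the internal addresses are constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Indicator exactly as published, in defanged form.
DEFANGED_C2 = "hxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php"


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared with real URLs."""
    s = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]//", "://")
    return s


def indicator_parts(indicator: str) -> Tuple[str, str]:
    """Split a (defanged or plain) URL indicator into lower-cased host and path."""
    u = urlsplit(refang(indicator))
    return (u.hostname or "").lower(), u.path


# Constructed proxy log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def match_c2(lines: Iterable[str], indicators: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that touches an indicator.

    level "url"    : host and path both match (high confidence)
    level "domain" : only the host matches (lower confidence; review manually)
    """
    targets = [indicator_parts(i) for i in indicators]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        u = urlsplit(m["url"])
        host = (u.hostname or "").lower()
        for ihost, ipath in targets:
            if host != ihost:
                continue
            level = "url" if u.path == ipath else "domain"
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "level": level})
            break
    return hits


# Constructed sample telemetry (not real traffic). Line 2 shares the path but not
# the host and must not match; line 3 touches the host but a different path.
SAMPLE_LOGS = [
    "2023-06-01T10:00:01Z 10.20.0.15 POST https://tahaherbal.ir/wp-includes/class-wp-http-iwr-client.php 200",
    "2023-06-01T10:00:05Z 10.20.0.22 GET https://example.com/wp-includes/class-wp-http-iwr-client.php 200",
    "2023-06-01T10:00:09Z 10.20.0.15 GET https://TAHAHERBAL.ir/ 200",
    "2023-06-01T10:00:12Z 10.20.0.31 GET https://www.example.org/index.html 304",
]

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOGS, [DEFANGED_C2]):
        print(f"{hit['level']:6s} {hit['ts']} {hit['src']} {hit['url']}")
```

Matching on host and path separately is deliberate: a full-URL hit is strong evidence that the host is talking to the implant’s endpoint, while a host-only hit tells the analyst which internal source to look at next without treating every request to that domain as a confirmed infection.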

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.