Last month, users were warned that the Intelligent Tax software product by the Aisino Corporation was found to have the GoldenSpy backdoor hidden within it. Now it appears that GoldenSpy was not the only malware hidden within Chinese corporate tax software: the GoldenHelper malware has been discovered in the Golden Tax Invoicing Software from Baiwang. While GoldenHelper is functionally different from GoldenSpy, both share a similar delivery method. They use three DLLs to interface with the Golden Tax software, bypass Windows security, escalate privileges, and download and execute arbitrary code. GoldenHelper also uses several means of obfuscation to evade detection, including name randomization while in transit. From January 2018 to July 2019, GoldenHelper was found to install a final payload named “taxver.exe,” though no samples have been analyzed yet.