Operation GoldenSpy Chapter Two
In mid-2020, companies in China were targeted with the GoldenSpy malware, which was hidden inside legitimate tax software. A few weeks later, an uninstaller for the malware was discovered hosted on one of the actor's original command and control servers. The tax product downloaded the uninstaller automatically, and it removed any reference to GoldenSpy by stopping processes and deleting files and registry entries. A second version of the uninstaller was also discovered; it used Base64 encoding to obfuscate variables.