A little-known threat actor, GoldenJackal, has been linked to a series of cyberattacks targeting embassies and government organizations, aiming to infiltrate air-gapped systems using two unique toolsets.
Victims included a South Asian embassy in Belarus and a European Union (EU) government organization, according to Slovak cybersecurity firm ESET.
"The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," said Matías Porolli, a security researcher, in an exhaustive analysis.
GoldenJackal first came to light in May 2023 when Russian cybersecurity vendor Kaspersky detailed the threat actor’s attacks on government and diplomatic entities in the Middle East and South Asia. However, the group’s origins date back to at least 2019.
One of the key characteristics of GoldenJackal’s intrusions is the use of JackalWorm, a worm capable of infecting connected USB drives and delivering a trojan called JackalControl.
Though there is insufficient evidence to definitively attribute these activities to a specific nation-state, some tactical overlaps exist with campaigns linked to Turla and MoustachedBouncer, both of which have also targeted foreign embassies in Belarus.
ESET discovered GoldenJackal artifacts at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. Notably, the threat actor deployed an entirely revamped toolset between May 2022 and March 2024 against an EU government entity.
Air-Gapped Systems
"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," Porolli explained. "This speaks to the resourcefulness of the group."
In the South Asian embassy attack, three different malware families were used alongside JackalControl, JackalSteal, and JackalWorm:
Meanwhile, the attacks on the unnamed European government relied on a new set of malware tools written mainly in Go, which were designed to collect files from USB drives, spread malware, and exfiltrate data. The toolset included:
It remains unclear how GoldenJackal gains initial access to breach its targets. However, Kaspersky previously suggested that the group may be using trojanized Skype installers or malicious Microsoft Word documents as entry points.
GoldenDealer, already present on a computer connected to the internet, activates when a USB drive is inserted, copying itself and an unknown worm component to the removable device. The unknown component is likely executed when the infected USB drive is connected to the air-gapped system.
When the USB drive is reconnected to the internet-connected machine, GoldenDealer retrieves information stored on the drive and passes it to an external server. The server then responds with payloads to be executed on the air-gapped system.
GoldenDealer is also responsible for copying executables to the USB drive, which are then executed on the air-gapped machine when the device is reconnected. GoldenRobo, running on the internet-connected PC, transmits the stolen files to the attacker’s server.
Interestingly, ESET has not yet discovered a module responsible for copying the files from the air-gapped machine to the USB drive.
"Managing to deploy two separate toolsets for breaching air-gapped networks in just five years shows that GoldenJackal is a sophisticated threat actor aware of the network segmentation used by its targets," Porolli concluded.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067