GOVERSHELL Malware Uncovered: The Rise of UTA0388’s Espionage Tactics


By Tina Reynolds


Cybersecurity researchers have discovered a new and sophisticated malware family called GOVERSHELL, attributed to a China-aligned advanced persistent threat actor tracked as UTA0388. The malware is written entirely in the increasingly popular Go programming language, and in recent months five distinct variants have been observed: HealthKick, TE32, TE64, WebSocket and Beacon, each with its own functionality and delivery method.

HealthKick was seen as early as April 2025 and runs commands through cmd.exe. In June 2025 TE32 surfaced, using a PowerShell reverse shell for remote command execution. TE64 appeared in early July 2025 and runs both native and dynamic commands through PowerShell. WebSocket showed up in mid-July 2025 and executes commands through powershell.exe. Finally, the Beacon variant was identified in September 2025, also leveraging PowerShell for command execution.

Delivery Mechanisms of GOVERSHELL

GOVERSHELL is mainly spread through spear-phishing campaigns targeting organizations across North America, Asia and Europe. These campaigns distribute fraudulent emails containing links that lead victims to a counterfeit Cloudflare CAPTCHA verification page. The emails are designed to look authentic and frequently claim to come from academic experts and lead analysts at organizations that are entirely fabricated.

Volexity, a cybersecurity firm that has been tracking UTA0388's activities, recently described how narrowly targeted these phishing campaigns are.

“The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations.” – Volexity

The phishing emails were sent from Proton Mail, Microsoft Outlook and Gmail accounts, all widely trusted email providers, which lends the messages credibility and makes them more persuasive. The links in these emails lead to remotely hosted archives that contain the malicious payload.

Technical Characteristics of GOVERSHELL Variants

Each GOVERSHELL variant displays distinct technical traits that reflect the evolving tactics of UTA0388. HealthKick, for example, uses cmd.exe for command execution and is comparatively simple under the hood. TE32, by contrast, uses a PowerShell reverse shell, through which it executes commands directly and more stealthily.

TE64 builds on this by running both native and dynamic commands, giving the operator an additional layer of flexibility. WebSocket relies on powershell.exe for execution. Beacon mirrors TE64's functionality, using PowerShell to run arbitrary commands.

To maximize the impact of their campaigns, UTA0388 has abused otherwise benign platforms to host the malicious archive files. Platforms such as Netlify, Sync and OneDrive have been used to serve this content. The tactic obscures where the malware came from and increases the chance that targets will trust the files they are downloading.

“The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload.” – Volexity

Use of Abused Services and DLL Side-Loading

GOVERSHELL also uses DLL side-loading to execute its malicious DLL payload: the rogue DLL is picked up by a legitimate application that looks for a library of that name, so the malicious code runs under the name of a trusted program. This lets the malware evade a number of security tools by hiding in plain sight, masquerading as a legitimate application or library.
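As an added defensive example, not code from this article or from Volexity's reporting, the following Python heuristic pairs the two behaviours described above: a DLL loaded from the same user-writable directory as its host executable, followed by that host spawning cmd.exe or powershell.exe. The event fields, paths and sample telemetry are constructed for the example and the user-writable prefixes are an assumed tuning choice.

```python
"""Heuristic: flag a process that side-loaded a DLL from a user-writable
directory and then spawned cmd.exe or powershell.exe (Sysmon-like events)."""
import ntpath

# Assumed tuning: directories where a properly installed host binary would not live.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SHELLS = {"cmd.exe", "powershell.exe"}


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def sideload_candidates(events):
    """Return {pid: image} for hosts that loaded a DLL from their own
    directory while running from a user-writable location."""
    hosts = {}
    for ev in events:
        if ev["type"] != "image_load":
            continue
        image, dll = ev["image"].lower(), ev["dll"].lower()
        if ntpath.dirname(image) == ntpath.dirname(dll) and is_user_writable(image):
            hosts[ev["pid"]] = ev["image"]
    return hosts


def detect(events):
    """Return (host_image, shell_image, cmdline) for each shell spawned by a side-load candidate."""
    hosts = sideload_candidates(events)
    alerts = []
    for ev in events:
        if (ev["type"] == "process_create" and ev["parent_pid"] in hosts
                and ntpath.basename(ev["image"].lower()) in SHELLS):
            alerts.append((hosts[ev["parent_pid"]], ev["image"], ev["cmdline"]))
    return alerts


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4101, "image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "dll": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"type": "image_load", "pid": 4101, "image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "dll": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create", "pid": 4120, "parent_pid": 4101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"type": "image_load", "pid": 880, "image": r"C:\Program Files\Editor\editor.exe",
     "dll": r"C:\Program Files\Editor\plugin.dll"},  # same-directory load, but not user-writable
    {"type": "process_create", "pid": 900, "parent_pid": 880,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c build.bat"},
]

if __name__ == "__main__":
    for host, shell, cmd in detect(SAMPLE_EVENTS):
        print(f"ALERT: {host} -> {shell}: {cmd}")
```

Only the viewer.exe chain is reported; the editor in Program Files loading its own plugin and then running cmd.exe is the benign pattern the user-writable check is meant to leave alone.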