{"paper":{"title":"Memory Forensics Techniques for Automated Detection and Analysis of Go Malware","license":"http://creativecommons.org/licenses/by-nc-nd/4.0/","headline":"A memory forensics framework parses Go runtime structures to recover execution state and artifacts from malware binaries.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Andrew Case, Hala Ali, Irfan Ahmed","submitted_at":"2026-05-13T18:34:00Z","abstract_excerpt":"The Go programming language has become increasingly popular among malware developers due to its ability to produce statically linked, cross-platform executables that challenge traditional analysis techniques. These binaries embed a substantial runtime and compiler-generated metadata and are compiled with aggressive optimizations that discard type information for function parameters and local variables. Go's design further complicates analysis by representing strings as pointer-length pairs rather than null-terminated sequences, employing a caller-allocated stack model that obscures argument bo"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"we present the first memory forensics framework for runtime analysis of Go binaries... The framework successfully recovered C2 endpoints, persistence mechanisms, encryption keys, ransom notes, and execution state, including critical runtime artifacts that were absent from published threat intelligence.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That Go's internal runtime structures (type metadata, string representation, goroutine stacks, ABI) remain stable enough to parse reliably from memory across the versions and compiler optimizations used by the evaluated malware samples.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"A Volatility 3 plugin framework recovers runtime C2 endpoints, keys, and execution state from Go malware by parsing internal heap, stack, and goroutine structures.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"A memory forensics framework parses Go runtime structures to recover execution state and artifacts from malware binaries.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"b4c21f7dd739db44a67930cd1781ac3e42fbfb9ad2a1f568e5d9fcb21106ca01"},"source":{"id":"2605.14020","kind":"arxiv","version":1},"verdict":{"id":"070fc996-6407-4d04-bc58-48ad745476cb","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T05:30:00.461805Z","strongest_claim":"we present the first memory forensics framework for runtime analysis of Go binaries... The framework successfully recovered C2 endpoints, persistence mechanisms, encryption keys, ransom notes, and execution state, including critical runtime artifacts that were absent from published threat intelligence.","one_line_summary":"A Volatility 3 plugin framework recovers runtime C2 endpoints, keys, and execution state from Go malware by parsing internal heap, stack, and goroutine structures.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That Go's internal runtime structures (type metadata, string representation, goroutine stacks, ABI) remain stable enough to parse reliably from memory across the versions and compiler optimizations used by the evaluated malware samples.","pith_extraction_headline":"A memory forensics framework parses Go runtime structures to recover execution state and artifacts from malware binaries."},"references":{"count":19,"sample":[{"doi":"10.1016/j.fsidi.20","year":2025,"title":"Leveraging memory forensics to investigate and detect illegal 3d printing activities","work_id":"e4184c04-4b1d-4a6e-ab3d-8c32298b8751","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2019,"title":"{DroidScraper}: A tool for android{In-Memory}object recovery and reconstruction, in: 22nd International Symposium on Research in At- tacks, Intrusions and Defenses (RAID 2019), pp. 547–559. Ali-Gombe,","work_id":"9aaa71d7-e9bd-466a-a9e2-f417be74210f","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"Accessed: 2026-01-16","work_id":"05698f57-2b50-444d-9e33-8e74559630cb","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"Accessed: 2026-01-16","work_id":"b9601fce-d7ce-4d4f-ad44-9ee662e6e9eb","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"Accessed: 2026-01-16","work_id":"e0e5b642-3aeb-4331-bbee-abd370b4ceee","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":19,"snapshot_sha256":"88eddde61f4b52985fa82b5b4cc16059cfa1d21bb7be207e9336364bbcaacdbc","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}