arxiv: 2605.14020 · v1 · pith:KKAWWXDRnew · submitted 2026-05-13 · 💻 cs.CR

Memory Forensics Techniques for Automated Detection and Analysis of Go Malware

Hala Ali , Andrew Case , Irfan Ahmed This is my paper

Pith reviewed 2026-05-15 05:30 UTC · model grok-4.3

classification 💻 cs.CR

keywords memory forensicsGo malwareruntime analysisVolatility pluginsgoroutine stacksC2 endpointsstatic linkingABI analysis

0 comments

The pith

A memory forensics framework parses Go runtime structures to recover execution state and artifacts from malware binaries.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Go binaries challenge analysis because they are statically linked, discard type information, represent strings as pointer-length pairs, and spread state across goroutines. The paper presents the first framework that parses Go's internal structures to reconstruct type and function metadata, recover strings, and derive argument values through ABI-aware backward analysis. It further examines goroutine stacks to identify active functions and their runtime values. Implemented as Volatility 3 plugins, the approach was tested on recent malware including BRICKSTORM, Obscura ransomware, and Pantegana RAT. It recovered C2 endpoints, persistence mechanisms, encryption keys, ransom notes, and execution state absent from published threat intelligence.

Core claim

We present the first memory forensics framework for runtime analysis of Go binaries. By parsing Go's internal structures, our framework reconstructs type and function metadata, recovers heap-allocated and static strings, and distinguishes application-level functions. Through ABI-aware backward analysis, it derives execution paths and argument values from call sites. To capture runtime state beyond what static analysis reveals, it analyzes goroutine stacks to identify actively executing functions and recover their runtime argument values. We implemented all capabilities as Volatility 3 plugins and evaluated them against malware seen in recent incidents, successfully recovering C2 endpoints, 0

What carries the argument

Volatility 3 plugins that parse Go runtime structures (type metadata, pointer-length string representations, goroutine stacks, and ABI) to reconstruct metadata and derive execution paths from memory.

If this is right

Recovers C2 endpoints and persistence mechanisms directly from infected system memory.
Extracts encryption keys and ransom notes that exist only in runtime state.
Identifies actively executing functions and their argument values from goroutine stacks.
Supplies runtime artifacts missing from static analysis and published threat reports.
Supports automated analysis of Go malware samples through existing Volatility workflows.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same parsing approach could apply to other languages that embed substantial runtime metadata if their structures become documented.
Memory forensics tools may need periodic updates as compilers change internal layouts in languages like Go.
Integration into incident response could reduce reliance on reverse engineering for concurrent malware.

Load-bearing premise

Go's internal runtime structures including type metadata, string representations, and goroutine stacks remain stable enough to parse reliably across the malware samples and compiler versions tested.

What would settle it

A memory dump from Go malware compiled with a newer version that alters the runtime ABI or string representation would cause the plugins to fail to recover the expected C2 endpoints and argument values.

Figures

Figures reproduced from arXiv: 2605.14020 by Andrew Case, Hala Ali, Irfan Ahmed.

**Figure 1.** Figure 1: Go runtime metadata extraction 3.1.1. Process Memory Analysis The framework parses the executable header to identify program segments and then scans read-only segments for pclntab using version-specific magic bytes: \xf1\xff\xff\xff (Go 1.20+), \xf0\xff\xff\xff (Go 1.18–1.19), \xfa\xff\xff\xff (Go 1.16–1.17), and \xfb\xff\xff\xff (Go 1.2–1.15). Each candidate match is validated by enforcing pcHeader invari… view at source ↗

**Figure 2.** Figure 2: Heap object recovery describes a contiguous memory region divided into fixedsize slots. Key fields include the base address (startAddr), slot size (elemsize), total capacity (nelems), number of allocated objects (allocCount), allocation bitmap (allocBits), and span state. For active spans, allocated objects are recovered by iterating the allocation bitmap and calculating object addresses using their bit… view at source ↗

**Figure 3.** Figure 3: Function analysis workflow treat the first word as a potential string data pointer and the second as a potential length. We then validate that the pointer references accessible memory, the length is within reasonable bounds, and the referenced bytes form valid UTF-8 with predominantly printable characters. Objects that fail string validation are excluded and evaluated under the remaining candidates. Pointe… view at source ↗

**Figure 4.** Figure 4: Comparison of the go_strings plugin and the Linux strings utility with Curve25519 key agreement, terminates security software prior to encryption, and deletes volume shadow copies to prevent recovery. We analyzed a memory image from an infected Windows host containing a live Obscura process (PID 1100). Using go_strings, we reconstructed heap allocation state (112 of 942 spans active) and recovered 778 st… view at source ↗

**Figure 5.** Figure 5: ABI-Aware Backward Analysis of main.copyFile [PITH_FULL_IMAGE:figures/full_fig_p009_5.png] view at source ↗

**Figure 6.** Figure 6: ABI-Aware Backward Analysis of main.main.func1 HTTP/TLS communication with the C2 server [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗

**Figure 7.** Figure 7: Runtime forensic artifacts recovered from Pantegana memory using go_strings indicators and behaviours not reported in published threat intelligence. References Ali, H., Case, A., Ahmed, I., 2025a. Leveraging memory forensics to investigate and detect illegal 3d printing activities. Forensic Science International: Digital Investigation 53, 301925. doi:10.1016/j.fsidi.20 25.301925. Ali, H., Case, A., Ahmed, … view at source ↗

read the original abstract

The Go programming language has become increasingly popular among malware developers due to its ability to produce statically linked, cross-platform executables that challenge traditional analysis techniques. These binaries embed a substantial runtime and compiler-generated metadata and are compiled with aggressive optimizations that discard type information for function parameters and local variables. Go's design further complicates analysis by representing strings as pointer-length pairs rather than null-terminated sequences, employing a caller-allocated stack model that obscures argument boundaries, and fragmenting program state across concurrent goroutines. Although existing static analysis and reverse engineering tools provide Go-specific support, they remain limited to compile-time artifacts and cannot recover runtime execution state and artifacts that persist solely in memory. To address this gap, we present the first memory forensics framework for runtime analysis of Go binaries. By parsing Go's internal structures, our framework reconstructs type and function metadata, recovers heap-allocated and static strings, and distinguishes application-level functions. Through ABI-aware backward analysis, it derives execution paths and argument values from call sites. To capture runtime state beyond what static analysis reveals, it analyzes goroutine stacks to identify actively executing functions and recover their runtime argument values. We implemented all capabilities as Volatility 3 plugins and evaluated them against malware seen in recent incidents, such as the BRICKSTORM backdoor, Obscura ransomware, and Pantegana RAT, as well as open-source samples for reproducibility. The framework successfully recovered C2 endpoints, persistence mechanisms, encryption keys, ransom notes, and execution state, including critical runtime artifacts that were absent from published threat intelligence.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This paper delivers the first memory forensics framework for Go binaries by parsing runtime structures, which works on the samples shown but rests on thin evaluation without version robustness or metrics.

read the letter

The core advance here is a set of Volatility 3 plugins that read Go's internal memory layouts to pull out runtime strings, type info, goroutine stacks, and call arguments that static tools cannot reach. That is genuinely new for this language, where malware authors increasingly ship static binaries that hide state in memory only. The authors show it recovering C2 endpoints, keys, and execution details from BRICKSTORM, Obscura, Pantegana, and open-source cases, including artifacts missing from public reports. That practical demonstration is the paper's strongest point and gives incident responders something concrete to try.

Referee Report

2 major / 1 minor

Summary. The paper presents the first memory forensics framework for runtime analysis of Go binaries, implemented as Volatility 3 plugins. It parses Go runtime structures (type metadata, string headers as pointer+length, goroutine stacks, ABI-derived arguments) to reconstruct function metadata, recover heap/static strings, identify executing functions, and derive argument values. Evaluation on real malware (BRICKSTORM backdoor, Obscura ransomware, Pantegana RAT) and open-source samples claims successful recovery of C2 endpoints, persistence mechanisms, encryption keys, ransom notes, and execution state absent from static analysis or published threat intelligence.

Significance. If reliable, the framework would address a clear gap in analyzing increasingly common Go malware whose static linking and runtime optimizations defeat traditional tools. Strengths include concrete Volatility 3 plugin implementations, ABI-aware backward analysis, goroutine stack examination for runtime state, and evaluation on both real incident samples and open-source binaries for reproducibility.

major comments (2)

[Evaluation] Evaluation section: claims of successful artifact recovery on BRICKSTORM, Obscura, and Pantegana rest on qualitative statements without quantitative metrics (success rates, error rates, number of samples tested, or version-specific failure modes), undermining assessment of the framework's practical reliability.
[Framework description and Evaluation] Framework description and Evaluation: the parsing of Go runtime layouts (string representation, type metadata, caller-allocated stacks, goroutine structures) assumes cross-version stability but provides no version-detection logic, no enumeration of tested Go releases (e.g., 1.18–1.22), and no discussion of handling compiler optimizations known to alter stack frames and string headers; this is load-bearing for claims that recovered C2 endpoints and keys are trustworthy outside the evaluated binaries.

minor comments (1)

[Abstract and Evaluation] Abstract and Evaluation: references to 'open-source samples for reproducibility' do not name the specific binaries or provide repository links, reducing the ability to verify results.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments, which highlight important aspects of evaluation rigor and framework robustness. We address each major comment below, indicating where revisions will be made to strengthen the manuscript.

read point-by-point responses

Referee: [Evaluation] Evaluation section: claims of successful artifact recovery on BRICKSTORM, Obscura, and Pantegana rest on qualitative statements without quantitative metrics (success rates, error rates, number of samples tested, or version-specific failure modes), undermining assessment of the framework's practical reliability.

Authors: We acknowledge that the evaluation is presented through qualitative case studies on three real incident samples (BRICKSTORM backdoor, Obscura ransomware, Pantegana RAT) plus open-source binaries, demonstrating recovery of specific runtime artifacts such as C2 endpoints, encryption keys, and execution state that static analysis could not provide. Establishing quantitative metrics like success rates or error rates is inherently difficult in this domain because ground-truth runtime state for live malware is rarely available in public reports. We will revise the evaluation section to explicitly state the total number of samples tested, list the specific artifacts recovered per sample, and add a brief discussion of observed failure modes tied to Go version differences. This will improve transparency without overstating the results as a broad benchmark. revision: partial
Referee: [Framework description and Evaluation] Framework description and Evaluation: the parsing of Go runtime layouts (string representation, type metadata, caller-allocated stacks, goroutine structures) assumes cross-version stability but provides no version-detection logic, no enumeration of tested Go releases (e.g., 1.18–1.22), and no discussion of handling compiler optimizations known to alter stack frames and string headers; this is load-bearing for claims that recovered C2 endpoints and keys are trustworthy outside the evaluated binaries.

Authors: We agree that an explicit treatment of version compatibility is needed. Our plugins were developed and validated against Go releases 1.18 through 1.22, which encompass the compiler versions present in the evaluated malware. Core data structures (pointer-length string headers, goroutine metadata, and caller-allocated stack layout) have remained stable across this range; variations arise mainly from compiler optimizations that affect argument placement and inlining. Our ABI-aware backward analysis already accounts for these by walking call sites rather than relying on fixed offsets. We will add a dedicated subsection enumerating the tested releases, describing the stability assumptions, and outlining how the analysis handles optimization-induced changes to stack frames. No automatic version-detection logic will be added, as it is not required for the targeted range and would increase plugin complexity without improving reliability for the evaluated samples. revision: yes

Circularity Check

0 steps flagged

No circularity: engineering framework directly parses documented Go runtime layouts

full rationale

The paper describes an engineering implementation of memory parsing for Go binaries using known runtime structures such as string headers, type metadata, and goroutine stacks. No mathematical derivations, predictions, or first-principles results are claimed that could reduce to fitted inputs or self-referential definitions. All capabilities are presented as direct applications of publicly documented Go ABI and runtime layouts, with evaluation against specific malware samples serving as validation rather than circular confirmation. The work contains no self-citation load-bearing steps, ansatz smuggling, or renaming of known results as novel derivations.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The framework rests on the assumption that Go compiler-generated metadata and runtime data structures are accessible and stable in memory; no free parameters or new invented entities are introduced.

axioms (1)

domain assumption Go runtime internal structures (type metadata, string headers, goroutine stacks, ABI calling conventions) are stable enough to parse from memory across the compiler versions used by the target malware
Invoked when the framework reconstructs type and function metadata and recovers argument values from call sites and goroutine stacks.

pith-pipeline@v0.9.0 · 5579 in / 1294 out tokens · 38589 ms · 2026-05-15T05:30:00.461805+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

19 extracted references · 19 canonical work pages

[1]

Leveraging memory forensics to investigate and detect illegal 3d printing activities

Ali, H., Case, A., Ahmed, I., 2025a. Leveraging memory forensics to investigate and detect illegal 3d printing activities. Forensic Science International: Digital Investigation 53, 301925. doi:10.1016/j.fsidi.20 25.301925. Ali,H.,Case,A.,Ahmed,I.,2025b.Memoryanalysisofthepythonruntime environment. Forensic Science International: Digital Investigation 53, ...

work page doi:10.1016/j.fsidi.20 2025
[2]

{DroidScraper}: A tool for android{In-Memory}object recovery and reconstruction, in: 22nd International Symposium on Research in At- tacks, Intrusions and Defenses (RAID 2019), pp. 547–559. Ali-Gombe,A.,Tambaoan,A.,Gurfolino,A.,RichardIII,G.G.,2020.App- agnostic post-execution semantic analysis of android in-memory foren- sics artifacts, in: Proceedings o...

work page 2019
[3]

Accessed: 2026-01-16

Analyzing Golang Executables.https://www.pnfsoftwar e.com/blog/analyzing-golang-executables/. Accessed: 2026-01-16. Capstone Engine Team,

work page 2026
[4]

Accessed: 2026-01-16

Capstone: The ultimate disassembly frame- work.https://github.com/capstone- engine/capstone. Accessed: 2026-01-16. Carvey, H., O’Donnell-Welch, L., Schmidt, A., Pham, A.,

work page 2026
[5]

Accessed: 2026-01-16

Obscura, an obscure new ransomware variant.https://www.huntress.com/blog/ob scura-ransomware-variant. Accessed: 2026-01-16. Case, A., Richard III, G.G.,

work page 2026
[6]

Accessed: 2026-01-16

Obscura ransomware: A case study in ran- somware data loss.https://www.coveware.com/blog/2025/11/18/obscura -ransomware-data-loss-validation. Accessed: 2026-01-16. Cybersecurity and Infrastructure Security Agency (CISA), National Secu- rityAgency(NSA),CanadianCentreforCyberSecurity,2025. BRICK- STORM Backdoor: Malware Analysis Report AR25-338A.https: //ww...

work page 2025
[7]

Accessed: 2026-01-15

AlphaGolang: A Step-by-Step Go Malware Reversing Methodology for IDA Pro.https://www.sentinelone.com/la bs/alphagolang-a-step-by-step-go-malware-reversing-methodology-f or-ida-pro/. Accessed: 2026-01-15. Hex-Rays,

work page 2026
[8]

Accessed: 2026-01-16

Stop guessing and start going: Cleaner golang decompi- lation in ida 9.2.https://hex-rays.com/blog/stop-guessing-and-start -going. Accessed: 2026-01-16. Hunt.io, 2025a. Gh0st and pantegana: Two rats that refuse to fade away. https://hunt.io/blog/gh0st- and- pantegana- two- rats- that- refuse- t o-fade-away. Accessed: 2026-01-16. Hunt.io, 2025b. Pantegana ...

work page 2026
[9]

Accessed: 2026-01-15

Rust and go malware: Cross-platform threats evading traditional defenses.https://medium.com/@instatunnel/rust -and-go-malware-cross-platform-threats-evading-traditional-defen ses-d7fddf127d32. Accessed: 2026-01-15. Mandiant, 2025a. Another brickstorm: Stealthy backdoor enabling espi- onage into tech and legal sectors.https://cloud.google.com/blog/to pics/...

work page 2026
[10]

Accessed: 2026-01-16

Goresym: Go symbol recovery tool.https://github.com /mandiant/GoReSym. Accessed: 2026-01-16. Manna, M., Case, A., Ali-Gombe, A., Richard III, G.G.,

work page 2026
[11]

Accessed: 2026-01-16

Garble: Changelog (v0.15.0).https://github.com/burro wers/garble/blob/6dab979/CHANGELOG.md. Accessed: 2026-01-16. Maurya,A.,2021. Golangmalwareismorethanafad:Financialmotivation drives adoption.https://www.crowdstrike.com/en-us/blog/financial-m otivation-drives-golang-malware-adoption/. Accessed: 2026-01-15. Meskauskas, T.,

work page 2026
[12]

https://www.pcrisk.com/removal- guides/33788- obscura- ransomware

How to remove obscura (.obscura) ransomware. https://www.pcrisk.com/removal- guides/33788- obscura- ransomware. Accessed: 2026-01-16. omaidf,

work page 2026
[13]

Accessed: 2026-01-16

Go-malware: Golang malware examples.https://github.c om/omaidf/go-malware/tree/master. Accessed: 2026-01-16. Raimbaud, K., Rascagneres, P.,

work page 2026
[14]

Accessed: 2026-01-15

GoResolver: Using Control-flow GraphSimilaritytoDeobfuscateGolangBinaries,Automatically.https: //www.volexity.com/blog/2025/04/01/goresolver- using- control- flo w-graph-similarity-to-deobfuscate-golang-binaries-automatically/. Accessed: 2026-01-15. First Author et al.:Preprint submitted to ElsevierPage 11 of 12 Smmarwar,S.K.,Gupta,G.P.,Kumar,S.,2024. And...

work page 2025
[15]

Accessed: 2026-01-15

BitSight Threat Intelligence Briefing: Key Malware Trends Shaping Cyber Risk in 2025.https://www.bitsight.com/blo g/current-malware-trends-2025. Accessed: 2026-01-15. Sylve, J., Case, A., Marziale, L., Richard, G.G.,

work page 2025
[16]

https://go.dev/src/cmd/compile/abi-internal

Go Internal ABI Specification (ABIInternal). https://go.dev/src/cmd/compile/abi-internal. Accessed: 2026-01-18. Trellix,

work page 2026
[17]

Accessed: 2026-01-16

Feeding gophers to ghidra.https://www.trellix.com/blogs/ research/feeding-gophers-to-ghidra/. Accessed: 2026-01-16. Volatility Foundation,

work page 2026
[18]

Accessed: 2026-01-16

Volatility 3: The volatile memory extraction framework.https://github.com/volatilityfoundation/volatility3. Accessed: 2026-01-16. Volexity,2025. Goresolver:Context-awarerecoveryofgomalwareseman- tics.https://github.com/volexity/GoResolver. Accessed: 2026-01-16. Wang,E.,Zurowski,S.,Duffy,O.,Thomas,T.,Baggili,I.,2022. Juicingv8: Aprimaryaccountforthememoryf...

work page 2026
[19]

url = https://unit42.paloaltonetworks.com/bookworm- stately-taurus-attribution-framework/

Bookworm to stately taurus using the unit 42 attribu- tion framework. url = https://unit42.paloaltonetworks.com/bookworm- stately-taurus-attribution-framework/. Accessed: 2026-01-21. First Author et al.:Preprint submitted to ElsevierPage 12 of 12

work page 2026