pith. machine review for the scientific record.
Pith Number

pith:KKAWWXDR

pith:2026:KKAWWXDRZBVFXWLLQ4NJSPHWS7
not attested not anchored not stored refs resolved

Memory Forensics Techniques for Automated Detection and Analysis of Go Malware

Andrew Case, Hala Ali, Irfan Ahmed

A memory forensics framework parses Go runtime structures to recover execution state and artifacts from malware binaries.

arxiv:2605.14020 v1 · 2026-05-13 · cs.CR

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

we present the first memory forensics framework for runtime analysis of Go binaries... The framework successfully recovered C2 endpoints, persistence mechanisms, encryption keys, ransom notes, and execution state, including critical runtime artifacts that were absent from published threat intelligence.

C2 weakest assumption

That Go's internal runtime structures (type metadata, string representation, goroutine stacks, ABI) remain stable enough to parse reliably from memory across the versions and compiler optimizations used by the evaluated malware samples.

C3 one line summary

A Volatility 3 plugin framework recovers runtime C2 endpoints, keys, and execution state from Go malware by parsing internal heap, stack, and goroutine structures.

Receipt and verification
First computed 2026-05-17T23:39:12.947711Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

52816b5c71c86a5bd96b871a993cf697ffe8ace60d158cd0c6aabb352774551f

Aliases

arxiv: 2605.14020 · arxiv_version: 2605.14020v1 · doi: 10.48550/arxiv.2605.14020 · pith_short_12: KKAWWXDRZBVF · pith_short_16: KKAWWXDRZBVFXWLL · pith_short_8: KKAWWXDR
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/KKAWWXDRZBVFXWLLQ4NJSPHWS7 \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 52816b5c71c86a5bd96b871a993cf697ffe8ace60d158cd0c6aabb352774551f
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "e82cb7d2d4b50c8e0267e113b35ed5210657cc7f43544491241b4c4964230502",
    "cross_cats_sorted": [],
    "license": "http://creativecommons.org/licenses/by-nc-nd/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-13T18:34:00Z",
    "title_canon_sha256": "c6116c818abdae2a77a463f6496d408cd963b7487456cfbd16944dc2c0bb56fb"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.14020",
    "kind": "arxiv",
    "version": 1
  }
}