
GoFlateLoader Uses Massive PE Overlay to Deliver Lumma, Vidar, and

By Emy Elsamnoudy, June 11, 2026

A new malware loader, GoFlateLoader, is quietly expanding its reach across the internet. Its distinctive characteristic isn’t inherent complexity but the surprising effectiveness of a simple technique. Written in the Go programming language, this loader has one job: to decode and drop dangerous information-stealing programs onto a victim’s computer without being caught.

Table Of Content

  • GoFlateLoader Uses Massive PE Overlay
  • Payloads Delivered and the Threat They Pose
  • Indicators of Compromise (IoCs)

It does this not through advanced hacking techniques but by making itself too large for most security tools to scan.

GoFlateLoader has been actively distributed since at least April 2026, and in that short time it has already impacted more than 33,000 unique users globally.

Countries most affected include Brazil, India, Argentina, Mexico, Turkey, and Spain, painting a picture of a broad and ongoing campaign that shows no signs of slowing down.

The loader has been seen delivering several well-known infostealers, including Lumma, Vidar, StealC, Amatera, Remus, and SvitStealer.

Researchers at Gen Digital identified and have been actively tracking GoFlateLoader, noting that it stands out precisely because of what it lacks.

As Gen Digital said in a report shared with Cyber Security News (CSN), the loader carries no anti-debugging checks, no virtual machine detection, and no sandbox-evasion logic, tools that most loaders use as a matter of course. Instead, it leans on one deceptively simple method to stay off the radar.

The two main ways GoFlateLoader reaches victims are through fake cracked software downloads and through a malicious traffic distribution system recently documented by Check Point Research.

In that second path, victims are redirected to a landing page showing a password-protected archive along with the password to open it, displayed separately. This separation makes it harder for security tools to automatically unpack and scan what is inside.

Once the loader runs, it decodes its payload entirely within the computer’s memory, meaning the final malicious program never gets written to the hard drive.

This in-memory approach is a known tactic used to avoid detection by security software that monitors file activity on disk.

The use of Go’s syscall.Syscall function as a transfer mechanism, with hardcoded dummy arguments, is an unusual behavioral pattern that researchers say could serve as a useful detection marker.

GoFlateLoader Uses Massive PE Overlay

GoFlateLoader’s defining feature is its file size, which typically ranges between 700 and 950 megabytes. This enormous size is not accidental.

GoFlateLoader’s execution flow (Source: Gen Digital)

The loader artificially inflates itself by appending a large block of data, known as a PE overlay, to the end of the actual executable code. In most observed samples, this extra data is simply null bytes, though some builds use random padding instead.

Structure of a GoFlateLoader sample highlighting a massive PE overlay (Source: Gen Digital)

The goal of this inflation is straightforward. Many antivirus engines, endpoint detection tools, and cloud-based analysis platforms enforce strict size limits for files they are willing to deeply scan. VirusTotal, one of the most widely used threat intelligence platforms, enforces a 650 MB upload limit.

GoFlateLoader’s consistent size just above that threshold strongly suggests it was built specifically to slip past VirusTotal and similar size-constrained tools. When compressed for distribution, the inflated data shrinks dramatically, making delivery fast and low-cost for attackers.
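The overlay technique described above can be measured directly from the PE headers: everything past the end of the last section’s raw data is overlay, and a very large overlay made almost entirely of null bytes (and therefore highly compressible) is the pattern Gen Digital describes. The following triage script is an added example written for this article, not code from Gen Digital or from the loader itself. It parses the COFF header and section table, reports the overlay’s size and share of the file, and samples the first megabyte of the overlay to estimate its null-byte ratio and zlib compression ratio. The `build_test_pe` helper constructs a minimal, non-executable PE skeleton so the script runs offline; the size and fraction thresholds in `looks_inflated` are assumptions for illustration, not values from the report.

```python
"""Triage helper: measure a PE file's overlay and judge how it is padded.

Added example for this article; not Gen Digital's tooling. Threshold values
are illustrative assumptions, not figures from the report.
"""
import os
import struct
import sys
import zlib

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay begins.

    The overlay is everything after the last byte of raw section data
    (or after the section table if no section carries raw data).
    """
    if data[:2] != MZ_MAGIC:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + COFF_HEADER_SIZE + size_of_opt
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = sect_table + i * SECTION_HEADER_SIZE
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def analyse_overlay(data: bytes, sample_size: int = 1 << 20) -> dict:
    """Describe the overlay: size, share of file, null ratio, compressibility."""
    start = overlay_offset(data)
    overlay = data[start:]
    sample = overlay[:sample_size]  # first MiB is enough to characterise padding
    null_ratio = sample.count(0) / len(sample) if sample else 0.0
    compressed = len(zlib.compress(sample, 6)) if sample else 0
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "overlay_fraction": len(overlay) / len(data),
        "null_ratio": null_ratio,
        "compression_ratio": len(sample) / compressed if compressed else 0.0,
    }


def looks_inflated(report: dict, min_size: int = 100 << 20,
                   min_fraction: float = 0.9) -> bool:
    """Flag a file whose overlay is both large and dominates the file.

    The defaults (100 MiB, 90 %) are assumed triage thresholds, not values
    from the Gen Digital report.
    """
    return (report["overlay_size"] >= min_size
            and report["overlay_fraction"] >= min_fraction)


def build_test_pe(overlay: bytes) -> bytes:
    """Construct a minimal PE32+ skeleton with one section plus an overlay.

    Constructed sample for testing only; it is not a runnable program and
    is not a GoFlateLoader binary.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_opt = 240  # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, size_of_opt, 0x22)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    raw_ptr = e_lfanew + 4 + COFF_HEADER_SIZE + size_of_opt + SECTION_HEADER_SIZE
    raw_ptr = (raw_ptr + 0x1FF) & ~0x1FF  # file-align section data to 0x200
    raw_size = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, raw_size,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return headers + b"\xCC" * raw_size + overlay


def demo() -> dict:
    """Compare a null-padded overlay with a random-padded one (constructed)."""
    null_pe = build_test_pe(b"\0" * (2 << 20))
    rand_pe = build_test_pe(os.urandom(2 << 20))
    return {"nulls": analyse_overlay(null_pe), "random": analyse_overlay(rand_pe)}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            rep = analyse_overlay(fh.read())
        rep["inflated"] = looks_inflated(rep)
        print(rep)
    else:
        for name, rep in demo().items():
            print(name, rep)
```

Run it with a sample path to get the overlay offset, size, and padding profile; with no arguments it prints the two constructed cases. A null-padded overlay shows a null ratio near 1.0 and a compression ratio in the hundreds, which is why a 900 MB sample shrinks to a small archive for delivery; random padding shows a ratio near 1.0 and would not compress, so a file that is large on disk but tiny in transit is itself a useful triage signal.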

Payloads Delivered and the Threat They Pose

The final payloads GoFlateLoader delivers are all information stealers, programs designed to quietly harvest saved passwords, browser data, and cryptocurrency wallet credentials from infected machines.

GoFlateLoader’s PE overlay filled with null bytes (Source: Gen Digital)

The most common payloads observed are Amatera, Remus, and Lumma, with Vidar, StealC, and SvitStealer also seen in the wild. The loader comes in both 32-bit and 64-bit versions, each matched to the architecture of the payload it is meant to run.

Users can reduce their risk by avoiding downloads from unofficial or untrusted sources, especially software advertised as cracked or free versions of paid programs.

Keeping security tools updated and using solutions capable of detecting in-memory threats rather than relying solely on file scanning is strongly advised. Since GoFlateLoader avoids writing payloads to disk entirely, traditional file-based detection alone is unlikely to catch it.

Indicators of Compromise (IoCs)

Type    | Indicator                                                        | Description
SHA-256 | b88c5744975d2abb447aecc6c090fee9f8580413f4612eecdc6ed1973e8a1739 | Password-protected archive containing GoFlateLoader x64 variant loading Remus (pwd: 1234)
SHA-256 | ed5ae7f36453c5a23e9868a5729d67e0549a11f6dea54f5f52d654a8f51d4902 | Archive containing GoFlateLoader x64 variant loading Remus
SHA-256 | 841c9297cb8a2e0ff89433d13c05bfc760eb2e98e251cb8fa785d2ad7cbac05f | Archive containing GoFlateLoader x86 variant loading Amatera
SHA-256 | ece7c48eb411b24f26762ede83badb4a644c41d5777129381ac2541804d64fc2 | Archive containing GoFlateLoader x86 variant loading Lumma
SHA-256 | 421ce2d2f49c23bbe9f60ef3b9cd38d7eb912ce02e56a61837656210069bd9e2 | Archive containing GoFlateLoader x64 variant loading Vidar
SHA-256 | 121c2dc793b3873f75a29ec02241f94136de19c049382a50a50d0d5b99507073 | GoFlateLoader x64 variant loading StealC
SHA-256 | 2415db5081cec9bfd14ad6da1a66169fd96f13a49010c319a73d1ed6fafd4efa | GoFlateLoader x64 variant loading Vidar
SHA-256 | d9917ade3b4c125a95b5d3e6343cde26145dfbf569bd7e2a843fd0c6fc8ddc28 | GoFlateLoader x64 variant loading Remus
SHA-256 | 4cf6893756f441522b94b36f10e5de0e47aeed4743f95c51650746d1ecf97e3d | GoFlateLoader x64 variant loading SvitStealer
SHA-256 | 8b89d6c9152d3aab97aadd515ecb69ca72654db2f25425759ba4b646853d737d | GoFlateLoader x86 variant loading Lumma
SHA-256 | 90ce4ff9da23ac150da0a8e17930cab1e369aa349fdc1b65691b70369145664a | GoFlateLoader x86 variant loading Amatera

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
