Malware

GoFlateLoader: New Go-Based Malware Loader Infects 33,000+ Users by Outsizing Security Scanners

dark6 12 June 2026

A newly identified malware loader called GoFlateLoader has infected more than 33,000 users globally since at least April 2026, distributing a rotating set of powerful information-stealing malware families — including Lumma, Vidar, and StealC — by exploiting a disarmingly simple technique: making itself too large for most security tools to scan. Researchers at Gen Digital, who identified and analyzed the threat, say its effectiveness is a wake-up call about the limits of file-size-bounded detection systems.

The Core Trick: Deliberate File Inflation

GoFlateLoader is written in the Go programming language and carries no advanced anti-analysis features. It does not perform anti-debugging checks, virtual machine detection, or sandbox-evasion routines — capabilities that most modern loaders include as standard. Instead, it relies on a single, brutally effective method: artificially inflating its own file size to between 700 and 950 megabytes by appending a massive block of data — a PE overlay — to the end of the executable.

In most observed samples, the overlay consists entirely of null bytes, though some variants use random padding. This extra data is functionally meaningless, but its size is deliberate. VirusTotal, the world’s most widely used threat intelligence scanning platform, enforces a 650 MB upload limit. GoFlateLoader consistently exceeds this threshold, meaning the full file cannot be submitted to VirusTotal for multi-engine analysis. Many enterprise endpoint detection tools and cloud sandboxes impose similar size constraints, causing them to skip deep inspection entirely.

When the loader is distributed via archive (ZIP or similar), the largely null overlay compresses dramatically, making delivery fast and low-bandwidth for the attacker, while the decompressed version blooms back to its scan-evading size on disk.
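The inflation technique described above is straightforward to measure from the PE headers alone. The following triage script is an added example, not code from Gen Digital's research: it locates the overlay (everything past the last section's raw data), reports how much of the file it accounts for, how many of its bytes are null, and how far it compresses. The thresholds in `looks_inflated` and the minimal PE built by `build_sample_pe` are constructed for illustration.

```python
import struct
import sys
import zlib

def overlay_info(data: bytes) -> dict:
    """Locate the PE overlay (bytes past the last section's raw data) and characterise it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size  # section table follows COFF + optional header
    end = 0
    for i in range(num_sections):  # SizeOfRawData / PointerToRawData sit at +16 / +20 of each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    return {
        "file_size": len(data),
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "null_ratio": overlay.count(0) / len(overlay) if overlay else 0.0,
        "compressed_size": len(zlib.compress(overlay, 6)) if overlay else 0,
    }

def looks_inflated(info: dict, min_overlay: int = 200 << 20, min_ratio: float = 0.9) -> bool:
    """Heuristic (thresholds are illustrative assumptions): the overlay dominates the file."""
    return info["overlay_size"] >= min_overlay and info["overlay_ratio"] >= min_ratio

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE (one section, no optional header) used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    body = (bytes(dos) + b"PE\0\0" + coff + section).ljust(0x400, b"\xcc")
    return body + overlay

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pe(b"\x00" * (4 << 20))
    info = overlay_info(data)
    print(info, "INFLATED" if looks_inflated(info, min_overlay=1 << 20) else "ok")
```

A high `null_ratio` with a tiny `compressed_size` matches the null-padded samples; the random-padding variants still trip the size and ratio check, so do not gate only on compressibility.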

Distribution Methods

GoFlateLoader reaches victims through two primary channels:

  • Fake cracked software sites: Users searching for pirated versions of paid applications are directed to download sites hosting GoFlateLoader disguised as installers.
  • Malicious Traffic Distribution Systems (TDS): Victims are redirected through ad networks and malicious redirectors to a landing page offering a password-protected archive, with the password shown separately on the same page. This separation prevents automated tools from unpacking and scanning the archive’s contents.

Payload Execution: In-Memory Only

When GoFlateLoader executes, it decodes its embedded payload entirely within system memory. The final malicious program is never written to the hard drive in a way that traditional file-scanning security tools can detect. The loader uses Go’s syscall.Syscall function with hardcoded dummy arguments as the payload transfer mechanism — an unusual behavioral pattern that Gen Digital researchers say could serve as a detection indicator for security teams.

The loader comes in both 32-bit and 64-bit variants, each matched to the architecture of its intended payload. Observed final-stage payloads include:

  • Lumma Stealer — a MaaS infostealer targeting browser credentials, cryptocurrency wallets, and 2FA codes
  • Vidar — steals passwords, credit card data, and browser history
  • StealC — lightweight credential harvester used in high-volume campaigns
  • Amatera, Remus, and SvitStealer — additional infostealer families observed in the wild

Geographic Reach

Since April 2026, GoFlateLoader has been detected affecting users in Brazil, India, Argentina, Mexico, Turkey, and Spain, among others. The broad geographic distribution suggests the operator is running a large-scale, indiscriminate campaign rather than targeting specific sectors or regions.

Detection and Defense Recommendations

Traditional file-based antivirus solutions are poorly suited to detecting GoFlateLoader because they often cannot scan files exceeding their size limits, and the final payload is never written to disk. Organizations should take the following steps:

  • Deploy endpoint detection solutions capable of in-memory threat detection and behavioral analysis, not just file hash matching
  • Block downloads of extremely large executables (>500 MB) from non-enterprise sources via web proxy policies
  • Educate users to avoid downloading cracked software or executables from unverified sites
  • Monitor for Go-based process execution followed by anomalous syscall.Syscall patterns
  • Use the SHA-256 hashes published in Gen Digital’s research to update threat intelligence platforms

GoFlateLoader is a reminder that attackers do not always need sophisticated techniques to evade defenses — they need to understand and exploit the practical limitations of the tools defenders rely on. File-size blind spots in scanning infrastructure remain a real and exploitable gap.
