Figure: Global distribution of unique users protected by Gen from GoFlateLoader by country since April 2026
A simple but effective new loader is spreading information-stealing malware across the globe. Researchers at Gen Threat Labs have been tracking GoFlateLoader malware, a Golang-based loader that quietly delivers a range of infostealers. Since April 2026, the firm says it has protected more than 33,000 users from the threat, with Brazil, India, and Argentina among the hardest hit.
Simple by design
GoFlateLoader breaks the usual mold. Most loaders pack anti-debugging, anti-VM, and sandbox-evasion tricks. However, this one skips nearly all of them.
Instead, the GoFlateLoader malware relies on one blunt trick to stay hidden: sheer size. As Gen Threat Labs puts it, “prevalence and sophistication are not the same thing.” The loader simply reconstructs its payload and runs it in memory, so “it never touches the disk.”
A giant file that dodges detection
The loader’s defining feature is its bulk. Samples typically weigh between 700 and 950 MB. That heft comes from a massive, padded overlay appended to the file.
This bloat is deliberate. Many antivirus and EDR tools skip deep scanning of very large files to protect performance. Therefore, an oversized binary can slip right past them.
The trick also targets cloud analysis. For example, VirusTotal enforces a strict 650 MB upload limit. Notably, GoFlateLoader consistently sits just above that line. Consequently, the sample often cannot be uploaded for inspection at all.
Best of all for attackers, the bloat costs almost nothing. Because the padding is mostly null bytes, the file compresses down to a tiny archive for distribution.
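The defensive counterpart to that trick is to measure exactly the properties the padding produces: a huge overlay after the last PE section, an overlay that is almost entirely null bytes, and a file that compresses to almost nothing. The Python script below is an added example, not code from Gen Threat Labs or from the article. It parses the PE section table to find where the overlay starts, samples the overlay for nulls so a 900 MB file is still cheap to triage, and only then pays for a full compression pass. The thresholds and the synthetic PE it builds for its own demo are assumptions chosen from the numbers in the text, not values taken from the report.

```python
"""Overlay-bloat triage for PE files.

Added example for this article; it is not Gen Threat Labs' tooling.  It checks
the three properties the text describes: a huge overlay after the last PE
section, an overlay that is almost all null bytes, and a file that compresses
to almost nothing.  Thresholds are assumptions derived from the article's
numbers, not values taken from the report.
"""
import struct
import zlib

# Assumed defaults: an overlay above ~600 MB, >=95 % nulls, and a compressed
# size under 5 % of the original together flag a padded sample.
OVERLAY_MIN_BYTES = 600 * 1024 * 1024
NULL_RATIO_MIN = 0.95
COMPRESSION_RATIO_MAX = 0.05


def pe_end_of_sections(data: bytes) -> int:
    """Offset where the last raw section ends, i.e. where any overlay begins."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table
    end = table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def null_ratio(data: bytes, start: int, step: int = 4096) -> float:
    """Fraction of null bytes from `start` onward, sampling one byte per `step`."""
    sample = data[start::step]
    return sample.count(0) / len(sample) if sample else 0.0


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size with fast zlib (level 1)."""
    comp = zlib.compressobj(level=1)
    packed = len(comp.compress(data)) + len(comp.flush())
    return packed / len(data) if data else 1.0


def triage(data: bytes, overlay_min=OVERLAY_MIN_BYTES,
           null_min=NULL_RATIO_MIN, compression_max=COMPRESSION_RATIO_MAX) -> dict:
    """Measure overlay size, overlay null ratio and compressibility; flag bloat."""
    start = pe_end_of_sections(data)
    overlay_bytes = len(data) - start
    nulls = null_ratio(data, start)
    # Compression is the only full-file pass; skip it unless the cheap checks hit.
    ratio = (compression_ratio(data)
             if overlay_bytes >= overlay_min and nulls >= null_min else None)
    return {
        "overlay_start": start,
        "overlay_bytes": overlay_bytes,
        "overlay_null_ratio": nulls,
        "compression_ratio": ratio,
        "suspicious": ratio is not None and ratio <= compression_max,
    }


def build_fake_pe(overlay_size: int, filler: bytes = b"\0") -> bytes:
    """Constructed minimal PE32 (one section) plus an overlay, for the demo/test."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + optional + section).ljust(raw_ptr, b"\0")
    body = headers + (bytes(range(256)) * 2)[:raw_size]  # section content
    reps = overlay_size // len(filler) + 1
    return body + (filler * reps)[:overlay_size]


if __name__ == "__main__":
    # Demo on a constructed 64 MiB sample; lower thresholds so it runs quickly.
    padded = build_fake_pe(64 * 1024 * 1024)
    print(triage(padded, overlay_min=32 * 1024 * 1024))
```

The ordering matters in practice: the overlay offset comes from a few hundred header bytes and the null-ratio sample touches one byte per 4 KiB, so both are nearly free on a 900 MB file, while the compression pass reads everything and is deferred until the cheap checks already point at padding. A real sample would be read from disk instead of built by `build_fake_pe`, which exists only so the script runs stand-alone.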
Delivering a stealer buffet
Once it runs, the GoFlateLoader malware hands control to its real payload through a textbook in-memory PE load. These final payloads are mostly information stealers. The most common right now are Amatera, Remus, and Lumma. Gen has also seen it drop Vidar, StealC, and SvitStealer.
The loader ships in both 32-bit and 64-bit versions. Each one matches the architecture of the stealer it carries.
Attackers spread it through two main channels. The first is fake “cracked” software. The second uses a malicious traffic distribution system that funnels victims to a landing page. That page offers a password-protected archive and shows the password separately, which keeps scanners from opening it.
Detection and defense
Despite its low sophistication, this loader works well for its operators. You can read the full Gen Threat Labs analysis of GoFlateLoader for technical detail and indicators.
There are detection openings, though. The loader hands off execution using a quirky call with hardcoded argument values, which stands out as a pattern. Above all, treat suspiciously huge executables and “cracked” software downloads with caution, since both are favorite hiding spots for this threat.