Godlike12 is a backdoor malware threat written in the Go language. Its creation is attributed to an ATP (Advanced Persistent Threat) group of criminals that cybersecurity researchers have named the Holy Water APT. Godlike12 was detected as part of a water-hole attack campaign against a religious and ethnic group in Asia. The experts who analyzed the underlying code of the threat found leads in its obfuscation mechanism that points towards Chinese-language underground forums. Godlike12 communicates with its Command and Control (C&C, C2) servers through a Google Drive space, thanks to Google Drive's HTTPS API v3. In fact, the name of the threat - Godlike12, comes from the name that the hackers gave to the Google Drive space.
Upon its first execution on the victim's computer, Godlike12 starts scraping information. It logs the IP address, MAC address, Windows version and hostname. All gathered data is encrypted, stored as a text file located at %TEMP%/[ID]-lk.txt, and then sent to the Google drive. To receive further instructions, Godlike12 carries out frequent checks for a remote [ID]-cs.txt that contains encrypted commands. It should be noted that the backdoor threat itself does not have any persistence mechanism, as this function is relegated to the loader tool employed by the Holy Water APT.