The saga of the Chinese bank-mandated Aisino Intelligent Tax software that installed a remote access and control backdoor has taken an unexpected turn, as security researchers found it received an update that deletes the malicious code.
Trustwave Spiderlabs said the software, which foreign companies have to use to pay local taxes, downloaded a new file.
This turned out to be an uninstaller for the backdoor, which Spiderlabs named GoldenSpy.
The uninstaller executable is fetched from a host on a network allocated to China Mobile, Spiderlabs said, with a second version containing obfuscated variables to avoid antivirus appearing shortly after the first one.
Once the Aisino Intelligent Tax program runs the downloaded executable, the uninstaller deletes all GoldenSpy files and folders, as well as the entries it inserted into the Windows Registry system configuration database.
After the GoldenSpy backdoor has been removed, the uninstaller executes a Windows shell command to delete itself quietly and without notifications or user input.
While the direct threat of the GoldenSpy command and control remote access malware appears to be gone after the uninstaller has finished, Spiderlabs said it has to leave users concerned about what else could be downloaded and executed in a similar manner.
_(37).jpg&h=140&w=231&c=1&s=0)
Melbourne Cloud & Datacenter Convention 2026
iTnews Executive Retreat - Data & AI Edition
.png&w=120&c=1&s=0)
iTnews Cloud Covered Breakfast Summit
iTnews State of Security Breakfast
The 2026 iAwards
_(1).jpg&h=140&w=231&c=1&s=0)
