The saga of the Chinese bank-mandated Aisino Intelligent Tax software that installed a remote access and control backdoor has taken an unexpected turn, as security researchers found it received an update that deletes the malicious code.
Trustwave Spiderlabs said the software, which foreign companies have to use to pay local taxes, downloaded a new file.
This turned out to be an uninstaller for the backdoor, which Spiderlabs named GoldenSpy.
The uninstaller executable is fetched from a host on a network allocated to China Mobile, Spiderlabs said, with a second version containing obfuscated variables to avoid antivirus appearing shortly after the first one.
Once the Aisino Intelligent Tax program runs the downloaded executable, the uninstaller deletes all GoldenSpy files and folders, as well as the entries it inserted into the Windows Registry system configuration database.
After the GoldenSpy backdoor has been removed, the uninstaller executes a Windows shell command to delete itself quietly and without notifications or user input.
While the direct threat of the GoldenSpy command and control remote access malware appears to be gone after the uninstaller has finished, Spiderlabs said it has to leave users concerned about what else could be downloaded and executed in a similar manner.
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
