A newly discovered attack campaign infiltrated a UK-based technology company via tax payment software. The attackers could run Windows commands, create new users, move laterally and upload code to execute malware. The attackers could also potentially use the network access to exfiltrate data.

GoldenSpy installs two identical versions of itself, both as persistent autostart services. If either stops running, its counterpart respawns it. In addition, it uses an EXEProtector module that monitors for the deletion of either copy. If one is deleted, the malware downloads and executes a new version. Researchers believe that this triple-layer protection makes it exceedingly difficult to remove this kind of file from an infected system.
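The twin-service persistence described above leaves a pattern a defender can hunt for: two autostart services backed by byte-identical binaries stored at different paths. The following is an added example, not code from the original report; the inventory, service names, paths and file contents are constructed, and it assumes the service list and file contents have already been collected from the host.

```python
import hashlib
import re
from collections import defaultdict

# Constructed inventory: (service name, start mode, ImagePath, file bytes).
# All names, paths and contents are invented for this example.
INVENTORY = [
    ("Dnscache", "Auto", r"C:\Windows\System32\svchost.exe -k NetworkService", b"svchost-image"),
    ("Dhcp", "Auto", r"C:\Windows\System32\svchost.exe -k LocalService", b"svchost-image"),
    ("ExampleSvcA", "Auto", r'"C:\Program Files (x86)\ExampleApp\svca.exe"', b"twin-image"),
    ("ExampleSvcB", "Auto", r'"C:\Program Files (x86)\ExampleApp\svcb.exe" -run', b"twin-image"),
    ("ExampleUpdater", "Manual", r"C:\ExampleApp\copy.exe", b"twin-image"),
    ("Spooler", "Auto", r"C:\Windows\System32\spoolsv.exe", b"spooler-image"),
]

def image_path(command_line):
    """Extract the executable path from a service ImagePath, lower-cased."""
    m = (re.match(r'\s*"([^"]+)"', command_line)
         or re.match(r"\s*(.+?\.exe)", command_line, re.I))
    return (m.group(1) if m else command_line.strip()).lower()

def find_twin_autostart_services(inventory):
    """Return {sha256: sorted service names} for autostart services whose
    binaries are byte-identical but live at different paths."""
    by_hash = defaultdict(dict)  # sha256 -> {path: [service names]}
    for name, start_mode, cmd, content in inventory:
        if start_mode.lower() != "auto":
            continue  # only services that start at boot
        digest = hashlib.sha256(content).hexdigest()
        by_hash[digest].setdefault(image_path(cmd), []).append(name)
    twins = {}
    for digest, paths in by_hash.items():
        # Many services sharing ONE path (svchost.exe) is normal; identical
        # content at two or more distinct paths is the pattern of interest.
        if len(paths) >= 2:
            twins[digest] = sorted(n for names in paths.values() for n in names)
    return twins

if __name__ == "__main__":
    for digest, names in find_twin_autostart_services(INVENTORY).items():
        print(digest[:12], names)
```

A hit is a lead for triage, not a verdict: some legitimate products also install duplicate service binaries.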