BACKORDER is a downloader malware written in the Go programming language that specifically targets Windows systems. First documented by security researchers at EclecticIQ, this threat distinguishes itself through its ability to manipulate Windows Defender settings before deploying additional malicious payloads. Unlike simpler downloaders that simply fetch and execute files, BACKORDER actively works to disable security protections on your machine, creating a persistent vulnerability that allows attackers to install whatever malware they choose without triggering your antivirus alerts. We've seen an uptick in BACKORDER infections across Metro Atlanta, and understanding how it operates is the first step toward protecting your system.
Threat Profile
| Malware Name | BACKORDER |
|---|---|
| Type | Downloader / Trojan |
| Platform | Windows (PE executable) |
| File Type | Windows PE executable |
| Programming Language | Go (Golang) |
| Primary Function | Manipulates Windows Defender exclusions and downloads secondary payloads |
| First Documented | Prior to June 2026 |
| Risk Level | High – Disables security protections and enables further compromise |
| Typical Payload Size | 2-8 MB (typical for Go-compiled executables) |
| Known Aliases | BACKORDER |
| Detection Rate | Varies by security vendor; newer variants may evade detection |
| Common Distribution | Software bundles, email attachments, drive-by downloads |
How It Spreads
BACKORDER typically arrives on victim systems through deceptive distribution methods that exploit user trust or inattention. Because it's a downloader rather than standalone malware with obvious symptoms, attackers often package it with seemingly legitimate software or disguise it as a system utility. The initial infection vector is crucial to understand because preventing BACKORDER from executing in the first place is far easier than removing it after it's compromised your security settings.
We've observed BACKORDER infections stemming from several common scenarios in our Roswell repair shop. Clients frequently report installing what they believed was a legitimate program—sometimes a video codec, PDF converter, or system optimizer—only to discover later that BACKORDER was bundled within the installer. Others have been infected through malicious email attachments that appeared to come from shipping companies, financial institutions, or even government agencies.
- Software bundling: Packaged with free utilities, video converters, or system tools from unofficial download sites
- Malicious email attachments: Disguised as invoices, shipping notifications, or document files requiring immediate attention
- Compromised websites: Drive-by downloads from hacked legitimate sites or malicious advertisements (malvertising)
- Fake software updates: Posing as critical updates for Flash Player, Java, or other common plugins
- Pirated software: Bundled with cracked applications or key generators from torrent sites and file-sharing platforms
- Trojanized legitimate tools: Modified versions of genuine utilities distributed through unofficial channels
What It Does On Your Machine
Once BACKORDER executes on your system, its first priority is self-preservation through security manipulation. The malware specifically targets Windows Defender, Microsoft's built-in antivirus solution that protects millions of Windows 10 and 11 users. By adding specific paths to Windows Defender's exclusion list, BACKORDER creates safe zones where it can download and execute additional malware without triggering any security alerts. This is particularly insidious because most users trust Windows Defender to protect them—and have no idea their protection has been silently compromised.
After establishing these exclusion zones, BACKORDER contacts remote command-and-control servers to receive instructions about which payloads to download next. These secondary infections can be anything the attacker chooses: ransomware, banking trojans, cryptocurrency miners, spyware, or additional backdoors. Essentially, BACKORDER transforms your computer into a platform that attackers control, deciding what malware to install based on their current objectives. You might be infected with one thing today and something entirely different next week, all managed through the same BACKORDER installation.
Because BACKORDER is written in Go, a compiled language that produces relatively large executables, the malware file itself often appears as a multi-megabyte binary in locations where legitimate software might reside. The Go compilation also makes BACKORDER somewhat easier to detect than malware written in lower-level languages, but its primary defense mechanism—disabling security software—compensates for this weakness. Users may notice unusual CPU activity during download operations or strange network connections, but without functioning antivirus protection, these symptoms often go unrecognized until significant damage has occurred.
Manual Removal — Step by Step
Disconnect From Network Immediately
Before attempting any removal steps, disconnect your computer from the internet by unplugging your ethernet cable or disabling Wi-Fi. This prevents BACKORDER from downloading additional payloads during the removal process and stops any data exfiltration that might be occurring through secondary infections.
Boot Into Safe Mode With Networking
Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and press 5 or F5 to select Safe Mode with Networking. This loads Windows with minimal drivers and prevents most malware from loading automatically.
Check Windows Defender Exclusions
Open Windows Security → Virus & threat protection → Manage settings → scroll down to Exclusions → Manage exclusions. Review every listed exclusion carefully. BACKORDER will have added folders or file paths you don't recognize. Write down these paths (you'll need to scan them later) and remove any exclusions you didn't personally create. Be thorough—attackers often add multiple exclusions.
Run Full System Scan With Updated Definitions
With exclusions removed, reconnect to the internet briefly to update Windows Defender definitions (Windows Security → Virus & threat protection → Check for updates). Then disconnect again and run a full system scan. This may take 2-4 hours depending on your drive size. Windows Defender should now detect BACKORDER and any payloads it downloaded. Quarantine everything it finds.
Manually Check Common Persistence Locations
Open File Explorer and navigate to C:\Users\[YourUsername]\AppData\Local\Temp\, C:\ProgramData\, and C:\Users\[YourUsername]\AppData\Roaming\. Sort by Date Modified and look for executable files (.exe, .dll) created around the time you suspect infection occurred. Also check your Downloads folder for suspicious installers. Delete anything you don't recognize, but photograph file names first in case you need to reference them.
Examine Startup Programs and Scheduled Tasks
Press Ctrl+Shift+Esc to open Task Manager, click the Startup tab, and disable any unfamiliar entries. Then open Task Scheduler (search in Start menu), expand Task Scheduler Library, and look for recently created tasks with random names or tasks that run executables from AppData or ProgramData folders. Right-click and delete suspicious scheduled tasks.
Run Secondary Malware Scanner
Download Malwarebytes Free (from the official malwarebytes.com site only) on a clean computer, transfer it via USB drive to the infected machine, and run a full scan. BACKORDER often downloads additional threats that Windows Defender might miss. Malwarebytes excels at detecting these secondary infections and removing them completely.
Reset Browser Settings
BACKORDER payloads often include browser hijackers or adware. Open each browser you use and reset it to default settings: Chrome (Settings → Reset settings → Restore settings to their original defaults), Firefox (Help → More troubleshooting information → Refresh Firefox), Edge (Settings → Reset settings → Restore settings to their default values). This removes malicious extensions and altered settings.
Change All Passwords From Clean Device
Because you don't know what payloads BACKORDER installed, assume credential theft occurred. Using a different, confirmed-clean device (phone, tablet, or another computer), change passwords for all critical accounts: email, banking, social media, and any sites where you've stored payment information. Enable two-factor authentication wherever available.
Monitor System Behavior Post-Removal
After completing these steps, reconnect to the internet and monitor your system closely for 48-72 hours. Watch for unexpected CPU usage, unusual network activity, programs you don't recognize, or new Windows Defender exclusions appearing. If any suspicious behavior returns, the infection may not be fully removed and professional intervention is necessary.
Prevention
- Download software only from official sources: Always obtain programs directly from the developer's website or verified app stores like the Microsoft Store. Avoid third-party download sites that bundle additional software or modified installers. When searching for software, type the exact URL rather than clicking search results, which may include malicious sponsored links.
- Keep Windows Defender enabled and updated: Never disable Windows Defender unless you have enterprise-grade replacement security software. Enable Cloud-delivered protection and Automatic sample submission in Windows Security settings. These features use Microsoft's global threat intelligence network to identify new threats like BACKORDER variants before they're added to definition updates.
- Scrutinize email attachments and links: Don't open email attachments or click links unless you're absolutely certain of the sender's identity and were expecting the message. Hover over links to preview the actual URL before clicking. When in doubt, contact the supposed sender through a different communication channel to verify legitimacy.
- Maintain regular system backups: Use Windows Backup or a third-party solution to create regular system images and file backups stored on an external drive that's disconnected when not in use. If BACKORDER downloads ransomware or causes system corruption, having recent backups means you can restore your system without paying ransoms or losing data.
- Use a Standard User account for daily activities: Create a separate Administrator account for system changes and use a Standard User account for web browsing, email, and general work. Malware like BACKORDER has more difficulty modifying system settings when executed from a Standard User context, as Windows will prompt for Administrator credentials before allowing security modifications.
- Enable Tamper Protection in Windows Security: Open Windows Security → Virus & threat protection → Manage settings → toggle Tamper Protection to On. This prevents unauthorized applications (including BACKORDER) from modifying Windows Defender settings, adding exclusions, or disabling real-time protection without explicit user permission.
- Review Windows Defender exclusions monthly: Make it a monthly habit to check Windows Security → Virus & threat protection → Manage settings → Exclusions. You should know exactly what's excluded and why. Most home users don't need any exclusions at all. If you find entries you don't recognize, research them before removing, but when in doubt, delete the exclusion and see if anything breaks.
- Stay skeptical of urgent update prompts: Legitimate software updates rarely demand immediate action through pop-up windows or email links. When you see update notifications, close them and manually check for updates through the application's built-in update mechanism or the official website. Flash Player, Java, and other commonly impersonated products should be updated through their official control panels or removed if no longer needed.
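The removal steps (check exclusions, persistence folders, scheduled tasks) and the monthly exclusion review above are all manual GUI checks; this added PowerShell audit script, which is not from the original page or from EclecticIQ's research, gathers the same information in one pass so nothing is missed. It assumes an elevated PowerShell on Windows 10/11 with the built-in Defender cmdlets; the 14-day window and the AppData/ProgramData patterns are assumptions you can adjust.

```powershell
# Added audit script (not from the original page). Run as Administrator.
$daysBack = 14   # assumed window for "recently created" files

# 1. Windows Defender exclusions: a clean home system normally has none.
$pref = Get-MpPreference
Write-Host "== Defender exclusions =="
$found = $false
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in $pref.$kind) {
        $found = $true
        Write-Host ("  {0}: {1}" -f $kind, $item)
    }
}
if (-not $found) { Write-Host "  (none)" }

# 2. Protection state: real-time and Tamper Protection should both be True.
$status = Get-MpComputerStatus
Write-Host "== Protection state =="
Write-Host ("  Real-time protection enabled: {0}" -f $status.RealTimeProtectionEnabled)
Write-Host ("  Tamper Protection enabled:    {0}" -f $status.IsTamperProtected)
Write-Host ("  Signatures last updated:      {0}" -f $status.AntivirusSignatureLastUpdated)

# 3. Scheduled tasks whose action launches from AppData or ProgramData,
#    the persistence pattern the removal steps tell you to look for.
Write-Host "== Scheduled tasks launching from AppData/ProgramData =="
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec-type actions have an Execute path; $null never matches.
        if ($action.Execute -match '(?i)\\AppData\\|\\ProgramData\\') {
            Write-Host ("  {0}{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName,
                        $action.Execute, $action.Arguments)
        }
    }
}

# 4. Recently created .exe/.dll files in the folders named in the steps.
$cutoff  = (Get-Date).AddDays(-$daysBack)
$folders = @("$env:LOCALAPPDATA\Temp", $env:ProgramData, $env:APPDATA)
Write-Host ("== Executables created since {0} ==" -f $cutoff.ToShortDateString())
foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff } |
        ForEach-Object {
            Write-Host ("  {0}  {1:yyyy-MM-dd HH:mm}  {2:N0} bytes" -f $_.FullName, $_.CreationTime, $_.Length)
        }
}
```

Save the output before deleting anything so you keep the record of file names and task names the removal steps ask you to photograph.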
Bring It In
Manual malware removal is tedious, time-consuming, and—frankly—risky if you're not completely certain you've eliminated every component. BACKORDER is particularly problematic because you can't be sure what additional payloads it downloaded before you disconnected from the network. Those secondary infections might include keyloggers recording your passwords right now, ransomware waiting to encrypt your files at a scheduled time, or cryptocurrency miners slowly degrading your hardware. Our technicians at Computer Repair Roswell have forensic tools and experience that go beyond consumer antivirus software, allowing us to identify and remove threats that standard scans miss.
We're located right here in Roswell, Georgia, and we've built our reputation on honest, effective malware removal without unnecessary upsells or scare tactics. Bring your infected computer to our shop at [address], call us at (770) 856-1222, or visit our contact page to schedule an appointment. We'll assess your system thoroughly, explain exactly what we find, provide you with a clear quote before starting work, and have you back up and running safely—typically within 24-48 hours. Don't gamble with your data, your privacy, or your financial security. Let us handle BACKORDER properly and show you how to prevent the next infection before it starts.