Home/ Threat Actors/ GOLD SOUTHFIELD

🌐GOLD SOUTHFIELD

🌐 GOLD SOUTHFIELD is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 9 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0115) ↗

14Use cases

0Articles

9Techniques

0IOCs

About this actor (MITRE)

[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly l

Known aliases

GOLD SOUTHFIELDPinchy Spider

Top techniques

T1027.010 · Command Obfuscation T1059.001 · PowerShell T1113 · Screen Capture

All other tracked techniques

T1133 · External Remote Services T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1199 · Trusted Relationship T1219 · Remote Access Tools T1566 · Phishing

Detection use cases (14)

GOLD SOUTHFIELD / Pinchy Spider — REvil/Sodinokibi pre-encryption recovery-inhibit ritual (vssadmin + bcdedit + wbadmin chain) AI · profile SΣ GOLD SOUTHFIELD — Kaseya VSA-style supply-chain RMM abuse: Kaseya/RMM agent spawning certutil -decode + DLL-sideload of MsMpEng.exe + mpsvc. AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Self-hosted application service spawns shell or SSH within seconds of inbound unauthenticated API write MITRE match Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read MITRE match Authentication not detected on admin API endpoint MITRE match AWS EC2 key-pair created MITRE match