Clankerusecase
Threat-actor profile

🌐 Mustard Tempest

🌐 Mustard Tempest is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Criminal. We map 14 detection use cases to this actor across 12 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

MITRE ATT&CK group: G1020

- 14 use cases
- 0 articles
- 12 techniques
- 0 IOCs

About this actor (MITRE)

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access for the download of additional malware including LockBit, [WastedLocker](https://attack.mitre.org/software/S0612), and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Se

Known aliases

- Mustard Tempest
- DEV-0206
- TA569
- GOLD PRELUDE
- UNC1543

Detection use cases (14)

- Mustard Tempest (TA569 / SocGholish) JS payload spawning host-profile recon LOLBins (AI · profile)
- Mustard Tempest fake-update ZIP-from-browser → wscript JS execution chain (AI · profile)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (MITRE match)
- Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress (MITRE match)
- OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host (MITRE match)
- Click on URL whose host doesn't match the sender domain (MITRE match)
- Phishing-link click correlated to endpoint execution (MITRE match)
- User clicked through a Safe Links warning page (MITRE match)
- Attacker Tools On Endpoint (MITRE match)
- Azure AD Device Code Authentication (MITRE match)