
Threat Actor Characterization

GOLD SOUTHFIELD


ID: afc3f50b20cce67136affccecb54712097526
Cybercrime Ransomware Affiliate
Threat types: Ransomware, Intrusion, Data Leak
Unknown
Updated: 2026-02-23
Created: 2025-10-22
Progress: 44% Completeness: 33% Freshness: 70%
Operation zone:
Aliases: FIN11, GOLD TAHOE
MITRE ATT&CK®

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting victims to pay so that their data would not be publicly leaked. Ref: https://attack.mitre.org/groups/G0115/


Technique | Technique name | Tactics | Evidence
T1027.010 | Command Obfuscation | TA0005 | Obfuscated Files or Information: Command Obfuscation - GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.
T1059.001 | PowerShell | TA0002 | Command and Scripting Interpreter: PowerShell - GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.
T1195.002 | Compromise Software Supply Chain | TA0001 | Supply Chain Compromise: Compromise Software Supply Chain - GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.