Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
Financially Motivated5 malware familiesExploits CVEs in the wild

GOLD SOUTHFIELD

Also known asGOLD SOUTHFIELDPinchy Spider

GOLD SOUTHFIELD, also known as PINCHY SPIDER, is a financially motivated threat actor associated in the provided content with ransomware deployment, exploitation of public-facing applications, PowerShell-based execution, command obfuscation, software supply chain compromise, and use of legitimate remote management tooling. The content states that GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts and is associated with ATT&CK techniques including T1059.001 (PowerShell), T1129 (Shared Modules), T1027.010 (Command Obfuscation), T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), T1505.004 (IIS Components), and T1219 (Remote Access Tools). Reported activity in the content includes exploiting Oracle WebLogic vulnerabilities for initial compromise, using web shells and IIS components for persistence, and using the cloud-based remote management and monitoring tool ConnectWise Control to deploy REvil. The content also states that GOLD SOUTHFIELD distributed ransomware by backdooring software installers through a strategic web compromise of the site hosting Italian WinRAR, indicating software supply chain compromise activity.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

33 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics38 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1592
Gather Victim Host Information
T1595
Active Scanning
TA0042
Resource Development
1 technique
T1608×2
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
4 techniques
T1133×8
External Remote Services
T1190×30
Exploit Public-Facing Application
T1199×2
Trusted Relationship
T1566×2
Phishing
TA0002
Execution
4 techniques
T1059×2
Command and Scripting Interpreter
T1059.001×19
PowerShell
T1129
Shared Modules
T1204
User Execution
T1204.002
Malicious File
T1574
Hijack Execution Flow
TA0003
Persistence
2 techniques
T1133×8
External Remote Services
T1505
Server Software Component
T1505.003×4
Web Shell
T1505.004
IIS Components
TA0004
Privilege Escalation
1 technique
T1055
Process Injection
TA0005
Stealth
4 techniques
T1027
Obfuscated Files or Information
T1027.005
Indicator Removal from Tools
T1027.010
Command Obfuscation
T1055
Process Injection
T1140
Deobfuscate/Decode Files or Information
T1574
Hijack Execution Flow
TA0007
Discovery
3 techniques
T1012
Query Registry
T1482
Domain Trust Discovery
T1518
Software Discovery
TA0008
Lateral Movement
1 technique
T1570
Lateral Tool Transfer
TA0009
Collection
2 techniques
T1005
Data from Local System
T1113
Screen Capture
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1219×7
Remote Access Tools
TA0040
Impact
3 techniques
T1486
Data Encrypted for Impact
T1490
Inhibit System Recovery
T1531
Account Access Removal
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
REvilGOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.4Apr 30, 2026
Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026
CarbanakAnnotations ID Technique Tactic T1219 Remote Access Tools Command And Control BlackByte Carbanak Cobalt Group1Mar 17, 2026
Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026
RemcosThis activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording.1Mar 17, 2026
WEAPONIZED

Associated vulnerabilities

10 CVEs this actor has used in observed campaigns. 10 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2021-31207Post-auth Arbitrary File Write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection RCEIn the wildEvidence1

The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.

5 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Jun 14, 2026
Detection: PTC Windchill Gateway Command Execution | Splunk Security Content

Listed as an associated threat actor in the detection annotation for exploitation of the public-facing PTC Windchill vulnerability CVE-2026-4681.

Read more
malpediaNews
May 14, 2026
Turla (Threat Actor)

Named threat actor referenced in global threat reporting.

Read more
splunk researchNews
May 12, 2026
Detection: Powershell Defender Threat Actions Set to Allow | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection.

Read more
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
+156 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping33

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs10

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.