Updated 10/13/2025

Insider Threat Alert: Meet Gold Melody – The Cybercrime Group Selling Your Company's Secrets!

Today, let's delve into one of the most intriguing threat actors: insiders selling access to your very own organization!

Introducing Gold Melody, a financially motivated cybercrime group that goes by names like Prophet Spider (CrowdStrike) and UNC961 (Mandiant). Dating back to 2017, they have compromised organizations by exploiting vulnerabilities in unpatched internet-facing servers.

Mandiant’s analysis has unveiled UNC961’s modus operandi, often setting the stage for Maze and Egregor ransomware attacks by other actors. Their initial access tactics are both resourceful and cost-effective, frequently relying on publicly available exploit code.

Gold Melody’s focus appears to be more about seizing financial opportunities. Their track record includes attacks exploiting security flaws across various servers, solidifying their presence in the cybersecurity landscape.

Gold Melody has targeted organizations spanning retail, healthcare, energy, finance, and high-tech sectors across North America, Northern Europe, and Western Asia. Since 2020, their operations have been expanding in these regions.

Armed with a versatile toolkit encompassing web shells, operating system software, and utilities, they also make use of proprietary RATs and tunneling tools. This arsenal enables them to execute commands, gather critical data, and establish reverse tunnels while conducting extensive scanning to gain insights into a victim’s environment.

Gold Melody’s typical strategy involves gaining initial access through diverse vulnerabilities, followed by deploying web shells to ensure persistence and prepare the tools needed for their infection chain. While they are thorough in reconnaissance, all their attempts thus far have been unsuccessful.
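Because web shells dropped on internet-facing servers are the persistence step in the chain described above, one practical defensive check is to triage web server access logs for script paths that behave like operator-driven shells rather than application endpoints. The following is an added example, not code from the original post or from any vendor report on this group; it assumes Apache/nginx "combined" log format, a constructed set of sample log lines, and a hypothetical allowlist (`BASELINE`) of the application's known script endpoints.

```python
"""Heuristic web-shell triage over HTTP access logs (added example).

Flags server-side script paths that (1) are not in the known-endpoint
baseline, (2) receive POST requests, and (3) are driven by only a few
distinct client addresses. Low client diversity plus POST traffic to an
unexpected script is the classic shape of a dropped web shell.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions that execute server-side on common web stacks.
SCRIPT_EXT = (".aspx", ".asp", ".jsp", ".jspx", ".php", ".ashx")

# Hypothetical allowlist of the application's legitimate script endpoints.
BASELINE = {"/login.php", "/api/upload.php", "/index.php", "/about.php"}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:09:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.8 - - [12/Oct/2025:09:01:12 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.9 - - [12/Oct/2025:09:01:15 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.10 - - [12/Oct/2025:09:02:03 +0000] "GET /about.php?v=3 HTTP/1.1" 200 3000
198.51.100.20 - - [12/Oct/2025:09:04:55 +0000] "GET /uploads/img/cache.php HTTP/1.1" 200 12
198.51.100.20 - - [12/Oct/2025:09:05:01 +0000] "POST /uploads/img/cache.php HTTP/1.1" 200 212
198.51.100.20 - - [12/Oct/2025:09:05:09 +0000] "POST /uploads/img/cache.php HTTP/1.1" 200 4096
203.0.113.11 - - [12/Oct/2025:09:06:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8000
"""


def parse_log(log_text):
    """Yield one dict per line that matches the combined log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious_scripts(log_text, baseline=BASELINE, max_clients=2):
    """Return {path: {"posts": n, "clients": [...]}} for candidate web shells.

    A path is a candidate when it has a server-side script extension, is
    absent from `baseline`, received at least one POST, and was used by at
    most `max_clients` distinct client addresses.
    """
    posts = defaultdict(int)
    clients = defaultdict(set)
    for rec in parse_log(log_text):
        # Strip the query string so /x.php?a=1 and /x.php aggregate together.
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        clients[path].add(rec["ip"])
        if rec["method"] == "POST":
            posts[path] += 1

    result = {}
    for path, ips in clients.items():
        if path in baseline or posts[path] == 0 or len(ips) > max_clients:
            continue
        result[path] = {"posts": posts[path], "clients": sorted(ips)}
    return result


if __name__ == "__main__":
    for path, info in find_suspicious_scripts(SAMPLE_LOG).items():
        print(f"candidate web shell: {path} posts={info['posts']} clients={info['clients']}")
```

On the constructed sample this flags only `/uploads/img/cache.php`: it sits under an upload directory, is not a known endpoint, and is POSTed to by a single client. The login endpoint also receives POSTs but is allowlisted, and `/about.php` sees only GETs. In practice the baseline should be generated from a known-good deployment (or a file inventory of the web root) rather than hand-written, and hits should be correlated with file creation times on the server.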

Interestingly, Gold Melody doesn’t aim for the long haul; they operate as an Initial Access Broker (IAB). Their business? Selling access to other threat actors who often monetize it through ransomware attacks.
