Skip to main content
Mallory
Back to threat actors
Financially Motivated5 malware familiesExploits CVEs in the wild

GOLD SOUTHFIELD

Also known asGOLD SOUTHFIELDPinchy Spider

GOLD SOUTHFIELD, also referred to as PINCHY SPIDER, is the threat actor identified in the content as the group better known as REvil. The content associates the actor with ransomware operations and multiple intrusion techniques. Reported activity includes staging and executing PowerShell scripts on compromised hosts; using PowerShell for execution; exploiting public-facing applications for initial access, including Oracle WebLogic vulnerabilities; using web shells and IIS components for persistence; using command and scripting interpreters; using command obfuscation; creating or abusing shared modules; and using remote access tools for command and control. The content also states that GOLD SOUTHFIELD used the cloud-based remote management and monitoring tool ConnectWise Control to deploy REvil. It further links the actor to software supply chain-style distribution activity, specifically distributing ransomware by backdooring software installers through a strategic web compromise of the site hosting Italian WinRAR. ATT&CK techniques directly mentioned in the content for GOLD SOUTHFIELD include T1059.001 (PowerShell), T1129 (Shared Modules), T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), T1505.004 (IIS Components), T1027.010 (Command Obfuscation), T1219 (Remote Access Tools), T1608.001 (Upload Malware), and T1608.002 (Upload Tool).

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

33 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics39 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1592
Gather Victim Host Information
T1595
Active Scanning
TA0042
Resource Development
1 technique
T1608×2
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
5 techniques
T1133×8
External Remote Services
T1190×30
Exploit Public-Facing Application
T1195
Supply Chain Compromise
T1195.002
Compromise Software Supply Chain
T1199×2
Trusted Relationship
T1566×2
Phishing
TA0002
Execution
4 techniques
T1059
Command and Scripting Interpreter
T1059.001×20
PowerShell
T1129
Shared Modules
T1204
User Execution
T1204.002
Malicious File
T1574
Hijack Execution Flow
TA0003
Persistence
2 techniques
T1133×8
External Remote Services
T1505
Server Software Component
T1505.003×4
Web Shell
T1505.004
IIS Components
TA0004
Privilege Escalation
1 technique
T1055
Process Injection
TA0005
Stealth
4 techniques
T1027
Obfuscated Files or Information
T1027.005
Indicator Removal from Tools
T1027.010
Command Obfuscation
T1055
Process Injection
T1140
Deobfuscate/Decode Files or Information
T1574
Hijack Execution Flow
TA0007
Discovery
3 techniques
T1012
Query Registry
T1482
Domain Trust Discovery
T1518
Software Discovery
TA0008
Lateral Movement
1 technique
T1570
Lateral Tool Transfer
TA0009
Collection
1 technique
T1113
Screen Capture
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1219×7
Remote Access Tools
TA0040
Impact
3 techniques
T1486
Data Encrypted for Impact
T1490
Inhibit System Recovery
T1531
Account Access Removal
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
REvilGOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil.4Apr 30, 2026
Brute Ratel C4This activity is significant as it may indicate the presence of Brute Ratel C4, a sophisticated remote access tool used for credential dumping and other malicious activities.1Mar 17, 2026
CarbanakAnnotations ID Technique Tactic T1219 Remote Access Tools Command And Control BlackByte Carbanak Cobalt Group1Mar 17, 2026
Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.1May 6, 2026
RemcosThis activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording.1Mar 17, 2026
WEAPONIZED

Associated vulnerabilities

9 CVEs this actor has used in observed campaigns. 9 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2022-26134Atlassian Confluence Server and Data Center OGNL Injection RCEIn the wildEvidence1

The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.

4 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
malpediaNews
May 14, 2026
Turla (Threat Actor)

Named threat actor referenced in global threat reporting.

Read more
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows TeamCity Payload Execution from Temp Directory | Splunk Security Content

Listed as a threat actor associated with the TeamCity payload execution detection covering exploitation of a public-facing application, web shell persistence, and command/scripting interpreter execution.

Read more
+154 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping33

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs9

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.