GOLD CAMOUFLAGE
SUMMARY
GOLD CAMOUFLAGE is a financially motivated cybercriminal threat group that operates a malware crypter service. The service has been active since at least June 2020 and possibly as far back as 2015. Secureworks® Counter Threat Unit™ (CTU) researchers have named the crypter used in this operation DarkTortilla. DarkTortilla is a complex .NET-based crypter that typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, CTU researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. The crypter is highly configurable and can deliver additional malicious payloads and benign decoy documents or executables as “addon packages”. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.