GOLD CAMOUFLAGE
SUMMARY
GOLD CAMOUFLAGE is a financially motivated cybercriminal threat group that operates a malware crypter service. The service has been active since at least June 2020 and possibly as far back as 2015. Secureworks® Counter Threat Unit™ (CTU) researchers have named the crypter used in this operation DarkTortilla.
DarkTortilla is a complex .NET-based crypter that delivers a steadily evolving array of payloads, typically popular information stealers and remote access trojans (RATs), including QuasarRAT, LummaC2, AsyncRAT, Remcos, AgentTesla, NanoCore, and XWorm. Although it primarily delivers commodity malware, CTU researchers have identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. In mid-2024, CTU researchers observed DarkTortilla delivering a version of the LockBit 3.0 ransomware based on the leaked builder code.
The crypter is highly configurable and can deliver additional malicious payloads, as well as benign decoy documents and executables, as “addon packages”. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.