GOLD CONCORD is a financially motivated cybercriminal threat group that operates Setcord, a large network of websites distributing malware disguised as pirated software cracks and key generators. The Setcord network uses search engine optimization (SEO) techniques to drive web traffic for popular commercial software to attacker-controlled websites. These websites redirect victims to pages where malware, frequently hosted on legitimate file sharing sites and content distribution networks (CDNs), is downloaded instead of the software, crack, or license key generator expected by the victim. The malware is frequently delivered as a password-protected archive that expands to a large (400 to 700 MB) executable or ISO image containing one or more information stealers, such as RedLine. The file may also be packaged with malware that monitors the victim's Windows clipboard and modifies copied cryptocurrency addresses in an attempt to misdirect transfers.
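The clipboard-modifying component described above substitutes a copied cryptocurrency address with an attacker-controlled one. As an added detection example (not code from the profile or from any Setcord sample), the script below replays a constructed sequence of clipboard snapshots and flags a write that replaces a just-copied address with a different address of the same format within a short window. The event fields, the process names, the addresses and the 2-second window are all assumptions chosen for illustration; the page does not state which currencies the clipper targets, so the address patterns are generic Bitcoin and Ethereum formats.

```python
import re
from dataclasses import dataclass

# Generic address formats (assumption: the profile does not name the targeted currencies).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def address_type(text):
    """Return the address family a clipboard string looks like, or None."""
    candidate = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return name
    return None


@dataclass
class ClipboardEvent:
    ts: float     # seconds since monitoring started (constructed)
    owner: str    # process that wrote the clipboard (constructed field name)
    text: str


def detect_substitutions(events, window=2.0):
    """Flag clipboard writes that replace a copied address with a different
    address of the same family within `window` seconds. A user rarely copies
    two distinct addresses of the same type back to back that quickly, so a
    fast same-type replacement from another process is the clipper's signature."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        prev_type = address_type(prev.text)
        cur_type = address_type(cur.text)
        if prev_type is None or cur_type != prev_type:
            continue
        if prev.text.strip() == cur.text.strip():
            continue
        if cur.ts - prev.ts > window:
            continue
        alerts.append({
            "ts": cur.ts,
            "family": cur_type,
            "original": prev.text.strip(),
            "replacement": cur.text.strip(),
            "copied_by": prev.owner,
            "replaced_by": cur.owner,
        })
    return alerts


def sample_events():
    """Constructed clipboard log: one clipper-style substitution, one benign sequence."""
    victim_btc = "bc1qconstructedvictimaddress0000000000000000"
    attacker_btc = "bc1qconstructedattackeraddress00000000000000"
    eth_a = "0x" + "a" * 40
    eth_b = "0x" + "b" * 40
    return [
        ClipboardEvent(10.0, "firefox.exe", victim_btc),          # user copies from a wallet page
        ClipboardEvent(10.3, "unknown.exe", attacker_btc),         # 300 ms later another process rewrites it
        ClipboardEvent(45.0, "firefox.exe", eth_a),                # user copies an ETH address
        ClipboardEvent(80.0, "firefox.exe", eth_b),                # 35 s later copies a second one (benign)
        ClipboardEvent(90.0, "notepad.exe", "meeting notes"),      # non-address text, ignored
    ]


if __name__ == "__main__":
    for alert in detect_substitutions(sample_events()):
        print(alert)
```

On a live endpoint the same logic would sit behind a clipboard listener that records the owning process with each write; the time window and the "same family" rule are what keep false positives low, since a user pasting two different addresses in quick succession is the main benign case that would otherwise trip the check.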
CTU researchers assess with moderate confidence that GOLD CONCORD distributes malware on behalf of paying customers. These customers frequently resell the stolen credentials on underground markets, where they are bought by a variety of threat actors and used in attacks on victims and their organizations. Credentials stolen via RedLine distributed by the Setcord network have been used by one or more affiliates of GOLD MYSTIC's LockBit ransomware-as-a-service (RaaS) platform to conduct attacks.