GOLD MATADOR
SUMMARY
GOLD MATADOR is a financially motivated cybercriminal threat group that currently operates as an affiliate of GOLD HAWTHORNE's Hive ransomware program. CTU researchers have observed GOLD MATADOR attempting to deploy Hive ransomware on victim environments since April 2022.
The group uses a variety of tools to meet its ultimate objectives of data exfiltration and network encryption, deploying ransomware through group policy objects (GPOs) pushed from domain controllers and through scheduled tasks.
GOLD MATADOR gains access to networks through remote access services, such as SSL VPNs and RDP servers, using compromised credentials. After conducting reconnaissance to enumerate domains and harvest credentials with tools like PCHunter64, SharpView and Mimikatz, the group moves laterally through remote desktop protocol (RDP). It deploys the SystemBC proxy tool to disguise network traffic and Cobalt Strike Beacon for command and control, installing the Beacon on numerous hosts. GOLD MATADOR explores directories and views specific files before using FileZilla for data exfiltration.
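As an added defender-side example (not part of the Secureworks profile), the following Python scores each host by how many phases of the intrusion chain described above appear in its process-creation events, and separately flags scheduled tasks created to run a binary from a network share, the GPO-style deployment pattern the profile mentions. The executable names, the sample events and the `schtasks` rule are assumptions made for illustration.

```python
import os
from collections import defaultdict

# Tools named in the profile, mapped to the phase they indicate. The executable names are
# assumptions: the profile names tools, not file names, and intruders routinely rename
# binaries, so production detections should not rely on image names alone.
PHASE_OF_TOOL = {
    "pchunter64.exe": "recon",
    "sharpview.exe": "recon",
    "mimikatz.exe": "credential-harvest",
    "systembc.exe": "proxy",   # placeholder name for the SystemBC proxy
    "beacon.exe": "c2",        # placeholder name for a Cobalt Strike Beacon
    "filezilla.exe": "exfil",
}

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2022-05-01T02:11:00Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\mstsc.exe"},
    {"ts": "2022-05-01T02:14:30Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\PCHunter64.exe"},
    {"ts": "2022-05-01T02:20:05Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Temp\\mimikatz.exe"},
    {"ts": "2022-05-01T02:45:12Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"},
    {"ts": "2022-05-01T03:02:00Z", "host": "WS22", "user": "CORP\\asmith", "image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"},
    {"ts": "2022-05-01T03:10:00Z", "host": "DC01", "user": "CORP\\svc_gp", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Update /tr \\\\corp\\netlogon\\x.exe /ru SYSTEM"},
]

def phase_of(event):
    """Return the chain phase implied by the process image name, or None."""
    name = os.path.basename(event["image"].replace("\\", "/")).lower()
    return PHASE_OF_TOOL.get(name)

def phases_by_host(events):
    """Distinct phases seen on each host, in order of first sighting."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        phase = phase_of(ev)
        if phase and phase not in seen[ev["host"]]:
            seen[ev["host"]].append(phase)
    return dict(seen)

def hosts_to_escalate(events, min_phases=2):
    """Hosts where several phases co-occur (a lone FileZilla run is weak evidence), plus hosts
    creating a scheduled task whose action is a binary on a UNC path."""
    flagged = {h: p for h, p in phases_by_host(events).items() if len(p) >= min_phases}
    for ev in events:
        cmd = ev.get("cmdline", "").lower()
        if cmd.startswith("schtasks") and "/create" in cmd and "/tr \\\\" in cmd:
            flagged.setdefault(ev["host"], []).append("task-from-share")
    return flagged

if __name__ == "__main__":
    for host, findings in hosts_to_escalate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(findings))
```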