GOLD SWATHMORE
SUMMARY
GOLD SWATHMORE is a financially motivated cybercriminal threat group that operated the IcedID (aka BokBot) malware from April 2017 through November 2023. The group previously operated the Catch malware (also known as Gozi Neverquest or Vawtrak) until the arrest of that malware's principal author in January 2017. IcedID, which its authors refer to internally as Anubis, was originally designed to facilitate financial fraud but was repurposed to almost exclusively provide initial access to networks for post-intrusion ransomware deployments. IcedID is modular malware that can retrieve additional plugins, such as those that provide a backconnect proxy or VNC access, to extend its capabilities. Typically, new infections are immediately instructed to execute nearly a dozen system and network reconnaissance commands and transmit their output to C2 servers. GOLD SWATHMORE and its partners then use this information to select potential high-value targets, and it may prompt the execution of additional malware such as Cobalt Strike Beacon.
On November 4, 2023, GOLD SWATHMORE disabled the IcedID infrastructure, and no new IcedID campaigns have been observed since. In October 2023, the group began experimenting with a new loader named Latrodectus and has distributed it in infrequent campaigns through mid-2024.
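The reconnaissance burst described in the summary is a practical detection hook. The following is an added example, not code from the original profile or from the group's tooling: it hunts process-creation logs for a single parent process that spawns many distinct built-in discovery utilities within a short window, which separates an automated post-infection burst from a manual admin session running the same commands over hours. The log format, the process names and the utility watchlist are constructed assumptions; the page does not list IcedID's exact commands.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist of built-in discovery utilities (the page does not list IcedID's exact commands).
RECON_IMAGES = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "net1.exe",
                "nltest.exe", "tasklist.exe", "arp.exe", "route.exe", "nslookup.exe"}

# Constructed Sysmon-style process-creation records: "time|parent_pid|parent_image|image".
SAMPLE_LOG = """\
2023-06-01T09:00:05|4120|explorer.exe|whoami.exe
2023-06-01T09:15:00|7712|rundll32.exe|whoami.exe
2023-06-01T09:15:01|7712|rundll32.exe|ipconfig.exe
2023-06-01T09:15:01|7712|rundll32.exe|systeminfo.exe
2023-06-01T09:15:02|7712|rundll32.exe|net.exe
2023-06-01T09:15:02|7712|rundll32.exe|net.exe
2023-06-01T09:15:03|7712|rundll32.exe|nltest.exe
2023-06-01T09:15:04|7712|rundll32.exe|tasklist.exe
2023-06-01T10:00:00|5300|powershell.exe|ipconfig.exe
2023-06-01T10:20:00|5300|powershell.exe|whoami.exe
2023-06-01T10:45:00|5300|powershell.exe|nltest.exe
2023-06-01T11:10:00|5300|powershell.exe|net.exe
2023-06-01T11:30:00|5300|powershell.exe|systeminfo.exe
2023-06-01T11:50:00|5300|powershell.exe|tasklist.exe
"""

def parse_events(text):
    """Yield (time, parent_pid, parent_image, child_image); malformed records are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 4:
            ts, ppid, pimage, image = parts
            yield datetime.fromisoformat(ts), int(ppid), pimage.lower(), image.lower()

def find_recon_bursts(text, threshold=6, window=timedelta(seconds=60)):
    """One alert per parent that spawned >= threshold distinct recon utilities within any
    sliding window; a slow manual admin session spread over hours stays unflagged."""
    per_parent = defaultdict(list)
    for ts, ppid, pimage, image in parse_events(text):
        if image in RECON_IMAGES:
            per_parent[(ppid, pimage)].append((ts, image))
    alerts = []
    for (ppid, pimage), events in per_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {img for ts, img in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append({"parent_pid": ppid, "parent_image": pimage,
                               "first_seen": start, "distinct_recon": sorted(seen)})
                break  # one alert per parent is enough for triage
    return alerts
```

Running `find_recon_bursts(SAMPLE_LOG)` flags only the rundll32.exe parent (six distinct utilities in four seconds); the powershell.exe session runs the same six commands but spread over two hours and is left alone.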