GOLD TAHOE
SUMMARY
GOLD TAHOE is a financially motivated cybercriminal threat group active since at least 2015 that is frequently referred to as TA505 or FIN11. GOLD TAHOE historically operated as a malware distribution ("loads") service that made itself available to numerous threat groups. GOLD TAHOE has distributed GOLD DRAKE's Dridex and GOLD BLACKBURN's TrickBot malware, frequently through GOLD RIVERVIEW's now-defunct Necurs spam botnet. CTU researchers assess with high confidence that GOLD TAHOE operates independently of these threat groups, but public reporting has frequently associated activity from these groups with that of TA505. Since late 2018, GOLD TAHOE has focused largely on distributing its own malware, such as Get2, SDBbot, GraceWire, TrueBot, and FlawedAmmyy, which is then used to facilitate lateral movement within victim networks.
On June 16, 2021, Ukrainian media began to report that six individuals associated with Clop ransomware operations had been arrested following an international law enforcement operation involving Ukraine, the United States, South Korea, and Interpol. The involvement of South Korean police in this operation is thought to be connected to attacks in 2019 in which four South Korean companies were infected with Clop ransomware. The precise role of the arrested individuals remains unclear, with some reporting suggesting that they were involved in moving ransom money rather than in core malware development and ransomware operations.
Since 2020, GOLD TAHOE has focused on large-scale attacks that exploit zero-day or recently published vulnerabilities in victims' public-facing network services. The goal of these intrusions is the bulk exfiltration of sensitive data and, less frequently, the deployment of Clop ransomware to as many endpoints as possible. From December 2020 to January 2021, GOLD TAHOE exploited multiple vulnerabilities in Accellion File Transfer Appliance (FTA) devices at at least 25 organizations. No ransomware was deployed, and the intrusions appear to have been limited to accessing the data stored on the vulnerable FTA devices. Beginning in October 2021, GOLD TAHOE exploited a vulnerability (CVE-2021-35211) in SolarWinds Serv-U products to deploy Cobalt Strike to victim networks. Similar attacks were conducted throughout the first half of 2023 targeting GoAnywhere MFT (CVE-2023-0669), PaperCut MF/NG (CVE-2023-27350 and CVE-2023-27351), and Progress MOVEit Transfer (CVE-2023-34362).
In March 2023, CTU researchers observed an intrusion deploying Clop ransomware that stemmed from a Qakbot infection, which CTU researchers attribute with moderate confidence to GOLD NIAGARA. GOLD TAHOE is not thought to operate Clop as a ransomware-as-a-service offering, but it has been known to cooperate with trusted outside threat groups.
Shortly after an attack, victim organizations appear on the 'CL0P^_- LEAKS' Tor site, and the victims receive extortion demands from a group identifying itself as the 'CLOP ransomware team.' In addition to threatening victims with public disclosure of their data, GOLD TAHOE also contacts customers and partners of breach victims via email to apply additional pressure.