GOLD HIDEAWAY
SUMMARY
GOLD HIDEAWAY is a financially motivated cybercrime group that has been active since at least June 2021. It operates as an affiliate in ransomware operations and has been observed deploying LockBit and conducting precursor activity ahead of a REvil deployment.
The group uses search engine optimization (SEO) poisoning to direct victims to compromised WordPress websites that host malicious JavaScript files inside ZIP archives. Opening the JavaScript file starts an infection chain that ends with the installation of Cobalt Strike Beacon. A similar delivery method has been observed in Gootkit deployments.
In addition to Cobalt Strike, GOLD HIDEAWAY uses Advanced IP Scanner for network reconnaissance and FreeFileSync for data exfiltration, and it attempts defense evasion by disabling antivirus services before deploying ransomware.
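The two behaviours described above, a user opening a ZIP-delivered .js file and antivirus services being stopped before ransomware runs, are both visible in process-creation telemetry. The following detection logic is an added example written for this page, not CTU or Secureworks code and not derived from any GOLD HIDEAWAY sample. The process events are constructed to resemble Sysmon Event ID 1 records, and the path fragments in USER_WRITABLE, the service-name hints in AV_HINTS, and the host and file names are assumptions chosen for illustration. It goes slightly beyond the text by correlating the two rules per host, so a machine that shows the .js lure followed by AV tampering is reported as a likely pre-ransomware stage.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Windows 4688 style)."""
    event_id: int
    host: str
    image: str
    command_line: str
    parent_image: str


# Windows script hosts invoked when a user double-clicks a .js file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paths where a file extracted from a downloaded ZIP usually lands (assumption).
USER_WRITABLE = re.compile(r"\\(?:downloads|temp|tmp|appdata)\\", re.IGNORECASE)
# Command-line shapes used to stop/disable a service or Defender real-time protection;
# group(1) captures the service name (or the cmdlet for Set-MpPreference).
SERVICE_TAMPER = [
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+(\S+)", re.IGNORECASE),
    re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE),
    re.compile(r"\b(set-mppreference)\b.*-disable\w*", re.IGNORECASE),
]
# Substrings identifying antivirus services; illustrative, tune to the deployed product.
AV_HINTS = ("windefend", "defender", "antivirus", "sense", "set-mppreference")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def is_js_lure(ev):
    """Script host launched on a .js file that sits in a user-writable location."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(a.lower().endswith(".js") and USER_WRITABLE.search(a)
               for a in argv(ev.command_line)[1:])


def is_av_tamper(ev):
    """Service stop/disable (or Defender preference change) aimed at antivirus."""
    for pat in SERVICE_TAMPER:
        m = pat.search(ev.command_line)
        if m and any(h in m.group(1).lower() for h in AV_HINTS):
            return True
    return False


RULES = (("js_lure_from_user_path", is_js_lure), ("av_service_tamper", is_av_tamper))


def detect(events):
    """Return (rule_name, event_id) for every event that trips a rule."""
    return [(name, ev.event_id) for ev in events for name, fn in RULES if fn(ev)]


def hosts_with_chain(events):
    """Hosts where a .js lure ran and antivirus was tampered with afterwards."""
    lure_seen, chained = set(), []
    for ev in sorted(events, key=lambda e: e.event_id):
        if is_js_lure(ev):
            lure_seen.add(ev.host)
        elif is_av_tamper(ev) and ev.host in lure_seen and ev.host not in chained:
            chained.append(ev.host)
    return chained


# Constructed sample telemetry (not real logs); paths and names are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1, "WS01", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\agreement_template\agreement template(12345).js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(2, "WS01", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Windows\System32\slmgr.vbs" /dlv',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3, "WS01", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c sc stop WinDefend", r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(4, "WS02", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c net stop Spooler", r"C:\Windows\explorer.exe"),
    ProcEvent(5, "WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(6, "WS03", r"C:\Windows\System32\cscript.exe",
              r"C:\Windows\System32\cscript.exe //E:JScript C:\Users\jdoe\AppData\Local\Temp\7zO4A1\deploy.js",
              r"C:\Program Files\7-Zip\7zFM.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("lure followed by AV tamper on:", hosts_with_chain(SAMPLE_EVENTS))
```

Run stand-alone, it flags events 1, 3, 5 and 6 and reports WS01 as the only host on which the lure preceded AV tampering; WS02 shows tampering with no observed lure, and WS03 shows the lure alone. Administrative scripts legitimately run from Temp will trip the lure rule, so in production narrow USER_WRITABLE, add the parent process (explorer.exe or an archiver GUI, as in events 1 and 6) as a condition, and replace AV_HINTS with the exact service names of the product in use.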
CTU researchers assess with moderate confidence that GOLD HIDEAWAY began working with GOLD MYSTIC to deploy LockBit ransomware in response to GOLD SOUTHFIELD temporarily shuttering its REvil operation in July 2021.