GOLD MATADOR
SUMMARY
GOLD MATADOR is a financially motivated cybercriminal threat group that operated as an affiliate of GOLD HAWTHORNE's Hive ransomware-as-a-service (RaaS) program. CTU researchers observed GOLD MATADOR attempting to deploy Hive ransomware on victim environments from April 2022. It is not known whether the group continued its operations with a different RaaS scheme after the demise of Hive in January 2023.
The group uses a variety of tools to achieve its ultimate objectives of data exfiltration and network-wide encryption, deploying the ransomware through Group Policy Objects (GPOs) pushed from domain controllers and through scheduled tasks.
GOLD MATADOR gains initial access through remote access services such as SSL VPNs and exposed RDP servers, authenticating with compromised credentials. After reconnaissance to enumerate the domain and harvest credentials with tools such as PCHunter64, SharpView and Mimikatz, the group moves laterally over Remote Desktop Protocol (RDP). It deploys the SystemBC proxy tool to disguise its network traffic and installs Cobalt Strike Beacon on numerous hosts for command and control. GOLD MATADOR browses directories and views specific files before using FileZilla to exfiltrate data.
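The deployment pattern described above (a GPO change on a domain controller followed by the same scheduled task appearing on many hosts, with FileZilla used for exfiltration) can be turned into a simple correlation rule. The following is an added example written for this page, not CTU tooling; the events, host names, account name and field names are constructed to resemble normalized Windows Security events (5136 directory object modified, 4698 scheduled task created, 4688 process created) and are assumptions, not real telemetry.

```python
"""Flag ransomware staging: a groupPolicyContainer change on a domain
controller followed, within a short window, by one scheduled task name
being created on several hosts, plus FileZilla launches as an exfil hint.

Added example; EVENTS and DOMAIN_CONTROLLERS are constructed sample data,
and the field names are an assumed normalization of Windows event logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"DC01"}  # constructed inventory of DCs

EVENTS = [  # constructed sample events, oldest first
    # a task created the day before: outside any window, must be ignored
    {"ts": "2022-04-09T23:00:00", "host": "WS09", "event_id": 4698,
     "task_name": "\\Update", "command": "C:\\Tools\\agent.exe"},
    # GPO modified on the DC (5136, attribute of a groupPolicyContainer)
    {"ts": "2022-04-10T02:00:00", "host": "DC01", "event_id": 5136,
     "object_class": "groupPolicyContainer",
     "attribute": "gPCMachineExtensionNames", "subject": "CORP\\svc_backup"},
    # the same task name then appears on three workstations
    {"ts": "2022-04-10T02:05:00", "host": "WS01", "event_id": 4698,
     "task_name": "\\Update",
     "command": "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\x.exe"},
    {"ts": "2022-04-10T02:05:30", "host": "WS02", "event_id": 4698,
     "task_name": "\\Update",
     "command": "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\x.exe"},
    {"ts": "2022-04-10T02:06:00", "host": "WS03", "event_id": 4698,
     "task_name": "\\Update",
     "command": "\\\\corp.local\\SYSVOL\\corp.local\\scripts\\x.exe"},
    # an unrelated single-host task inside the window: below threshold
    {"ts": "2022-04-10T02:07:00", "host": "WS07", "event_id": 4698,
     "task_name": "\\Backup", "command": "C:\\Backup\\run.exe"},
    # FileZilla started on one of the hosts (4688 process creation)
    {"ts": "2022-04-10T02:40:00", "host": "WS02", "event_id": 4688,
     "new_process": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def gpo_changes(events):
    """5136 events on a DC that touch a groupPolicyContainer object."""
    return [e for e in events
            if e["event_id"] == 5136
            and e["host"] in DOMAIN_CONTROLLERS
            and e.get("object_class") == "groupPolicyContainer"]


def detect_gpo_task_fanout(events, window_minutes=30, min_hosts=3):
    """Return one finding per (GPO change, task name) where the same task
    is created on at least min_hosts distinct hosts within the window."""
    findings = []
    tasks = [e for e in events if e["event_id"] == 4698]
    for gpo in gpo_changes(events):
        start = _ts(gpo)
        end = start + timedelta(minutes=window_minutes)
        hosts_by_task = defaultdict(set)
        for t in tasks:
            if start <= _ts(t) <= end:
                hosts_by_task[t["task_name"]].add(t["host"])
        for name, hosts in hosts_by_task.items():
            if len(hosts) >= min_hosts:
                findings.append({
                    "gpo_change_on": gpo["host"],
                    "changed_by": gpo["subject"],
                    "task_name": name,
                    "hosts": sorted(hosts),
                })
    return findings


def exfil_tool_launches(events):
    """Hosts where a 4688 event shows filezilla.exe being started."""
    return sorted({e["host"] for e in events
                   if e["event_id"] == 4688
                   and e.get("new_process", "").lower().endswith("filezilla.exe")})


if __name__ == "__main__":
    for f in detect_gpo_task_fanout(EVENTS):
        print("GPO-driven task fan-out:", f)
    print("FileZilla launched on:", exfil_tool_launches(EVENTS))
```

The window and host threshold are tuning knobs: a legitimate administrator pushing a task through GPO will trip the same rule, so the `changed_by` account should be checked against change records, and a task whose action points at SYSVOL or a freshly written binary deserves immediate attention.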