{
	"id": "9a065e62-d1b4-476c-8b4a-87b17c2687e8",
	"created_at": "2026-04-06T00:12:11.666013Z",
	"updated_at": "2026-04-10T03:36:07.865699Z",
	"deleted_at": null,
	"sha1_hash": "4d89975444b0e90c05325555142efb6970a8eb74",
	"title": "Boss Spider, Gold Lowell - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59076,
	"plain_text": "Boss Spider, Gold Lowell - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:48:04 UTC\r\n APT group: Boss Spider, Gold Lowell\r\nNames\r\nBoss Spider (CrowdStrike)\r\nGold Lowell (SecureWorks)\r\nCTG-0007 (SecureWorks)\r\nCountry Iran\r\nMotivation Financial gain\r\nFirst seen 2015\r\nDescription\r\n(SecureWorks) In late 2015, Secureworks Counter Threat Unit (CTU) researchers\r\nbegan tracking financially motivated campaigns leveraging SamSam ransomware (also\r\nknown as Samas and SamsamCrypt). CTU researchers associate this activity with the\r\nGold Lowell threat group. Gold Lowell typically scans for and exploits known\r\nvulnerabilities in Internet-facing systems to gain an initial foothold in a victim’s\r\nnetwork. The threat actors then deploy the SamSam ransomware and demand payment\r\nto decrypt the victim’s files. The consistent tools and behaviors associated with\r\nSamSam intrusions since 2015 suggest that Gold Lowell is either a defined group or a\r\ncollection of closely affiliated threat actors. Applying security updates in a timely\r\nmanner and regularly monitoring for anomalous behaviors on Internet-facing systems\r\nare effective defenses against these tactics. 
Organizations should also create and test\r\nresponse plans for ransomware incidents and use backup solutions that are resilient to\r\ncorruption or encryption attempts.\r\nObserved Sectors: Education, Government, Healthcare.\r\nTools used Mimikatz, PsExec, SamSam, SDelete.\r\nCounter operations Nov 2018\r\nTwo Iranian Men Indicted for Deploying Ransomware to Extort\r\nHospitals, Municipalities, and Public Institutions, Causing Over $30\r\nMillion in Losses\r\n\u003chttps://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public\u003e\n\nInformation\nLast change to this card: 26 April 2021\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=cdf69db4-97ac-4cd2-a705-a4d5ab2d302e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=cdf69db4-97ac-4cd2-a705-a4d5ab2d302e"
	],
	"report_names": [
		"showcard.cgi?u=cdf69db4-97ac-4cd2-a705-a4d5ab2d302e"
	],
	"threat_actors": [
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434331,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d89975444b0e90c05325555142efb6970a8eb74.pdf",
		"text": "https://archive.orkl.eu/4d89975444b0e90c05325555142efb6970a8eb74.txt",
		"img": "https://archive.orkl.eu/4d89975444b0e90c05325555142efb6970a8eb74.jpg"
	}
}