{
	"id": "3cee0e5d-5386-48c7-864e-192108fc1297",
	"created_at": "2026-04-06T00:19:03.986037Z",
	"updated_at": "2026-04-10T13:12:19.981315Z",
	"deleted_at": null,
	"sha1_hash": "58376cc050037ca647bf95e4af056873f9f10fa7",
	"title": "Pinchy Spider, Gold Southfield - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 120831,
	"plain_text": "Pinchy Spider, Gold Southfield - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 13:42:56 UTC\nAPT group: Pinchy Spider, Gold Southfield\nNames\nPinchy Spider (CrowdStrike)\nGold Southfield (SecureWorks)\nGold Garden (SecureWorks)\nG0115 (MITRE)\nCountry Russia\nMotivation Financial gain\nFirst seen 2018\nDescription\n(CrowdStrike) CrowdStrike Intelligence has recently observed Pinchy Spider affiliates deploying GandCrab\nransomware in enterprise environments, using lateral movement techniques and tooling commonly associated w\nnation-state adversary groups and penetration testing teams. This change in tactics makes Pinchy Spider and its\naffiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomwar\ndeployments known as “big game hunting.”\nPinchy Spider is the criminal group behind the development of the ransomware most commonly known as Gand\nwhich has been active since January 2018. Pinchy Spider sells access to use GandCrab ransomware under a par\nprogram with a limited number of accounts. 
The program is operated with a 60-40 split in profits (60 percent to\ncustomer), as is common among eCrime actors, but Pinchy Spider is also willing to negotiate up to a 70-30 spli\n“sophisticated” customers.\nGandCrab and Sodinokibi have been observed to be distributed by DanaBot (operated by Scully Spider, TA547\nTaurus Loader (operated by Venom Spider, Golden Chickens).\nObserved Countries: Worldwide.\nTools used certutil, Cobalt Strike, GandCrab, Sodinokibi, VIDAR.\nOperations performed\nApr 2019\nSodinokibi ransomware exploits WebLogic Server vulnerability\nJun 2019\nYesterday night, a source in the malware community has told ZDNet that the GandCrab RaaS ope\nformally announced plans to shut down their service within a month.\nThe announcement was made in an official thread on a well-known hacking forum, where the Gan\nRaaS has advertised its service since January 2018, when it formally launched.\nAug 2019\nOver 20 Texas local governments hit in 'coordinated ransomware attack'\nDec 2019\nCyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, Z\nhas learned.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bdd28842-178b-4258-a37f-5c1c1bb71bb2\nPage 1 of 7\n\nDec 2019\nSodinokibi Ransomware Behind Travelex Fiasco: Report\nDec 2019\nA crypto virus that attacked the Albany County Airport Authority's computer management provid\nduring the Christmas holiday period ended up infecting the authority's servers as well, encrypting\nand demanding a ransom payment.\nJan 2020\nNew Jersey Synagogue Suffers Sodinokibi Ransomware Attack\nJan 2020\nSodinokibi Ransomware Publishes Stolen Data for the First Time\nThey claim this data belongs to Artech Information Systems, who describe themselves as a 'minor\nwomen-owned diversity supplier and one of the largest IT staffing companies in the U.S', and that\nwill release more if a ransom is not paid.\nFeb 2020\nThe operators of the Sodinokibi Ransomware (REvil) have started urging affiliates to 
copy their v\ndata before encrypting computers so it can be used as leverage on a new data leak site that is bein\nlaunched soon.\nFeb 2020\nThe operators behind Sodinokibi Ransomware published download links to files containing what\nclaim is financial and work documents, as well as customers' personal data stolen from giant U.S.\nhouse Kenneth Cole Productions.\nMar 2020\nThe operators of the Sodinokibi Ransomware are threatening to publicly share a company's 'dirty'\nfinancial secrets because they refused to pay the demanded ransom.\nAs organizations decide to restore their data manually or via backups instead of paying ransoms,\nransomware operators are escalating their attacks.\nMar 2020\nRecently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly be\nto a company named Brooks International for not paying the ransom.\nApr 2020\nSodinokibi Ransomware to stop taking Bitcoin to hide money trail\nApr 2020\nSeaChange video platform allegedly hit by Sodinokibi ransomware\nMay 2020\nREvil ransomware threatens to leak A-list celebrities' legal docs\nMay 2020\nREvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs\nattack\nMay 2020\nHere come REvil ransomware operators with another massive data leak. 
In this instance, they leak\nconfidential data of Agromart Group, well-known crop production partners.\nJun 2020\nREvil ransomware creates eBay-like auction site for stolen data\nJun 2020\nREvil ransomware operators have been observed while scanning one of their victim's network for\nof Sale (PoS) servers by researchers with Symantec's Threat Intelligence team.\nJun 2020\nThe threat actor behind the Sodinokibi (REvil) ransomware is demanding a $14 million ransom fr\nBrazilian-based electrical energy company Light S.A.\nJul 2020\nA ransomware gang has infected the internal network of Telecom Argentina, one of the country's l\ninternet service providers, and is now asking for a $7.5 million ransom demand to unlock encrypt\nJul 2020\nAdministrador de Infraestructuras Ferroviarias (ADIF), a Spanish state-owned railway infrastruct\nmanager was hit by REvil ransomware operators.\nAug 2020\nBrown-Forman, one of the largest U.S. companies in the spirits and wine business, suffered a cyb\nattack. The intruders allegedly copied 1TB of confidential data.\nSep 2020\nREvil ransomware deposits $1 million in hacker recruitment drive\nOct 2020\nREvil ransomware gang claims over $100 million profit in a year\nOct 2020\nToday, the threat actors added GPI (Gaming Partners International) to their dedicated leak site. 
GP\ndescribes itself as a leading provider of casino currency and table game equipment worldwide.\nNov 2020\nManaged web hosting provider Managed.com has taken their servers and web hosting systems off\nthey struggle to recover from a weekend REvil ransomware attack.\nJan 2021\nPan-Asian retail giant Dairy Farm suffers REvil ransomware attack\nMar 2021\nRansomware gang plans to call victim's business partners about attacks\nMar 2021\nComputer giant Acer hit by $50 million ransomware attack\nMar 2021\nREvil ransomware has a new ‘Windows Safe Mode’ encryption mode\nMar 2021\nREvil ransomware can now reboot infected devices\nApr 2021\nAsteelflash electronics maker hit by REvil ransomware attack\nApr 2021\nREvil ransomware now changes password to auto-login in Safe Mode\nApr 2021\nLeading cosmetics group Pierre Fabre hit with $25 million ransomware attack\nApr 2021\nREvil gang tries to extort Apple, threatens to sell stolen blueprints\nApr 2021\nBrazil's Rio Grande do Sul court system hit by REvil ransomware\nMay 2021\nFBI: JBS ransomware attack was carried out by REvil\nJun 2021\nFujifilm confirms ransomware attack disrupted business operations\nJun 2021\nUS nuclear weapons contractor Sol Oriens has suffered a cyberattack allegedly at the hands of the\nransomware gang, which claims to be auctioning data stolen during the attack.\nJun 2021\nRelentless REvil, revealed: RaaS as variable as the criminals who use it\nJun 2021\nHealthcare giant Grupo Fleury hit by REvil ransomware attack\nJun 2021\nFashion titan French Connection says 'FCUK' as REvil-linked ransomware makes off with data\nJul 2021\nSpanish telecom giant MasMovil hit by REvil ransomware gang\nJul 2021\nKaseya hijacked, thousands attacked by REvil, fix delayed again\nJul 2021\nREvil ransomware gang's web sites 
mysteriously shut down\nSep 2021\nUK VoIP telco receives 'colossal ransom demand', reveals REvil cybercrooks suspected of 'organi\nDDoS attacks on UK VoIP companies\nSep 2021\nREvil ransomware group returns following Kaseya attack\nSep 2021\nREvil ransomware is back in full attack mode and leaking data\nSep 2021\nREvil ransomware devs added a backdoor to cheat affiliates\nOct 2021\nHong Kong marketing firm Fimmick has been hit with a ransomware attack, according to a Britis\ncybersecurity firm monitoring the situation.\nJan 2022\nAfter Russian Arrests, REvil Implants Persist\nApr 2022\nREvil's TOR sites come alive to redirect to new ransomware operation\nMay 2022\nREvil ransomware returns: New malware sample confirms gang is back\nMay 2022\nREvil Resurgence? Or a Copycat?\nCounter operations\nJul 2020\nGandCrab ransomware operator arrested in Belarus\nSep 2021\nREvil Affiliates Confirm: Leadership Were Cheating Dirtbags\nOct 2021\nREvil ransomware shuts down again after Tor sites were hijacked\nOct 2021\nTwo ransomware operators arrested in Ukraine\nOct 2021\nGerman investigators identify REvil ransomware gang core member\nNov 2021\nREvil ransomware affiliates arrested in Romania and Kuwait\nNov 2021\nUS seizes $6 million from REvil ransomware, arrest Kaseya hacker\nNov 2021\nFive affiliates to Sodinokibi/REvil unplugged\nNov 2021\nU.S. 
offers $10 million reward for leaders of REvil ransomware\nNov 2021\nFBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs\nJan 2022\nRussia arrests REvil ransomware gang members, seize $6.6 million\nMay 2024\nSodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bdd28842-178b-4258-a37f-5c1c1bb71bb2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bdd28842-178b-4258-a37f-5c1c1bb71bb2"
	],
	"report_names": [
		"showcard.cgi?u=bdd28842-178b-4258-a37f-5c1c1bb71bb2"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "404bb014-d051-447e-90d8-1a4adc3409b0",
			"created_at": "2024-06-19T02:03:08.058292Z",
			"updated_at": "2026-04-10T02:00:03.679333Z",
			"deleted_at": null,
			"main_name": "GOLD GARDEN",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD GARDEN",
			"tools": [
				"GandCrab"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7961bf6e-e429-484c-93e2-bd1d36fa5588",
			"created_at": "2023-01-06T13:46:39.275053Z",
			"updated_at": "2026-04-10T02:00:03.270128Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD SOUTHFIELD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02ef8063-7ad4-42ba-a646-97210000f6b5",
			"created_at": "2024-06-19T02:03:08.117993Z",
			"updated_at": "2026-04-10T02:00:03.614663Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD SOUTHFIELD",
			"tools": [
				"REvil"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70268431-11ed-474f-9fbc-96f894684201",
			"created_at": "2023-01-06T13:46:39.26058Z",
			"updated_at": "2026-04-10T02:00:03.26462Z",
			"deleted_at": null,
			"main_name": "GOLD GARDEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD GARDEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434743,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58376cc050037ca647bf95e4af056873f9f10fa7.pdf",
		"text": "https://archive.orkl.eu/58376cc050037ca647bf95e4af056873f9f10fa7.txt",
		"img": "https://archive.orkl.eu/58376cc050037ca647bf95e4af056873f9f10fa7.jpg"
	}
}