Financial and Motivated Group Gold Melody Identified as Broker of Initial Access
Gold Melody, a financial and motivated group, has recently been identified as a broker of initial access (IAB). They sell access to compromised organizations to third-party cybercriminals for subsequent attacks, according to a report by SecureWorks(source).
The group is also known by the names Prophet Spider (Crowdstrike) and “Unc961”. Gold Melody hackers have been active since 2017 and specialize in hacking organizations through vulnerabilities in publicly exposed servers. Their attacks primarily target financial gain and are not linked to state actions.
Prior to this report, Gold Melody was associated with attacks on servers such as JBOSS MESSAGING, CITRIX ADC, Oracle Weblogic, Apache Log4j, and Gitlab(source).
In mid-2020, the group expanded their actions and began targeting organizations in the retail, healthcare, energy, financial transactions, and high-tech sectors. Their geographical focus now includes North America, Northern Europe, and Western Asia.
Mandiant analysts have noted that UNC961’s actions often precede the deployment of programs like MAZE and Egregor. Gold Melody possesses a varied range of tools and frequently utilizes their own tools for remote access, such as Gotroj and Barnwork.
Between July 2020 and July 2022, SecureWorks has linked Gold