Skip to content


GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.123

Item Value
ID G0115
Associated Names
Version 1.1
Created 22 September 2020
Last Modified 26 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.4
enterprise T1190 Exploit Public-Facing Application GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise.1
enterprise T1133 External Remote Services GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.1
enterprise T1027 Obfuscated Files or Information GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.4
enterprise T1566 Phishing GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim’s machines.1
enterprise T1219 Remote Access Software GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool “ConnectWise Control” to deploy REvil.4
enterprise T1113 Screen Capture GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim’s machines.4
enterprise T1195 Supply Chain Compromise -
enterprise T1195.002 Compromise Software Supply Chain GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.123
enterprise T1199 Trusted Relationship GOLD SOUTHFIELD has breached Managed Service Providers (MSP’s) to deliver malware to MSP customers.1


ID Name References Techniques
S0591 ConnectWise 54 PowerShell:Command and Scripting Interpreter Screen Capture Video Capture
S0496 REvil - Create Process with Token:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Web Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Data Destruction Data Encrypted for Impact Deobfuscate/Decode Files or Information Drive-by Compromise Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify Tools:Impair Defenses Safe Mode Boot:Impair Defenses File Deletion:Indicator Removal on Host Ingress Tool Transfer Inhibit System Recovery Match Legitimate Name or Location:Masquerading Modify Registry Native API Obfuscated Files or Information Domain Groups:Permission Groups Discovery Spearphishing Attachment:Phishing Process Injection Query Registry Service Stop System Information Discovery System Language Discovery:System Location Discovery System Service Discovery Malicious File:User Execution Windows Management Instrumentation


Back to top