
G0127 TA551

TA551 is a financially-motivated threat group that has been active since at least 2018.[3] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.[2]

ID: G0127
Associated Names: GOLD CABIN, Shathak
Version: 1.2
Created: 19 March 2021
Last Modified: 16 April 2025

Associated Group Descriptions

Name         References
GOLD CABIN   [3]
Shathak      [1][2]

Techniques Used

Domain: Enterprise (all techniques listed below belong to the Enterprise matrix). Sub-techniques are indented under their parent technique.

T1071 Application Layer Protocol
  T1071.001 Web Protocols: TA551 has used HTTP for C2 communications. [1]
T1059 Command and Scripting Interpreter
  T1059.003 Windows Command Shell: TA551 has used cmd.exe to execute commands. [2]
T1132 Data Encoding
  T1132.001 Standard Encoding: TA551 has used encoded ASCII text for initial C2 communications. [1]
T1568 Dynamic Resolution
  T1568.002 Domain Generation Algorithms: TA551 has used a DGA to generate URLs from executed macros. [2][3]
T1589 Gather Victim Identity Information
  T1589.002 Email Addresses: TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals. [2]
T1105 Ingress Tool Transfer: TA551 has retrieved DLLs and installer binaries for malware execution from C2. [2]
T1036 Masquerading: TA551 has masked malware DLLs as .dat and .jpg files. [2]
T1027 Obfuscated Files or Information
  T1027.003 Steganography: TA551 has hidden encoded data for malware DLLs in a PNG. [2]
  T1027.010 Command Obfuscation: TA551 has used obfuscated variable names in a JavaScript configuration file. [1]
T1566 Phishing
  T1566.001 Spearphishing Attachment: TA551 has sent spearphishing attachments with password-protected ZIP files. [1][2][3]
T1218 System Binary Proxy Execution
  T1218.005 Mshta: TA551 has used mshta.exe to execute malicious payloads. [2]
  T1218.010 Regsvr32: TA551 has used regsvr32.exe to load malicious DLLs. [1]
  T1218.011 Rundll32: TA551 has used rundll32.exe to load malicious DLLs. [2]
T1204 User Execution
  T1204.002 Malicious File: TA551 has prompted users to enable macros within spearphishing attachments to install malware. [2]

Software

Each entry gives the software ID, name, references, and the techniques attributed to it (listed as "Parent Technique: Sub-technique" where a sub-technique applies).

S0483 IcedID [1][2][3][6]
  Techniques: Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Browser Session Hijacking; Command and Scripting Interpreter: Visual Basic; Domain Trust Discovery; Drive-by Compromise; Encrypted Channel: Asymmetric Cryptography; Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Ingress Tool Transfer; Masquerading: Match Legitimate Resource Name or Location; Native API; Network Share Discovery; Obfuscated Files or Information: Embedded Payloads; Obfuscated Files or Information: Encrypted/Encoded File; Obfuscated Files or Information: Steganography; Obfuscated Files or Information: Software Packing; Permission Groups Discovery; Phishing: Spearphishing Attachment; Process Injection: Process Hollowing; Process Injection: Asynchronous Procedure Call; Scheduled Task/Job: Scheduled Task; Software Discovery: Security Software Discovery; System Binary Proxy Execution: Msiexec; System Binary Proxy Execution: Rundll32; System Information Discovery; System Location Discovery: System Language Discovery; System Network Configuration Discovery; User Execution: Malicious File; Virtualization/Sandbox Evasion; Windows Management Instrumentation

S0650 QakBot [5]
  Techniques: Application Layer Protocol: Web Protocols; Application Window Discovery; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Browser Session Hijacking; Brute Force; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: Visual Basic; Create or Modify System Process: Windows Service; Credentials from Password Stores: Credentials from Web Browsers; Data Encoding: Standard Encoding; Data from Local System; Data Staged: Local Data Staging; Deobfuscate/Decode Files or Information; Domain Trust Discovery; Dynamic Resolution: Domain Generation Algorithms; Email Collection: Local Email Collection; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; Exploitation of Remote Services; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hijack Execution Flow: DLL; Impair Defenses: Disable or Modify Tools; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading: Masquerade File Type; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Fileless Storage; Obfuscated Files or Information: HTML Smuggling; Obfuscated Files or Information: Command Obfuscation; Obfuscated Files or Information; Obfuscated Files or Information: Indicator Removal from Tools; Obfuscated Files or Information: Software Packing; Peripheral Device Discovery; Permission Groups Discovery: Local Groups; Phishing: Spearphishing Link; Phishing: Spearphishing Attachment; Process Discovery; Process Injection: Process Hollowing; Process Injection; Protocol Tunneling; Proxy: External Proxy; Remote System Discovery; Replication Through Removable Media; Scheduled Task/Job: Scheduled Task; Software Discovery: Security Software Discovery; Software Discovery; Steal Web Session Cookie; Subvert Trust Controls: Code Signing; Subvert Trust Controls: Mark-of-the-Web Bypass; System Binary Proxy Execution: Regsvr32; System Binary Proxy Execution: Msiexec; System Binary Proxy Execution: Rundll32; System Information Discovery; System Network Configuration Discovery: Internet Connection Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; User Execution: Malicious Link; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Virtualization/Sandbox Evasion: Time Based Checks; Windows Management Instrumentation

S0633 Sliver [4]
  Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Access Token Manipulation; Application Layer Protocol: DNS; Application Layer Protocol: Web Protocols; Application Layer Protocol; Command and Scripting Interpreter: PowerShell; Data Encoding: Standard Encoding; Data Obfuscation: Steganography; Encrypted Channel: Asymmetric Cryptography; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Ingress Tool Transfer; Obfuscated Files or Information; Obfuscated Files or Information: Compile After Delivery; Obfuscated Files or Information: Encrypted/Encoded File; OS Credential Dumping: LSASS Memory; Process Injection; Proxy: Internal Proxy; Screen Capture; Steal or Forge Kerberos Tickets: Golden Ticket; System Network Configuration Discovery; System Network Connections Discovery

S0386 Ursnif [1][2][3][6]
  Techniques: Application Layer Protocol: Web Protocols; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Browser Session Hijacking; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Visual Basic; Create or Modify System Process: Windows Service; Data Encoding; Data from Local System; Data Staged: Local Data Staging; Deobfuscate/Decode Files or Information; Dynamic Resolution: Domain Generation Algorithms; Exfiltration Over C2 Channel; Hide Artifacts: Hidden Window; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Credential API Hooking; Inter-Process Communication: Component Object Model; Masquerading: Match Legitimate Resource Name or Location; Modify Registry; Native API; Obfuscated Files or Information: Encrypted/Encoded File; Obfuscated Files or Information: Command Obfuscation; Process Discovery; Process Injection: Thread Local Storage; Process Injection: Process Hollowing; Proxy: Multi-hop Proxy; Proxy; Query Registry; Replication Through Removable Media; Screen Capture; System Information Discovery; System Service Discovery; Taint Shared Content; Virtualization/Sandbox Evasion: Time Based Checks; Windows Management Instrumentation

S0476 Valak [1][2][3][6]
  Techniques: Account Discovery: Domain Account; Account Discovery: Local Account; Application Layer Protocol: Web Protocols; Automated Collection; Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: PowerShell; Credentials from Password Stores: Windows Credential Manager; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Email Collection: Remote Email Collection; Exfiltration Over C2 Channel; Fallback Channels; Hide Artifacts: NTFS File Attributes; Ingress Tool Transfer; Inter-Process Communication: Dynamic Data Exchange; Modify Registry; Multi-Stage Channels; Obfuscated Files or Information; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information: Fileless Storage; Phishing: Spearphishing Attachment; Phishing: Spearphishing Link; Process Discovery; Query Registry; Scheduled Task/Job: Scheduled Task; Screen Capture; Software Discovery: Security Software Discovery; System Binary Proxy Execution: Regsvr32; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Unsecured Credentials: Credentials in Registry; User Execution: Malicious File; Windows Management Instrumentation

References