G1020: Mustard Tempest
Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.[1][2][3][4]
Analyst context for executives and security teams
Mustard Tempest matters because ATT&CK describes it as an initial access broker tied to the SocGholish distribution network and downstream malware delivery. For leaders, the key risk is not just one malware family; it is the handoff model where an initial foothold can enable additional remote access tools or ransomware-related activity by other actors.
Executive priority
Prioritize validation of controls around web browsing, phishing links, fake update lures, malware download prevention, and early incident escalation. This object is useful for risk discussions because it connects initial access activity to business-continuity concerns: if early access is missed, responders may face a broader intrusion involving secondary tooling. Evidence of coverage should come from email, web, endpoint, DNS/proxy, and incident-response workflows rather than from a single alert type.
Technical view
ATT&CK attaches detection and mitigation text to techniques, not to group objects, so there is no official detection guidance on Mustard Tempest itself. SOC teams should derive coverage from the related software and techniques: SocGholish, Cobalt Strike, Drive-by Compromise, Spearphishing Link, Malicious Link, Ingress Tool Transfer, System Information Discovery, and the resource-development behaviors (malvertising, SEO poisoning, compromised domains, acquired servers, drive-by targets, and uploaded malware). Validate whether telemetry can connect the chain from a user's web or email interaction to script/loader execution, outbound download activity, suspicious domain or ad-driven referral patterns, and any follow-on remote access tooling.
Likely telemetry
- Email security logs for messages containing links and user click events
- Web proxy, secure web gateway, browser, and DNS logs for drive-by, fake update, malvertising, SEO, and download activity
- Endpoint detection telemetry for script execution, loader behavior, file creation, process ancestry, and system discovery commands
- Network telemetry for outbound connections, file transfer, and command-and-control-like sessions
- Threat intelligence records for domains, servers, and staged malware infrastructure observed in local incidents
Detection direction
- Do not rely on a Mustard Tempest group label alone; map detections to observable behaviors from the ATT&CK relationships.
- Tune for linked sequences: link click or browsing event, JavaScript/loader execution, external payload retrieval, system information discovery, and follow-on tool transfer.
- Review blind spots in unmanaged browsers, personal webmail, ad traffic, encrypted web traffic, DNS visibility, and endpoints without EDR coverage.
- Treat fake software update activity and unusual downloads after ad/search referrals as higher-priority triage context, while accounting for legitimate software update noise.
- Correlate any Cobalt Strike-like or remote access tooling alerts with preceding SocGholish-like web or email access events where telemetry exists.
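The linked-sequence idea above (referral-driven download, browser-written script, script host execution, outbound connection from the script host, discovery and follow-on tooling spawned by it) can be expressed as a small per-host correlator. The block below is an added example for this page; it is not ATT&CK content and not any vendor's detection logic. The event tuple layout, field names, process lists, the 30-minute window and the three-stage threshold are all constructed assumptions that must be mapped onto a real EDR/proxy schema and tuned against local update noise.

```python
"""Chain correlation for SocGholish-style initial access.

Added example for this page; not ATT&CK content and not vendor detection
logic. Event schema, process lists, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_EXT = (".js", ".jse", ".wsf", ".hta", ".vbs")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
DISCOVERY = {"whoami.exe", "systeminfo.exe", "net.exe", "nltest.exe", "hostname.exe"}
FOLLOW_ON = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
WINDOW = timedelta(minutes=30)   # assumed: other stages must fall within 30 min of the script run
MIN_STAGES = 3                   # assumed: script run plus at least two other stages to alert

# Constructed sample telemetry: (UTC timestamp, host, source, fields).
EVENTS = [
    ("2024-03-01T09:00:01Z", "ws01", "proxy",   {"url": "https://news-site.example/", "referrer": ""}),
    ("2024-03-01T09:00:09Z", "ws01", "proxy",   {"url": "https://cdn-update.example/Chrome.Update.zip",
                                                 "referrer": "https://news-site.example/"}),
    ("2024-03-01T09:00:20Z", "ws01", "file",    {"path": r"C:\Users\a\Downloads\AutoUpdater.js",
                                                 "writer": "chrome.exe"}),
    ("2024-03-01T09:01:02Z", "ws01", "process", {"image": "wscript.exe", "parent": "explorer.exe",
                                                 "cmdline": r'wscript.exe "C:\Users\a\Downloads\AutoUpdater.js"'}),
    ("2024-03-01T09:01:05Z", "ws01", "network", {"image": "wscript.exe", "dst": "203.0.113.10:443"}),
    ("2024-03-01T09:01:30Z", "ws01", "process", {"image": "whoami.exe", "parent": "wscript.exe",
                                                 "cmdline": "whoami /all"}),
    ("2024-03-01T09:02:00Z", "ws01", "process", {"image": "powershell.exe", "parent": "wscript.exe",
                                                 "cmdline": "powershell.exe -nop -w hidden -File stage2.ps1"}),
    # ws02: a genuine updater plus routine admin discovery; must not alert.
    ("2024-03-01T10:00:00Z", "ws02", "file",    {"path": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
                                                 "writer": "GoogleUpdate.exe"}),
    ("2024-03-01T10:00:10Z", "ws02", "process", {"image": "systeminfo.exe", "parent": "cmd.exe",
                                                 "cmdline": "systeminfo"}),
]


def stage_of(source, f):
    """Map one event to a chain stage, or None when it is not of interest."""
    if source == "proxy":
        if f.get("referrer") and f["url"].lower().endswith(SCRIPT_EXT + (".zip",)):
            return "referred_download"          # entry via ad/search/compromised-site referral
    elif source == "file":
        if f["writer"].lower() in BROWSERS and f["path"].lower().endswith(SCRIPT_EXT):
            return "browser_wrote_script"       # lure landed on disk
    elif source == "process":
        image, parent = f["image"].lower(), f["parent"].lower()
        if image in SCRIPT_HOSTS and f["cmdline"].strip('"').lower().endswith(SCRIPT_EXT):
            return "script_exec"                # user ran the loader (T1204.001)
        if parent in SCRIPT_HOSTS and image in DISCOVERY:
            return "discovery_from_script"      # T1082 launched by the script host
        if parent in SCRIPT_HOSTS and image in FOLLOW_ON:
            return "follow_on_tool"             # second stage launched (T1105 context)
    elif source == "network":
        if f["image"].lower() in SCRIPT_HOSTS:
            return "script_network"             # loader reaching out for a payload
    return None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Return {host: sorted stages} for hosts where a script execution has at
    least `min_stages` distinct chain stages (itself included) within `window`."""
    by_host = defaultdict(list)
    for ts, host, source, fields in events:
        stage = stage_of(source, fields)
        if stage:
            by_host[host].append((parse_ts(ts), stage))
    hits = {}
    for host, staged in by_host.items():
        for t0, s in staged:
            if s != "script_exec":
                continue
            near = {stage for t, stage in staged if abs(t - t0) <= window}
            if len(near) >= min_stages:
                hits[host] = sorted(near)
    return hits


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, "->", ", ".join(stages))
```

The script-execution event is the pivot because it is the stage with the least legitimate noise; a referral-driven archive download or a browser-written `.js` on its own is common enough that alerting on either alone would drown the queue, which is why the threshold requires the loader run plus two other stages on the same host.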
Mitigation priorities
- Strengthen web and email filtering for malicious links, suspicious redirects, and download lures.
- Maintain endpoint controls that inspect script execution, downloaded files, and suspicious process chains.
- Harden user-facing software and browsers through patching and controlled update paths, especially where fake update lures could be effective.
- Limit the impact of initial access with least privilege, network segmentation, and rapid containment procedures.
- Ensure IR playbooks explicitly investigate downstream access brokering risk when SocGholish-like activity or related initial access behaviors are found.
Analyst notes and limits
The most decision-relevant point is the access-broker role described by ATT&CK: early activity may be a precursor to other malware or remote access tooling. Detection engineering should therefore focus on behavior-chain coverage and escalation criteria, not only static indicators or aliases such as DEV-0206, TA569, GOLD PRELUDE, or UNC1543.
ATT&CK does not provide official detection guidance, tactics, or platforms directly on the Mustard Tempest intrusion-set object. Platform and behavior context here comes from supplied relationships to software and techniques. Local telemetry, exposure, and confirmed activity must be validated in the customer environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583.008 | Malvertising (sub-technique of T1583) | Mustard Tempest has posted false advertisements, including for software packages and browser updates, in order to distribute malware. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1608.001 | Upload Malware (sub-technique of T1608) | Mustard Tempest has hosted payloads on acquired second-stage servers for periods of days, weeks, or months. (Citation: SentinelOne SocGholish Infrastructure November 2022) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique of T1036) | Mustard Tempest has used the filename `AutoUpdater.js` to mimic legitimate update files and has also used the Cyrillic homoglyph characters С (U+0421, UTF-8 `0xd0a1`) and а (U+0430, UTF-8 `0xd0b0`) to produce the filename `Сhrome.Updаte.zip`, which renders like `Chrome.Update.zip`. (Citation: Red Canary SocGholish March 2024; SocGholish-update) |
| Enterprise | T1566.002 | Spearphishing Link (sub-technique of T1566) | Mustard Tempest has sent victims emails containing links to compromised websites. (Citation: SocGholish-update) |
| Enterprise | T1584.001 | Domains (sub-technique of T1584) | Mustard Tempest operates a global network of compromised websites that redirect into a traffic distribution system (TDS) to select victims for a fake browser update page. (Citation: Secureworks Gold Prelude Profile; SocGholish-update; SentinelOne SocGholish Infrastructure November 2022; Red Canary SocGholish March 2024) |
| Enterprise | T1608.006 | SEO Poisoning (sub-technique of T1608) | Mustard Tempest has poisoned search engine results to return fake software updates in order to distribute malware. (Citation: Microsoft Ransomware as a Service; SocGholish-update) |
| Enterprise | T1608.004 | Drive-by Target (sub-technique of T1608) | Mustard Tempest has injected malicious JavaScript into compromised websites to infect victims via drive-by download. (Citation: SocGholish-update; SentinelOne SocGholish Infrastructure November 2022; Red Canary SocGholish March 2024; Secureworks Gold Prelude Profile) |
| Enterprise | T1189 | Drive-by Compromise | Mustard Tempest has used drive-by downloads for initial infection, often using fake browser updates as a lure. (Citation: SocGholish-update; SentinelOne SocGholish Infrastructure November 2022; Red Canary SocGholish March 2024; Secureworks Gold Prelude Profile) |
| Enterprise | T1204.001 | Malicious Link (sub-technique of T1204) | Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails. (Citation: Microsoft Ransomware as a Service; SocGholish-update) |
| Enterprise | T1082 | System Information Discovery | Mustard Tempest has used implants to perform system reconnaissance on targeted systems. (Citation: Microsoft Ransomware as a Service) |
| Enterprise | T1583.004 | Server (sub-technique of T1583) | Mustard Tempest has acquired servers to host second-stage payloads that remain active for days, weeks, or months. (Citation: SentinelOne SocGholish Infrastructure November 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | Mustard Tempest has deployed secondary payloads and third-stage implants to compromised hosts. (Citation: Microsoft Ransomware as a Service) |
Groups, software, and campaigns
S1124: SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[1][2][3][4]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d8e84132cd2a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Ransomware as a Service. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[2] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[3] Secureworks Gold Prelude Profile. Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024.
[4] SocGholish-update. Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
Associated group names
- DEV-0206 (Citation: Microsoft Threat Actor Naming July 2023)
- GOLD PRELUDE (Citation: Secureworks Gold Prelude Profile)
- TA569 (Citation: Secureworks Gold Prelude Profile)
- UNC1543 (Citation: Secureworks Gold Prelude Profile)
ATT&CK external ID: mitre-attack G1020
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.