S0535: Golden Cup
Golden Cup is Android spyware that has been used to target World Cup fans.[1]
Analyst context for executives and security teams
Golden Cup matters because it represents Android spyware with behaviors that cross from device compromise into privacy, executive safety, and operational risk. The ATT&CK relationships show a mobile collection profile: discovering device, app, file, and network details; capturing audio, video, location, contacts, SMS, and local data; archiving collected data; and communicating over web protocols. For leaders, the decision point is whether mobile security, privacy controls, and incident response processes can see and contain sensitive data collection from Android devices, especially where employee-owned or event-related apps are allowed.
Executive priority
Prioritize this as a mobile spyware readiness issue rather than a single malware family problem. Organizations should ask whether Android devices used by executives, travelers, high-risk staff, or personnel handling regulated data are governed by enforceable app, permission, network, and incident response controls. The business risk is not only malware installation; it is loss of sensitive conversations, location patterns, contacts, SMS content, files, and device context that could affect privacy, investigations, compliance evidence, and continuity during travel or public events.
Technical view
SOC, detection engineering, and IR teams should validate coverage around the ATT&CK-linked Android behaviors: runtime code download, installed application enumeration, file and directory discovery, network and system information discovery, microphone/camera/location access, contact and SMS access, local data collection, archiving, and HTTP/HTTPS-style command-and-control traffic. Because MITRE provides no official detection text for Golden Cup, teams should base validation on mobile device telemetry, application permission review, mobile threat defense events, network egress, and forensic artifacts rather than assuming signature-based coverage.
Likely telemetry
- Android application inventory and installation source records
- Application manifest and runtime permission grants, especially microphone, camera, location, contacts, SMS, storage, and background location where applicable
- Mobile device management or enterprise mobility management compliance and device posture data
- Mobile threat defense alerts for suspicious app behavior, dynamic code loading, spyware-like collection, or risky network activity
- Device network telemetry showing HTTP/HTTPS connections from mobile applications to remote services
Detection direction
- Do not rely on the malware name alone; map detections to the related behaviors such as Download New Code at Runtime, discovery, capture, collection, archive, and web-protocol communication.
- Validate whether mobile telemetry can distinguish normal app permission use from abnormal combinations, such as a non-business app requesting or using location, microphone, camera, contacts, SMS, and storage access.
- Review visibility gaps for personal/BYOD Android devices, travel devices, and unmanaged event-related app installs, since those are often outside standard endpoint monitoring.
- Tune network analytics carefully because web protocols such as HTTP and HTTPS are common; useful context comes from app identity, destination reputation, unusual timing, device role, and co-occurring collection behaviors.
- Correlate discovery activity with collection indicators. Application, file, network, and system discovery can be preparatory behavior that helps explain later access to local data, contacts, SMS, audio, video, or location.
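One way to put the permission-combination check above into practice, as an added example that is not code from the ATT&CK page, from Glexia, or from Symantec's report: it scores a constructed Android app inventory against the collection techniques this page lists for Golden Cup. The inventory record shape, the app-category labels, and the trusted-installer list are assumptions standing in for whatever an MDM or mobile threat defense export provides.

```python
# Triage an Android app-permission inventory against the Golden Cup collection profile.
from dataclasses import dataclass
# Mobile ATT&CK techniques from this page, keyed by the Android permission an inventory
# would show for that behaviour (real permission names; the mapping is this example's own).
PROFILE = {
    "android.permission.RECORD_AUDIO": "T1429 Audio Capture",
    "android.permission.CAMERA": "T1512 Video Capture",
    "android.permission.ACCESS_FINE_LOCATION": "T1430 Location Tracking",
    "android.permission.READ_CONTACTS": "T1636.003 Contact List",
    "android.permission.READ_SMS": "T1636.004 SMS Messages",
    "android.permission.READ_EXTERNAL_STORAGE": "T1533 Data from Local System",
}
TRUSTED_INSTALLERS = {"com.android.vending"}             # Play Store; assumed allow-list
BUSINESS_CATEGORIES = {"communication", "productivity"}  # assumed app-vetting labels

@dataclass
class AppRecord:            # one inventory row (assumed shape, not a vendor schema)
    package: str
    category: str
    installer: str
    granted: set

def assess(app: AppRecord, threshold: int = 4) -> dict:
    """Return the technique hits and whether the combination warrants review."""
    hits = sorted(PROFILE[p] for p in app.granted if p in PROFILE)
    score = len(hits) + (0 if app.installer in TRUSTED_INSTALLERS else 1)
    # A vetted business app may legitimately hold several of these permissions;
    # an unvetted consumer or event app holding most of them mirrors the spyware profile.
    flagged = score >= threshold and app.category not in BUSINESS_CATEGORIES
    return {"package": app.package, "techniques": hits, "score": score, "flagged": flagged}

def triage(inventory) -> list:
    """Packages needing review, highest score first."""
    results = [assess(a) for a in inventory]
    return sorted((r for r in results if r["flagged"]), key=lambda r: -r["score"])

# Constructed sample inventory (fictitious packages, not indicators from the page).
SAMPLE = [
    AppRecord("com.example.chat", "communication", "com.android.vending",
              {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
               "android.permission.READ_CONTACTS", "android.permission.READ_SMS"}),
    AppRecord("com.example.cupfan", "sports", "sideload",
              set(PROFILE)),          # every profiled permission, sideloaded
    AppRecord("com.example.torch", "tools", "com.android.vending",
              {"android.permission.CAMERA"}),
]
if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["package"], r["score"], ", ".join(r["techniques"]))
```

The installer and category checks carry most of the signal; in production they would come from the MDM enrollment record and the app-vetting process rather than from static sets.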
Mitigation priorities
- Start with mobile governance: define which Android devices may access sensitive business data and require managed enrollment or equivalent controls for high-risk users.
- Restrict installation from untrusted sources and review the business need for event-themed, consumer, or travel-related applications on devices used for corporate access.
- Use least-privilege app permission practices, with special scrutiny of microphone, camera, location, contacts, SMS, and storage permissions.
- Maintain Android patching, device posture checks, and compliance enforcement for devices accessing enterprise services.
- Deploy or validate mobile threat detection and response capabilities where business risk justifies it, especially for executives, travelers, and regulated-data users.
Analyst notes and limits
The supplied ATT&CK object identifies Golden Cup as Android spyware used to target World Cup fans and links it to multiple mobile techniques associated with discovery, collection, capture, archiving, runtime code loading, and web-protocol communications. The strongest defensive value is to use this object as a test case for mobile spyware coverage across managed detection, incident response, mobile security governance, and privacy/compliance readiness.
MITRE supplies no official detection guidance, no aliases, no tactics, and only Android as the malware platform. This take does not assert current activity, attribution, customer exposure, specific infrastructure, or guaranteed detection. Local device ownership model, mobile telemetry, app inventory, permission data, and network evidence are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1426 | System Information Discovery | Golden Cup can collect various pieces of device information, such as serial number and product information.[1] |
| Mobile | T1407 | Download New Code at Runtime | Golden Cup has been distributed in two stages.[1] |
| Mobile | T1429 | Audio Capture | Golden Cup can record audio from the microphone and phone calls.[1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Golden Cup has communicated with the C2 using MQTT and HTTP.[1] |
| Mobile | T1512 | Video Capture | Golden Cup can take pictures with the camera.[1] |
| Mobile | T1422 | System Network Configuration Discovery | Golden Cup can collect the device’s phone number and IMSI.[1] |
| Mobile | T1533 | Data from Local System | Golden Cup can collect images, videos, and attacker-specified files.[1] |
| Mobile | T1430 | Location Tracking | Golden Cup can track the device’s location.[1] |
| Mobile | T1636.003 | Protected User Data: Contact List | Golden Cup can collect the device’s contact list.[1] |
| Mobile | T1420 | File and Directory Discovery | Golden Cup can collect a directory listing of external storage.[1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | Golden Cup can collect sent and received SMS messages.[1] |
| Mobile | T1532 | Archive Collected Data | Golden Cup has encrypted exfiltrated data using AES in ECB mode.[1] |
| Mobile | T1418 | Software Discovery | Golden Cup can obtain a list of installed applications.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7e1a7b757a32… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Symantec. Retrieved October 29, 2020.
[2] mitre-attack S0535
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.