Gadolinium is a sophisticated threat actor group that has operated on a global scale for nearly a decade, with a particular focus on the maritime and health industries. Historically, Gadolinium used custom-crafted malware families that analysts could identify and defend against. However, as security practitioners have adapted their tools and techniques to counter these threats, Gadolinium has shown its adaptability by altering its methods in response. In recent years, it has begun to modify parts of its toolchain to use open-source toolkits, making its activity more difficult to attribute and track.
In April 2020, Microsoft's Identity Security team took significant action against Gadolinium by suspending 18 Azure Active Directory applications identified as part of Gadolinium's PowerShell Empire infrastructure. This proactive measure was beneficial to customers, providing protection without requiring any action on their end. Despite such interventions, Gadolinium continues to evolve its tactics in pursuit of its objectives, demonstrating a persistent threat to cybersecurity worldwide.
The group's modus operandi often involves installing web shells on legitimate websites for command and control or traffic redirection. As with most threat groups, Gadolinium keeps an eye on the tools and techniques of security practitioners, seeking ones it can adopt or modify into novel attack methods. The continual evolution of Gadolinium's tactics underscores the need for ongoing vigilance and innovation among security practitioners to protect against this pernicious threat.
Description last updated: 2024-01-18T05:15:31.618Z