Goldenhowl

Threat Actor updated a month ago (2024-10-17T13:04:33.306Z)
GoldenHowl is a sophisticated threat actor known for its diverse set of malicious capabilities. Identified as part of a broader campaign alongside GoldenDealer and GoldenRobo, this modular backdoor provides several functions that pose significant threats to compromised systems. Its primary function is to act as a conduit for communication, using HTTPS for both command and control (C&C) and file exfiltration. It also contains a module that generates a detailed listing of files and directories on the compromised system, aiding targeted data theft.

The threat actor's tactics show advanced persistent threat (APT) characteristics, including the ability to maintain persistence through scheduled tasks such as Microsoft\Windows\Multimedia\SystemSoundsService2. GoldenHowl also has lateral movement capabilities: it scans IP ranges to discover other systems, checks for Windows SMB remote code execution vulnerabilities, and assesses whether targets are vulnerable to the EternalBlue malware, which allows it to exploit these vulnerabilities for further infiltration. Additionally, it can forward packets and messages via an SSH tunnel, acting as a proxy and extending its reach within a network.

The campaign involving GoldenHowl used three main components: GoldenDealer for delivering executables to air-gapped systems via USB monitoring, GoldenHowl itself for backdoor access and control, and GoldenRobo for file collection and exfiltration. The Python-scripted malicious modules within GoldenHowl enhance its functionality and threat level. As such, organizations need to deploy robust cybersecurity measures to detect and neutralize this potent threat actor effectively.
Description last updated: 2024-10-17T12:36:34.416Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Turla is a possible alias for Goldenhowl. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures ( | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Associated Threat Actors
Alias Description | Association Type | Votes
The GoldenJackal Threat Actor is associated with Goldenhowl. GoldenJackal is a threat actor known for its advanced persistent threat (APT) activities, targeting air-gapped systems in government and diplomatic entities across Europe, the Middle East, and South Asia. The group utilizes spear-phishing, vulnerability exploitation, and a .NET malware toolset to es | Unspecified | 2
The MoustachedBouncer Threat Actor is associated with Goldenhowl. MoustachedBouncer, a threat actor first detailed in August 2023, is known for its cyberespionage activities primarily targeting foreign diplomats in Belarus. The group has been linked to at least four attacks on foreign embassies in Belarus since 2014, including two European nations, one from South | Unspecified | 2
Source Document References
Information about the Goldenhowl Threat Actor was read from the documents corpus below.