GoldenJackal

Threat Actor updated 13 days ago (2024-11-08T13:25:41.247Z)
GoldenJackal is an advanced persistent threat (APT) group that targets government and diplomatic entities across Europe, the Middle East, and South Asia, including systems that are air-gapped from the internet. Initial access comes through spear-phishing and vulnerability exploitation; the group then deploys a .NET malware toolset to persist on victim machines, spread to other systems, and exfiltrate account credentials, system information, browser history, and user files. Its intrusions are notably intricate, combining custom-made malware with legitimate tools such as Plink and PsExec for post-compromise operations.

The group's most distinctive capability is bridging air gaps: it copies files from isolated machines onto USB drives, which carry them to internet-connected systems for exfiltration. Configuration files and files staged for exfiltration are protected with XOR obfuscation or with Fernet or AES encryption, which complicates static analysis of recovered samples and forensic recovery of stolen data. GoldenJackal's toolset, which includes the JackalControl and JackalSteal malware, has been deployed from compromised WordPress websites, showing the group's willingness to abuse existing third-party infrastructure. Exfiltrated files have also been staged in cloud storage services such as Google Drive.

Researchers at ESET have been tracking GoldenJackal's activity and documenting its tactics, techniques, and procedures (TTPs). The group has shown considerable adaptability and sophistication, developing its own custom malware while leveraging legitimate tools, and it remains a significant threat to governmental organizations that warrants ongoing vigilance and robust security controls.
Description last updated: 2024-11-01T23:02:36.103Z
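The description above notes that GoldenJackal protects configuration files and staged data with XOR, Fernet and AES. The Python below is an added example, not code from this page, from ESET, or from the malware itself, showing how an analyst can triage a blob recovered from a sample: parse a Fernet token structurally and verify its HMAC-SHA256 against a candidate key (without decrypting the AES-CBC payload), recover a single-byte XOR key with a known-plaintext crib, and flag opaque high-entropy data as probable AES output. The key, the JSON configuration, the crib and all blobs are constructed here for the demonstration and are not GoldenJackal artefacts; the only format assumption is Fernet's published token layout.

```python
"""Triage of encrypted or obfuscated blobs recovered from a sample (added example)."""
import base64
import hashlib
import hmac
import math
import struct
from collections import Counter
from typing import Optional

# Fernet token layout (cryptography.io specification): 0x80 | uint64 big-endian
# timestamp | 16-byte IV | AES-128-CBC ciphertext | HMAC-SHA256 over everything
# before it, all urlsafe-base64 encoded. The 32-byte key splits into a signing
# key (first 16 bytes) and an encryption key (last 16 bytes).
_B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_=")
_FERNET_MIN_RAW = 1 + 8 + 16 + 16 + 32  # version, timestamp, IV, one AES block, HMAC


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_fernet_token(token: bytes, key_b64: Optional[bytes] = None) -> Optional[dict]:
    """Parse a Fernet token; verify its HMAC when a candidate key is supplied.

    Returns None if the blob is not a well-formed token. The AES-CBC payload is
    deliberately not decrypted: triage only needs to know what the blob is and
    whether a recovered key is the right one.
    """
    if not token or not set(token) <= _B64_ALPHABET:
        return None
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < _FERNET_MIN_RAW or raw[0] != 0x80:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16 != 0:
        return None
    info = {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),
        "hmac_valid": None,
    }
    if key_b64 is not None:
        key = base64.urlsafe_b64decode(key_b64)
        if len(key) != 32:
            raise ValueError("Fernet key must decode to 32 bytes")
        expected = hmac.new(key[:16], raw[:-32], hashlib.sha256).digest()
        info["hmac_valid"] = hmac.compare_digest(expected, raw[-32:])
    return info


def recover_single_byte_xor(blob: bytes, crib: bytes) -> Optional[tuple[int, bytes]]:
    """Brute-force a single-byte XOR key using a known-plaintext crib."""
    for key in range(256):
        plaintext = bytes(b ^ key for b in blob)
        if crib in plaintext:
            return key, plaintext
    return None


def classify_blob(blob: bytes, crib: bytes = b"https://", key_b64: Optional[bytes] = None) -> str:
    """Order matters: structural checks first, the entropy heuristic last."""
    if parse_fernet_token(blob, key_b64) is not None:
        return "fernet-token"
    if recover_single_byte_xor(blob, crib) is not None:
        return "single-byte-xor"
    if len(blob) >= 64 and shannon_entropy(blob) > 7.0:
        return "high-entropy"
    return "unknown"


# --- constructed sample inputs (demo data, not real GoldenJackal artefacts) ---
SAMPLE_KEY = base64.urlsafe_b64encode(hashlib.sha256(b"constructed demo key").digest())


def _build_fernet_token(key_b64: bytes, ciphertext: bytes, timestamp: int, iv: bytes) -> bytes:
    """Assemble a token per the Fernet layout; ciphertext is supplied as-is."""
    key = base64.urlsafe_b64decode(key_b64)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    return base64.urlsafe_b64encode(body + hmac.new(key[:16], body, hashlib.sha256).digest())


# Placeholder 32-byte "ciphertext"; a real token carries AES-128-CBC output here.
SAMPLE_FERNET = _build_fernet_token(
    SAMPLE_KEY, hashlib.sha256(b"placeholder").digest(), 1_700_000_000, hashlib.sha256(b"iv").digest()[:16]
)
SAMPLE_CONFIG = b'{"c2":"https://example.invalid/upload","sleep":300}'  # hypothetical config
SAMPLE_XOR = bytes(b ^ 0x5A for b in SAMPLE_CONFIG)
SAMPLE_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 pseudo-random bytes

if __name__ == "__main__":
    for name, blob in (("fernet", SAMPLE_FERNET), ("xor", SAMPLE_XOR), ("opaque", SAMPLE_OPAQUE)):
        print(name, classify_blob(blob, key_b64=SAMPLE_KEY))
```

The HMAC check is the useful part in practice: a key pulled from a dropper or a memory dump can be confirmed as the right one before any decryption code is written, and a token whose tag fails to verify was either tampered with or belongs to a different key.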
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Turla (2 votes)
Turla is a possible alias for GoldenJackal. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
APT
Malware
ESET
Associated Threat Actors
Alias: GoldenHowl (association type: unspecified; 2 votes)
GoldenHowl is associated with GoldenJackal. Although listed here as a threat actor, the description identifies it as a modular backdoor with a diverse set of malicious capabilities, identified as part of a broader campaign alongside GoldenDealer and GoldenRobo, whose functionalities pose significant threats to compromised systems. Its primary fu
Source Document References
Information about the GoldenJackal Threat Actor was read from the documents corpus below.