GoldenJackal

Threat Actor, updated 2024-10-08T12:00:59.543Z
GoldenJackal is a threat actor group known for sophisticated cyber-espionage activity. The group uses spear-phishing, vulnerability exploitation, and a .NET malware toolset to establish persistence on victims' machines, spread across systems, and exfiltrate sensitive information such as account credentials, system information, browser history, and user files. The toolset can copy files from air-gapped systems and move them to connected systems via USB drives for exfiltration. Configuration files and files staged for exfiltration are protected with simple XOR encoding, Fernet (the authenticated AES-128-CBC plus HMAC-SHA256 token scheme from the Python cryptography library), and AES. GoldenJackal has also been observed running PowerShell scripts that download the JackalControl malware from compromised WordPress websites.

The group has been linked to a series of attacks on air-gapped systems at governmental organizations. Kaspersky has noted similarities between GoldenJackal's malware and Kazuar, a Trojan used by the Russian state cyber-espionage group Turla (also known as Uroburos, Snake, and Venomous Bear), but stops short of definitively connecting GoldenJackal with any known threat actor.

For post-compromise operations the group uses legitimate tools such as Plink and PsExec, and it uses Google Drive to store both exfiltrated files and legitimate tools. GoldenJackal develops its own custom malware and has used compromised WordPress sites as Command & Control (C&C) infrastructure for the JackalControl and JackalSteal malware. It has likely acquired servers for its operations: a server procured as the primary C&C server for the GoldenDealer malware, and a Virtual Private Server (VPS) serving as a secondary C&C server for the same malware. The secondary C&C server was reportedly in use by GoldenJackal as early as August 9, 2019.
The group's activities pose a significant threat to government organizations and other high-value targets, including those operating air-gapped networks. Countering the tactics described above calls for robust defences, in particular controls on removable media and monitoring of outbound traffic to cloud storage services and web hosts used as C&C.
Description last updated: 2024-10-08T11:32:25.270Z
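The description names Fernet as one of the schemes used to protect configuration files and staged exfiltration data. The script below is an added example written for this page; it is not code from GoldenJackal's toolset or from any vendor report, and it makes no claim about the group's file layout beyond the use of Fernet. It relies only on the public Fernet token format, which lets an analyst carve Fernet tokens out of recovered files and test which candidate key (for example one pulled from a memory dump) authenticates them, without touching the AES half of the scheme. The key, token, and configuration fragment it operates on are constructed for the demonstration.

```python
"""Carve Fernet tokens from recovered data and check candidate keys against them.

Added example for this profile, not GoldenJackal tooling. Fernet layout (public spec):

    token = base64url( 0x80 || timestamp(8, big-endian) || IV(16) || AES-128-CBC ct || HMAC-SHA256(32) )
    key   = base64url( signing_key(16) || encryption_key(16) )

The version byte 0x80 followed by the zero high bytes of any current timestamp means
every token begins with the text "gAAAAA", a convenient carving signature. The HMAC is
computed with the key's first 16 bytes over everything before the tag, so a candidate
key can be confirmed or rejected with the standard library alone.
"""
import base64
import binascii
import datetime
import hashlib
import hmac
import re
import struct
from typing import Dict, List, Optional

FERNET_VERSION = 0x80
MIN_TOKEN_BYTES = 1 + 8 + 16 + 16 + 32          # header, timestamp, IV, one AES block, HMAC
TOKEN_RE = re.compile(rb"gAAAAA[A-Za-z0-9_-]{60,}={0,2}")


def _b64url_decode(data: bytes) -> bytes:
    """Decode base64url, tolerating tokens whose '=' padding was stripped."""
    data = data.strip()
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def parse_fernet_token(token: bytes) -> Optional[Dict]:
    """Split a token into its fields; return None if it is not structurally a Fernet token."""
    try:
        raw = _b64url_decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_TOKEN_BYTES or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:                    # CBC output is always whole blocks
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {
        "timestamp": ts,
        "created": datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).isoformat(),
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "hmac": raw[-32:],
        "signed_part": raw[:-32],
    }


def key_authenticates(key_b64: bytes, parsed: Dict) -> bool:
    """True if the signing half of key_b64 reproduces the token's HMAC (constant-time compare)."""
    try:
        key = _b64url_decode(key_b64)
    except (binascii.Error, ValueError):
        return False
    if len(key) != 32:
        return False
    expected = hmac.new(key[:16], parsed["signed_part"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parsed["hmac"])


def carve_tokens(blob: bytes) -> List[bytes]:
    """Return every byte string shaped like a Fernet token inside an arbitrary blob."""
    return [m.group(0) for m in TOKEN_RE.finditer(blob)]


def find_authenticating_key(token: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose HMAC matches the token, or None."""
    parsed = parse_fernet_token(token)
    if parsed is None:
        return None
    for cand in candidates:
        if key_authenticates(cand, parsed):
            return cand
    return None


# --- constructed sample data (not from any real incident) -------------------------
# The "ciphertext" is filler, not real AES output; only structure and HMAC are exercised.
def build_sample_token(key_b64: bytes, timestamp: int, ciphertext: bytes) -> bytes:
    key = _b64url_decode(key_b64)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + b"\x11" * 16 + ciphertext
    tag = hmac.new(key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


SAMPLE_KEY = base64.urlsafe_b64encode(b"\x01" * 16 + b"\x02" * 16)    # constructed key
WRONG_KEY = base64.urlsafe_b64encode(b"\x03" * 16 + b"\x02" * 16)     # constructed decoy
SAMPLE_TOKEN = build_sample_token(SAMPLE_KEY, 1565308800, b"\xaa" * 32)
SAMPLE_BLOB = b"[settings]\nupload=" + SAMPLE_TOKEN + b"\nmode=usb\n"   # constructed config fragment

if __name__ == "__main__":
    for tok in carve_tokens(SAMPLE_BLOB):
        info = parse_fernet_token(tok)
        print("token created", info["created"], "ciphertext bytes", len(info["ciphertext"]))
        print("authenticating key:", find_authenticating_key(tok, [WRONG_KEY, SAMPLE_KEY]))
```

Checking the HMAC first is cheap and avoids attempting AES decryption with every wrong key; once find_authenticating_key returns a key, `cryptography.fernet.Fernet(key).decrypt(token)` recovers the plaintext. The embedded timestamp is written by the encrypting host's clock, so treat it as a timeline hint rather than ground truth.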
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Turla (votes: 2). Turla is a possible alias for GoldenJackal. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: APT, Malware