GOLD BARONDALE

GOLD BARONDALE is a financially motivated cybercriminal threat group active since at least 2022. The group establishes initial access to victim networks via opportunistic scanning and exploitation of known vulnerabilities in internet-facing servers. CTU researchers observed multiple incidents where GOLD BARONDALE deployed a custom PowerShell remote access trojan (RAT), HTA Shell and a HTran variant for command and control.

CTU researchers assess with moderate confidence that GOLD BARONDALE is based in China due to the group’s use of tactics, techniques, and procedures (TTPs) that have been developed by China-based researchers and scripts containing Chinese-language comments.