Secureworks

September 21, 2023

'Gold Melody' Group Sells Access to Compromised Networks to Ransomware Attackers

GOLD MELODY uses a variety of tools and techniques, including web shells, RATs, and tunneling tools, to maintain access and operate within compromised environments before selling that access on.

Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware

Whiffy Recon first checks for the WLAN AutoConfig service (WLANSVC) on the infected system and exits if the service is absent, since without it there is no managed Wi-Fi adapter to scan. Persistence is achieved through a shortcut added to the Windows Startup folder.

Detecting the Use of Stolen AWS Lambda Credentials

Once a baseline of how a Lambda function's execution-role credentials are normally used has been established, the use of stolen credentials can be detected when a logged event deviates from that baseline. A similar approach could be applied to detect AWS credentials stolen from other services.
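The baseline-and-deviation approach described above, as an added example (this is not Secureworks' detection logic or code from the original article). The CloudTrail records below are constructed for illustration: the field names follow CloudTrail, but the account ID, role name, access key IDs, IP addresses and user agents are all made up. A Lambda execution role's credentials are STS session credentials, so the role ARN under userIdentity.sessionContext.sessionIssuer is used as the baseline key.

```python
from collections import defaultdict

# Constructed values for the example (not real identifiers or addresses).
LAMBDA_ROLE = "arn:aws:iam::123456789012:role/order-processor-role"
LAMBDA_UA = ("aws-sdk-python/1.26.0 Python/3.9.16 Linux/5.10 "
             "exec-env/AWS_Lambda_python3.9 Botocore/1.29.0")


def make_event(source, name, ip, agent, key="ASIAEXAMPLEKEY000001", role=LAMBDA_ROLE):
    """Build a trimmed CloudTrail-style record for an AssumedRole session."""
    return {
        "eventSource": source, "eventName": name,
        "sourceIPAddress": ip, "userAgent": agent,
        "userIdentity": {
            "type": "AssumedRole", "accessKeyId": key,
            "sessionContext": {"sessionIssuer": {"arn": role}},
        },
    }


# Known-good window (constructed): the function reads S3 and writes DynamoDB
# using the Lambda runtime's SDK from AWS-side addresses.
BASELINE_EVENTS = [
    make_event("s3.amazonaws.com", "GetObject", "3.5.140.10", LAMBDA_UA),
    make_event("dynamodb.amazonaws.com", "PutItem", "3.5.140.10", LAMBDA_UA),
    make_event("s3.amazonaws.com", "GetObject", "3.5.140.11", LAMBDA_UA,
               key="ASIAEXAMPLEKEY000002"),
]

# Later window (constructed): one ordinary call, then the same session key
# used from the AWS CLI on an external address to ask "who am I?", and an
# unrelated IAM user event that the role-keyed baseline ignores.
NEW_EVENTS = [
    make_event("dynamodb.amazonaws.com", "PutItem", "3.5.140.11", LAMBDA_UA,
               key="ASIAEXAMPLEKEY000003"),
    make_event("sts.amazonaws.com", "GetCallerIdentity", "198.51.100.23",
               "aws-cli/2.13.0 Python/3.11.4 Linux/6.1 source/x86_64",
               key="ASIAEXAMPLEKEY000003"),
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.23", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE"}},
]


def role_of(event):
    """Return the execution role ARN behind an STS session, or None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def build_baseline(events):
    """Per role: the API calls, user agents and source IPs seen in a known-good window."""
    baseline = defaultdict(lambda: {"calls": set(), "agents": set(), "ips": set()})
    for ev in events:
        role = role_of(ev)
        if role is None:
            continue
        entry = baseline[role]
        entry["calls"].add((ev["eventSource"], ev["eventName"]))
        entry["agents"].add(ev["userAgent"])
        entry["ips"].add(ev["sourceIPAddress"])
    return dict(baseline)


def detect_deviations(baseline, events):
    """Flag events whose role is baselined but whose call, agent or IP is new."""
    findings = []
    for ev in events:
        role = role_of(ev)
        if role is None or role not in baseline:
            continue
        entry = baseline[role]
        reasons = []
        if (ev["eventSource"], ev["eventName"]) not in entry["calls"]:
            reasons.append("api call never made by this role in baseline")
        if ev["userAgent"] not in entry["agents"]:
            reasons.append("user agent differs from the Lambda runtime SDK")
        if ev["sourceIPAddress"] not in entry["ips"]:
            reasons.append("source ip not seen for this role in baseline")
        if reasons:
            findings.append({
                "role": role,
                "accessKeyId": ev["userIdentity"]["accessKeyId"],
                "eventName": ev["eventName"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f)
```

Of the three signals, the unexpected API call is the most durable: an execution role normally calls a small, fixed set of APIs, and a thief testing a key with GetCallerIdentity or enumerating resources stands out even if the user agent is forged. Exact source-IP matching is only for illustration; in production compare against the function's VPC egress addresses or AWS-published ranges, since Lambda's own egress addresses change. Reporting the access key ID lets the responder pull every other call made with that session and confirm which were legitimate.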

September 16, 2022

Opsec Mistakes Reveal COBALT MIRAGE Threat Actors

Despite Secureworks CTU researchers publicly disclosing COBALT MIRAGE tactics, techniques, and procedures (TTPs) in May 2022, the threat actors continue to demonstrate many of the same behaviors.

Azure Active Directory Pass-Through Authentication Flaws

Secureworks CTU researchers shared their findings with Microsoft on May 10, 2022. Microsoft responded on July 2 that PTA is working as intended and gave no indication of plans to address the reported flaws.

Unsecured Elasticsearch Databases Replaced With Ransom Note

CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases.

QR Codes Abused for Qshing Attacks

Attacks that exploit QR codes are known as ‘Qshing’ (QR code phishing). In January 2022, the U.S. Federal Bureau of Investigation (FBI) warned QR code users about tampering and cited increased reports of stolen credentials and monetary loss.

Azure Active Directory Exposes Internal Information

Threat actors frequently use OSINT for reconnaissance. Secureworks CTU researchers identified several APIs that expose internal information about any organization that uses Azure AD.

Excel Add-ins Deliver JSSLoader Malware

First observed in 2019, JSSLoader is used by the GOLD NIAGARA cybercrime group. An Excel add-in extends Excel functionality, typically uses the '.xll' file extension, and is in effect a DLL: once loaded, it runs native code inside the Excel process.
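Because an .xll is a DLL, an attachment filter can treat it as native code rather than as a document. The triage check below is an added example, not code from the original page or from Secureworks: it reads the MZ/PE headers, tests the IMAGE_FILE_DLL characteristic, and looks for the xlAutoOpen / xlAutoClose entry points that Excel calls when an add-in is loaded. The PE fixture built by fake_pe is a constructed header-only blob for testing and is not a loadable image; the verdict policy is an assumption for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL
# Exported entry points Excel looks up when it loads an .xll add-in.
EXCEL_ENTRYPOINTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")


def triage_xll(data: bytes) -> dict:
    """Classify attachment bytes: PE or not, DLL or not, Excel entry points present."""
    result = {"is_pe": False, "is_dll": False, "excel_entrypoints": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return result
    result["is_pe"] = True
    # The 20-byte COFF header follows the signature; Characteristics is at offset 18.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    # Heuristic: export names are plain ASCII in the export directory, so a
    # substring scan finds them without walking the section table.
    result["excel_entrypoints"] = [n.decode() for n in EXCEL_ENTRYPOINTS if n in data]
    return result


def verdict(filename: str, data: bytes) -> str:
    """Gateway decision (assumed policy) for a file presented as an Excel add-in."""
    t = triage_xll(data)
    if t["is_pe"] and t["excel_entrypoints"]:
        return "block: native code with Excel add-in entry points"
    if t["is_pe"]:
        return "block: executable content"
    if filename.lower().endswith(".xll"):
        return "quarantine: .xll extension without PE header"
    return "allow"


def fake_pe(characteristics: int, tail: bytes = b"") -> bytes:
    """Constructed minimal MZ/PE header for testing (not a loadable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return dos + b"PE\x00\x00" + coff + tail


# Constructed samples: an add-in-shaped DLL, a plain executable, and a CSV.
SAMPLE_XLL = fake_pe(IMAGE_FILE_DLL | 0x0022, b"\x00xlAutoOpen\x00xlAutoClose\x00")
SAMPLE_EXE = fake_pe(0x0022)
SAMPLE_CSV = b"id,amount\n1,10\n"

if __name__ == "__main__":
    for name, blob in (("addin.xll", SAMPLE_XLL), ("tool.xll", SAMPLE_EXE), ("data.csv", SAMPLE_CSV)):
        print(name, triage_xll(blob), "->", verdict(name, blob))
```

The extension is irrelevant to the decision: the check keys on the PE header, so a DLL renamed to another extension still blocks, and a non-PE file named .xll is held for inspection rather than trusted. A packed or obfuscated add-in can hide the export names, which is why the PE-header test alone is enough to block.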

Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions

The threat actors attempted to misdirect attribution using inauthentic metadata and used publicly available crimeware services and code to minimize the amount of custom code involved in the attack.
