5 malware families

GOLD HARVEST

Also known asgold_harvest

GOLD HARVEST is a loosely organized, English-speaking cybercriminal collective associated with underground forums and encrypted chat channels tied to "The Com" ecosystem. It is also known as Scattered Spider. The group is known for social engineering-driven intrusions, particularly targeting IT help desks for initial access, and frequently abuses remote monitoring and management (RMM) tools and multi-factor authentication (MFA) bypass techniques. GOLD HARVEST is reported to steal bulk data and, in some cases, deploy ransomware. The group is also known to use commodity infostealers including Vidar and Raccoon to obtain browser-saved passwords, cookies, and session tokens. Reporting cited in the content states that GOLD HARVEST previously operated as a ransomware affiliate, deployed ALPHV ransomware in the 2023 MGM Resorts attack, and reportedly used RansomHub in attacks throughout 2024. Third-party reporting also linked the group to attacks on UK retailers in 2025; in the May 2025 Marks and Spencer incident, outside reporting publicly attributed the attack to GOLD HARVEST and stated that DragonForce ransomware was deployed, although official confirmation was not cited.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Consumer Discretionary Distribution & Retail

Where they target

Geographies tied to known operations.

🇬🇧 United Kingdom

MITRE ATT&CK

Tradecraft

8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics10 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

TA0001

Initial Access

1 technique

T1078

Valid Accounts

TA0003

Persistence

1 technique

T1078

Valid Accounts

TA0004

Privilege Escalation

1 technique

T1078

Valid Accounts

TA0005

Stealth

1 technique

T1078

Valid Accounts

TA0006

Credential Access

3 techniques

T1111

Multi-Factor Authentication Interception

T1539

Steal Web Session Cookie

T1555

Credentials from Password Stores

TA0011

Command and Control

1 technique

T1219

Remote Access Tools

TA0040

Impact

1 technique

T1486

Data Encrypted for Impact

ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BlackCatGOLD HARVEST has been known to operate as a ransomware affiliate, deploying ALPHV ransomware in attacks on MGM Resorts in 2023 and reportedly using RansomHub in attacks throughout 2024.1Jun 14, 2026

DragonForceWhen DragonForce emerged in August 2023, it offered a traditional RaaS scheme. On March 19, 2025, the group announced a rebrand as a ‘cartel’ to expand its reach, hoping to emulate the success of LockBit and other mature ransomware-as-a-service (RaaS) groups.1Jun 14, 2026

Raccoon StealerGOLD HARVEST is known to employ commodity infostealers such as Vidar and Raccoon, which collect browser-saved passwords, cookies, and session tokens.1Jun 14, 2026

RansomHubRansomHub is one of the most prolific groups to emerge following the LockBit disruption and ALPHV (also known as BlackCat) demise in 2024.1Jun 14, 2026

VidarGOLD HARVEST is known to employ commodity infostealers such as Vidar and Raccoon, which collect browser-saved passwords, cookies, and session tokens.1Jun 14, 2026

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

sophos otherNews

Jan 1, 2026

GOLD CRYSTAL | Threat Profile Detail | Sophos

English-speaking cybercriminal group noted only as having significant overlaps with GOLD CRYSTAL and affiliation to 'The Com' ecosystem.

sophos threat researchNews

Jan 1, 2026

DragonForce targets rivals in a play for dominance | SOPHOS

Loosely organized cybercriminal collective associated with The Com that conducts intrusions using social engineering, credential theft, RMM abuse, and MFA bypass. It reportedly deployed DragonForce in attacks on UK retailers and previously acted as an affiliate for ALPHV and RansomHub.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping8

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.