GOLD SOUTHFIELD G0115 unknown
aka GOLD SOUTHFIELD, Pinchy Spider
Last updated: 2026-07-03
About this actor
[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting victims to pay to keep their data from being publicly leaked. (Citation: Secureworks REvil September 2019) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks GOLD SOUTHFIELD) (Citation: CrowdStrike Evolution of Pinchy Spider July 2021)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| CM-6 | 10 / 12 | 83% |
| SI-4 | 9 / 12 | 75% |
| AC-3 | 8 / 12 | 67% |
| CM-7 | 8 / 12 | 67% |
| SI-3 | 8 / 12 | 67% |
| CM-2 | 7 / 12 | 58% |
| RA-5 | 7 / 12 | 58% |
| SI-2 | 7 / 12 | 58% |
| SI-7 | 7 / 12 | 58% |
| AC-6 | 6 / 12 | 50% |
| CA-7 | 6 / 12 | 50% |
| AC-4 | 5 / 12 | 42% |
| CM-8 | 5 / 12 | 42% |
| SC-7 | 5 / 12 | 42% |
| SI-10 | 5 / 12 | 42% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- SolarWinds Compromise: 1 shared CVE
- APT38: 1 shared CVE
- Tonto Team: 1 shared CVE
- Ember Bear: 1 shared CVE
- Aquatic Panda: 1 shared CVE
- APT28: 1 shared CVE
- Sandworm Team: 1 shared CVE
- Ajax Security Team: 1 shared CVE
- FIN7: 1 shared CVE
Similar actors
Similar TTPs
- Gallmaker 0.21
- MoustachedBouncer 0.21
- Pikabot Distribution February 2024 0.20
- C0018 0.19
- TA459 0.18
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00