Cyber Resilience


Mustard Tempest G1020 unknown

aka Mustard Tempest, DEV-0206, TA569, GOLD PRELUDE, UNC1543

Last updated: 2026-07-03

0 attributed CVEs
18 ATT&CK techniques
0.0 IDF score (tooling uniqueness)
0 exclusive CVEs
years active

About this actor

[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access for the download of additional malware including LockBit, [WastedLocker](https://attack.mitre.org/software/S0612), and remote access tools. (Citation: Microsoft Ransomware as a Service) (Citation: Microsoft Threat Actor Naming July 2023) (Citation: Secureworks Gold Prelude Profile) (Citation: SocGholish-update)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVE | Risk | CVSS | EPSS | Published | Products
No attributed CVEs.

Mitigating controls (NIST 800-53)

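| Control | Techniques covered | Coverage |
|---|---|---|
| CA-7 | 8 / 18 | 44% |
| CM-2 | 8 / 18 | 44% |
| CM-6 | 8 / 18 | 44% |
| SI-3 | 8 / 18 | 44% |
| SI-4 | 8 / 18 | 44% |
| AC-4 | 6 / 18 | 33% |
| SC-7 | 6 / 18 | 33% |
| CM-7 | 5 / 18 | 28% |
| IA-9 | 4 / 18 | 22% |
| SC-44 | 4 / 18 | 22% |
| SI-2 | 4 / 18 | 22% |
| SI-7 | 4 / 18 | 22% |
| SI-8 | 4 / 18 | 22% |
| AC-6 | 3 / 18 | 17% |
| SI-10 | 3 / 18 | 17% |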

Co-occurring actors

None.

Similar actors

Similar TTPs