Gold Melody [1] [2] [3] [5] [6] [7], also known as Prophet Spider and UNC961 [1] [3] [5], is an initial access broker (IAB) that has evaded capture for seven years despite being closely monitored by researchers [2]. Gold Melody specializes in compromising organizations through vulnerabilities in publicly exposed servers [1] and sells access to the compromised organizations to third-party cybercriminals for financial gain [1]. This article describes Gold Melody’s activities in detail and offers recommendations for mitigating the threat the group poses.


Gold Melody targets organizations by exploiting vulnerabilities in publicly exposed servers, including JBoss Messaging [3], Citrix ADC [3], Oracle WebLogic [1] [3], GitLab [1] [3], and Apache Log4j [3]. The group has been active since at least 2017 and primarily targets retail, healthcare [1] [3], energy [1] [3], financial [1] [3] [4] [5], and high-tech organizations in North America [3], Northern Europe [1] [3], and Western Asia [1] [3]. Its motives are solely financial, with no link to state activity.

To gain control, Gold Melody uses its own tools [1], such as Gotroj and Barnwork [1], for remote access [1] [3]. The group possesses a wide range of tooling [1], including operating system software [3], remote access trojans (RATs) [3], and tunneling tools [3]. Gold Melody establishes persistence using Jakarta Server Pages (JSP) web shells and conducts reconnaissance of the victim environment [6]. It also employs tools such as Mimikatz to harvest credentials and has access to other open-source and underground tools.

Once in control, Gold Melody collaborates with ransomware actors [2], leading to the deployment of ransomware programs like Egregor, MountLocker [6] [7], and CryptoDefense [6] [7]. Secureworks has identified five separate intrusions by Gold Melody between July 2020 and July 2022 [6].

Mitigation measures are crucial to counter the threat posed by Gold Melody. Early detection and vulnerability management are key [6]. The group exploits recently disclosed vulnerabilities using publicly available exploit code [3], so organizations must patch their systems promptly and practice effective vulnerability management. Gold Melody conducts extensive scanning to understand a victim’s environment and engages in credential harvesting [3], lateral movement [3], and data exfiltration [3]. By taking proactive measures [2], organizations can protect themselves and prevent the subsequent ransomware attacks facilitated by groups like Gold Melody. Companies need broad visibility across their endpoints [7], network connections [7], and cloud solutions to detect and mitigate Gold Melody’s activities early [7].
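Because the group persists through JSP web shells dropped on exploited Java application servers, one concrete piece of the endpoint visibility recommended above is a periodic sweep of deployed web roots for JSP files carrying shell-like traits. The following triage script is an added example written for this article, not tooling from any cited vendor report; the indicator list, weights and threshold are assumptions, and the sample web root it builds is constructed inline so it runs offline.

```python
"""Triage heuristic for JSP web shells in a Java web root (constructed example)."""
import os
import re
import tempfile

# Traits commonly seen in JSP web shells: OS command execution, reflective class
# loading, decoding of embedded payloads, and request-controlled input feeding
# them. Names, patterns and weights are assumptions chosen for this example.
INDICATORS = {
    "runtime_exec": (re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("), 5),
    "process_builder": (re.compile(r"new\s+ProcessBuilder\s*\("), 5),
    "reflection_load": (re.compile(r"ClassLoader|defineClass|Class\.forName"), 3),
    "base64_decode": (re.compile(r"Base64\.getDecoder\(\)|decodeBase64"), 2),
    "unicode_escapes": (re.compile(r"\\u00[0-9a-fA-F]{2}"), 2),
    "request_param": (re.compile(r"request\.getParameter\s*\("), 2),
}

def score_jsp(text: str):
    """Return (score, sorted matched indicator names) for one JSP source text."""
    matched = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[n][1] for n in matched), sorted(matched)

def scan_webroot(root: str, min_score: int = 5):
    """Walk a deployed web root and report JSP/JSPX files scoring >= min_score."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, matched = score_jsp(fh.read())
            if score >= min_score:  # an ordinary page reading a parameter stays below it
                findings.append({"path": os.path.relpath(path, root),
                                 "score": score, "indicators": matched})
    return sorted(findings, key=lambda f: -f["score"])

# Constructed samples: a normal page and a file carrying the classic shell traits.
BENIGN_JSP = ('<%@ page contentType="text/html" %>\n'
              '<html><body>Hello, <%= request.getParameter("name") %></body></html>\n')
SUSPICIOUS_JSP = ('<%@ page import="java.io.*" %>\n'
                  '<% String c = request.getParameter("c"); Runtime.getRuntime().exec(c); %>\n')

def demo():
    """Build the constructed web root in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ROOT", "static"))
        with open(os.path.join(root, "ROOT", "index.jsp"), "w", encoding="utf-8") as fh:
            fh.write(BENIGN_JSP)
        with open(os.path.join(root, "ROOT", "static", "conf.jsp"), "w", encoding="utf-8") as fh:
            fh.write(SUSPICIOUS_JSP)
        return scan_webroot(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the sweep would be pointed at the real application server deployment directory and its hits correlated with file creation times and the web server access log for the first request to each flagged path.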


Gold Melody’s activities have significant impacts on targeted organizations, including financial losses and reputational damage. To mitigate these risks, organizations must prioritize early detection and vulnerability management. By promptly patching systems and practicing effective vulnerability management [2], organizations can reduce the likelihood of falling victim to Gold Melody’s attacks. Maintaining broad visibility across endpoints [7], network connections [7], and cloud solutions is likewise crucial for detecting and mitigating Gold Melody’s activities early. With these measures in place, organizations can protect themselves and prevent future ransomware attacks facilitated by groups like Gold Melody.