Threat Actor Profile
High APT
Description

TA551 is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)

Confidence Score
90%
Known Aliases
TA551, GOLD CABIN, Shathak
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (14)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1132.001 - Standard Encoding (Command and Control)
T1568.002 - Domain Generation Algorithms (Command and Control)
T1027.003 - Steganography (Defense Evasion)
T1027.010 - Command Obfuscation (Defense Evasion)
T1036 - Masquerading (Defense Evasion)
T1218.005 - Mshta (Defense Evasion)
T1218.010 - Regsvr32 (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1059.003 - Windows Command Shell (Execution)
T1204.002 - Malicious File (Execution)
T1566.001 - Spearphishing Attachment (Initial Access)
T1589.002 - Email Addresses (Reconnaissance)
STIX Data
{'aliases': ['TA551', 'GOLD CABIN', 'Shathak'],
 'created': '2021-03-19T21:04:00.692Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[TA551](https://attack.mitre.org/groups/G0127) is a '
                'financially-motivated threat group that has been active since '
                'at least 2018. (Citation: Secureworks GOLD CABIN) The group '
                'has primarily targeted English, German, Italian, and Japanese '
                'speakers through email-based malware distribution campaigns. '
                '(Citation: Unit 42 TA551 Jan 2021)',
 'external_references': [{'external_id': 'G0127',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0127'},
                         {'description': '(Citation: Secureworks GOLD CABIN)',
                          'source_name': 'GOLD CABIN'},
                         {'description': '(Citation: Unit 42 Valak July '
                                         '2020)(Citation: Unit 42 TA551 Jan '
                                         '2021)',
                          'source_name': 'Shathak'},
                         {'description': 'Duncan, B. (2020, July 24). '
                                         'Evolution of Valak, from Its '
                                         'Beginnings to Mass Distribution. '
                                         'Retrieved August 31, 2020.',
                          'source_name': 'Unit 42 Valak July 2020',
                          'url': 'https://unit42.paloaltonetworks.com/valak-evolution/'},
                         {'description': 'Duncan, B. (2021, January 7). TA551: '
                                         'Email Attack Campaign Switches from '
                                         'Valak to IcedID. Retrieved March 17, '
                                         '2021.',
                          'source_name': 'Unit 42 TA551 Jan 2021',
                          'url': 'https://unit42.paloaltonetworks.com/ta551-shathak-icedid/'},
                         {'description': 'Secureworks. (n.d.). GOLD CABIN '
                                         'Threat Profile. Retrieved March 17, '
                                         '2021.',
                          'source_name': 'Secureworks GOLD CABIN',
                          'url': 'https://www.secureworks.com/research/threat-profiles/gold-cabin'}],
 'id': 'intrusion-set--94873029-f950-4268-9cfd-5032e15cb182',
 'modified': '2025-04-16T20:37:36.634Z',
 'name': 'TA551',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Shuhei Sasada, Cyber Defense Institute, Inc',
                          'Ryo Tamura, SecureBrain Corporation',
                          'Shotaro Hamamoto, NEC Solution Innovators, Ltd',
                          'Yusuke Niwa, ITOCHU Corporation',
                          'Takuma Matsumoto, LAC Co., Ltd'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.2'}