Threat Actor Profile
Description
Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Secureworks Gold Prelude Profile)(Citation: SocGholish-update)
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (12)
STIX Data
{'aliases': ['Mustard Tempest', 'DEV-0206', 'TA569', 'GOLD PRELUDE', 'UNC1543'],
'created': '2023-12-06T19:00:11.581Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Mustard Tempest](https://attack.mitre.org/groups/G1020) is '
'an initial access broker that has operated the '
'[SocGholish](https://attack.mitre.org/software/S1124) '
'distribution network since at least 2017. [Mustard '
'Tempest](https://attack.mitre.org/groups/G1020) has partnered '
'with [Indrik Spider](https://attack.mitre.org/groups/G0119) '
'to provide access for the download of additional malware '
'including LockBit, '
'[WastedLocker](https://attack.mitre.org/software/S0612), and '
'remote access tools.(Citation: Microsoft Ransomware as a '
'Service)(Citation: Microsoft Threat Actor Naming July '
'2023)(Citation: Secureworks Gold Prelude Profile)(Citation: '
'SocGholish-update)',
'external_references': [{'external_id': 'G1020',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1020'},
{'description': '(Citation: Microsoft Threat Actor '
'Naming July 2023)',
'source_name': 'DEV-0206'},
{'description': '(Citation: Secureworks Gold Prelude '
'Profile)',
'source_name': 'TA569'},
{'description': '(Citation: Secureworks Gold Prelude '
'Profile)',
'source_name': 'GOLD PRELUDE'},
{'description': '(Citation: Secureworks Gold Prelude '
'Profile)',
'source_name': 'UNC1543'},
{'description': 'Andrew Northern. (2022, November '
'22). SocGholish, a very real threat '
'from a very fake update. Retrieved '
'February 13, 2024.',
'source_name': 'SocGholish-update',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update'},
{'description': 'Microsoft . (2023, July 12). How '
'Microsoft names threat actors. '
'Retrieved November 17, 2023.',
'source_name': 'Microsoft Threat Actor Naming July '
'2023',
'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
{'description': 'Microsoft. (2022, May 9). Ransomware '
'as a service: Understanding the '
'cybercrime gig economy and how to '
'protect yourself. Retrieved March '
'10, 2023.',
'source_name': 'Microsoft Ransomware as a Service',
'url': 'https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/'},
{'description': 'Secureworks. (n.d.). GOLD PRELUDE . '
'Retrieved March 22, 2024.',
'source_name': 'Secureworks Gold Prelude Profile',
'url': 'https://www.secureworks.com/research/threat-profiles/gold-prelude'}],
'id': 'intrusion-set--0d4ac089-ced4-4cc4-a989-174d08e6d030',
'modified': '2024-03-25T21:23:15.556Z',
'name': 'Mustard Tempest',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.0'}