>samit_hota
Back to adversary profiles
G1020HighActive

Threat Profile: Mustard Tempest (G1020)

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
DEV-0206, TA569, GOLD PRELUDE, UNC1543
Target Sectors
Academic, Healthcare, Legal, Media, NGO, Retail, Financial, Government, Technology, Manufacturing, Unspecified
Associated Malware
SocGholish, LockBit, WastedLocker, BurnsRAT, NetSupport RAT, ParrotTDS, Dridex, BitPaymer, Hades Ransomware, DoppelPaymer, PhoenixLocker, Macaw, RansomHub, Cobalt Strike, GhoLoader, BumbleBee, IcedID, Truebot
#threat-actor#g1020

Overview

Mustard Tempest, tracked by MITRE ATT&CK as G1020, is a highly active and financially motivated initial access broker (IAB) that has operated since at least 2017. The group is widely known for its sophisticated SocGholish distribution network, which serves as a primary infection vector for other cybercriminal enterprises. Mustard Tempest, also identified by aliases such as DEV-0206, TA569, GOLD PRELUDE, and UNC1543, specializes in gaining unauthorized access to victim environments and then selling or leasing this access to other threat actors, effectively functioning as a “Malware-as-a-Service” (MaaS) provider. Their operations are designed to provide preliminary footholds for a wide range of follow-on attacks, most notably ransomware deployments.

The group’s motivation is purely financial. They profit by compromising systems at scale and offering this initial access to other criminal groups, making them a crucial enabler within the broader cybercrime ecosystem. While a specific country of origin is not definitively attributed, their partnerships and activities, particularly with groups like Indrik Spider (Evil Corp), suggest potential ties to Russian cybercrime. Mustard Tempest has been observed targeting a wide array of sectors globally, including academic, healthcare, legal, media, non-governmental organizations (NGOs), retail, financial, government, technology, and manufacturing industries.

Tactics & Techniques

Mustard Tempest’s primary tactic revolves around the “FakeUpdate” technique, leveraging social engineering and drive-by compromise to deliver their initial payload, SocGholish. They achieve this by compromising legitimate websites and injecting malicious JavaScript code into them. When a user visits one of these compromised websites, a sophisticated traffic distribution system (TDS) redirects them, often presenting a convincing, full-screen fake browser update prompt (e.g., for Chrome, Flash Player). If the victim’s environment meets specific criteria (such as being a domain-joined system, indicating a corporate network), they are prompted to download a malicious archive file, typically a ZIP, containing the SocGholish JavaScript payload. This initial access to corporate networks is particularly valuable for Mustard Tempest’s customers.

The group employs several techniques to enhance its operations and evade detection:

  • Acquire Infrastructure: Mustard Tempest acquires servers to host second-stage payloads that can remain active for extended periods. They also use malvertising, posting fake advertisements for software packages and browser updates to distribute malware.
  • Compromise Infrastructure: They operate a global network of compromised websites that redirect victims through their TDS.
  • Drive-by Compromise: This is their hallmark initial infection vector, often involving fake browser updates.
  • Ingress Tool Transfer: They deploy secondary payloads and third-stage implants to compromised hosts.
  • Masquerading: Mustard Tempest uses filenames like “AutoUpdater.js” to mimic legitimate update files and has been observed using Cyrillic homoglyph characters to obscure filenames such as “Сhrome.Updаte.zip”.
  • Phishing: They have sent spearphishing emails containing links to compromised websites.
  • SEO Poisoning: The group has also poisoned search engine results to return fake software updates, further broadening their reach.

Once executed, the SocGholish JavaScript establishes a command-and-control (C2) channel to relay system information and can deploy additional malware, including remote access tools (RATs) and loaders for further exploitation.

Notable Campaigns

Mustard Tempest’s operations are largely defined by its continuous use of the SocGholish distribution network. A key aspect of their activity is their partnership with other prominent cybercrime groups. They have been observed providing initial access to Indrik Spider (G0119), also known as Evil Corp (DEV-0243, UNC2165, Manatee Tempest). This collaboration facilitates the deployment of various ransomware families.

A notable development in 2022 was the observation of DEV-0206 (Mustard Tempest) utilizing access provided by the Raspberry Robin Windows worm to deploy the FakeUpdates malware. This indicated a potential expansion of their initial access methods beyond compromised websites, demonstrating their adaptability in leveraging diverse infection chains.

In recent years, security researchers have continued to highlight the widespread impact of SocGholish infections, noting frequent leads to the deployment of various ransomware families, including RansomHub. The longevity and adaptability of their SocGholish operations make nearly any sustained SocGholish campaign a notable incident due to its potential for severe downstream consequences.

Associated Malware & Tools

Mustard Tempest’s primary tool is the SocGholish (S1124) JavaScript-based loader, which acts as a preliminary foothold on victim networks. SocGholish is highly obfuscated and uses traffic distribution systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims.

Once initial access is gained via SocGholish, Mustard Tempest provides this access to other criminal groups, who then deploy their preferred secondary payloads. Malware and tools observed in follow-on attacks include:

  • Ransomware: LockBit, WastedLocker, Hades Ransomware, DoppelPaymer, BitPaymer, PhoenixLocker, Macaw, and RansomHub.
  • Remote Access Trojans (RATs): NetSupport RAT and BurnsRAT.
  • Loaders/Backdoors: GhoLoader and Cobalt Strike beacons.
  • Other Malware: Dridex, BumbleBee, IcedID, and Truebot.

Their ability to facilitate the deployment of such a wide array of malware underscores their critical role as an initial access broker in the cybercrime ecosystem. They have also been seen using PowerShell and Windows Command Shell for execution and discovery, as well as tools like Mimikatz and Kerberoasting for credential access in post-compromise activity.

Current Status

Mustard Tempest remains an Active threat. The group’s operations have been persistent since at least 2017 and have continued to evolve. Recent international law enforcement efforts, such as “Operation Endgame” in June 2026, specifically targeted the infrastructure associated with SocGholish and its operator, TA569 (Mustard Tempest). This operation reportedly disrupted infrastructure, took down over 100 servers and domains, and remediated nearly 15,000 compromised websites used to distribute SocGholish.

Despite these significant disruptions, threat actors like Mustard Tempest often attempt to rebuild and retool their operations. While a major blow, such actions increase their operational costs and provide valuable intelligence for defenders, but do not necessarily signal an end to their activities. Security researchers continue to track their activity, observing SocGholish as a prominent loader in recent campaigns, leading to various post-exploitation activities and ransomware deployments. Given their role as a prolific IAB and MaaS provider, Mustard Tempest will likely continue to adapt its methods to sustain its financially motivated operations.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call