{
	"id": "44585b21-49ef-4257-83ca-8d64ed5cbb46",
	"created_at": "2026-04-06T00:12:53.467542Z",
	"updated_at": "2026-04-10T03:36:37.123089Z",
	"deleted_at": null,
	"sha1_hash": "08b18f428a4ffbfb0dc1490ccca75ed07a78e1d8",
	"title": "TA505 targets the US retail industry with personalized attachments | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 294164,
	"plain_text": "TA505 targets the US retail industry with personalized\r\nattachments | Proofpoint US\r\nBy Proofpoint Staff, December 06, 2018\r\nPublished: 2018-12-06 · Archived: 2026-04-05 18:20:47 UTC\r\nOverview\r\nSince November 15, 2018, Proofpoint has observed email campaigns from a specific actor targeting large retail\r\nchains, restaurant chains and grocery chains, as well as other organizations in the food and beverage industries.\r\nThese email campaigns attempted to deliver various malware families, including Remote Manipulator System\r\n(RMS) and FlawedAmmyy, among others.\r\nWe also observed personalization of attachments in one such campaign. These attachments included the targeted\r\ncompany’s logo in the body of the attachment to make messages more believable.\r\nWe attributed these campaigns to TA505, the actor behind the largest Dridex and Locky ransomware campaigns of\r\nthe last two years and more recently associated with distribution of remote access Trojans (RATs) and\r\ndownloaders. This change in tactics -- the use of personalized attachments in moderately large campaigns\r\ncombined with retail industry targeting -- arrives just in time for the holiday shopping season.\r\nCampaign Details\r\nOn December 3, 2018, we observed a TA505 campaign targeting almost exclusively retail, grocery, and restaurant\r\nchains. This campaign distributed tens of thousands of messages.\r\nMore interestingly, each intended target received a personalized attachment, a technique that TA505 has not\r\npreviously used. The email (Figure 1) purported to be sent from a Ricoh printer and to contain a scanned document.\r\nThe bogus scan was actually a malicious Microsoft Word attachment (Figure 2). The document attached was\r\nunique to the targeted company, and even contained the targeted company’s logo in the document lure (blurred in\r\nthe figure with a black box).\r\nThe document contains macros that, if enabled, download and execute an MSI file.
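A worked example, added here as editorial material and not code from the original Proofpoint post: the Python below scans log lines for the indicators that this post lists in its IOC table (the payload URL, the three SHA256 hashes, the RMS C&C IP:port, and the serial and subject of the code-signing certificate). The indicators are taken from the post in their defanged form (hxxp, [.]) and refanged before matching, since defanged values never match raw telemetry as written; the sample log lines and their field names are constructed for the example and are not real telemetry.

```python
# Added example (not from the Proofpoint post): refang the defanged IOCs from
# the post's IOC table and scan constructed log lines for them.
from collections import namedtuple

Ioc = namedtuple('Ioc', 'value kind description')

# Indicators exactly as the post lists them (defanged with hxxp and [.]).
DEFANGED_IOCS = [
    Ioc('hxxp://local365office[.]com/content', 'url', 'Document payload'),
    Ioc('9206f08916ab6f9708d81a6cf2f916e2f606fd048a6b2355a39db97e258d0883',
        'sha256', 'RMS MSI dropper'),
    Ioc('06c637ac62cab511c5c42e142855ba0447a1c8ac8ee4b0f1f8b00faa5310fe9f',
        'sha256', 'Self-extracting RAR containing RMS'),
    Ioc('609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30',
        'sha256', 'RMS RAT'),
    Ioc('89.144.25[.]32:5655', 'ip_port', 'RMS RAT C&C'),
    Ioc('0F 2B 44 E3 98 BA 76 C5 F5 77 79 C4 15 48 60 7B',
        'cert_serial', 'Serial number of the code signing certificate'),
    Ioc('DIGITAL DR', 'cert_subject', 'Subject name of the code signing certificate'),
]

def refang(value):
    # Undo the usual defanging so the indicator looks like it does in logs.
    value = value.replace('hxxps://', 'https://').replace('hxxp://', 'http://')
    return value.replace('[.]', '.').replace('(.)', '.').replace('[:]', ':')

def normalise(value, kind):
    # Hashes and serials: case-insensitive, ignore spacing and colon grouping.
    if kind in ('sha256', 'cert_serial'):
        return value.replace(' ', '').replace(':', '').lower()
    return refang(value).lower()

IOCS = [Ioc(normalise(i.value, i.kind), i.kind, i.description) for i in DEFANGED_IOCS]

def match_line(line):
    # Return (kind, description) for every IOC present in one log line.
    lowered = line.lower()
    compact = lowered.replace(' ', '').replace(':', '')
    hits = []
    for ioc in IOCS:
        haystack = compact if ioc.kind in ('sha256', 'cert_serial') else lowered
        if ioc.value in haystack:
            hits.append((ioc.kind, ioc.description))
    return hits

def scan(lines):
    # Map line index to its hits, leaving clean lines out of the result.
    return {n: hits for n, hits in enumerate(match_line(l) for l in lines) if hits}

# Constructed sample log lines (field names assumed, not real telemetry):
# a proxy request for the payload, an EDR file event with an upper-case hash,
# a firewall flow to the C&C, a signature event with a colon-grouped serial,
# and one benign request.
SAMPLE_LOGS = [
    'proxy host=ws-17 method=GET url=http://local365office.com/content status=200',
    'edr event=file_create path=C:/Users/x/AppData/Local/Temp/scan.msi '
    'sha256=9206F08916AB6F9708D81A6CF2F916E2F606FD048A6B2355A39DB97E258D0883',
    'fw action=allow src=10.0.5.17:51233 dst=89.144.25.32:5655 proto=tcp',
    'edr event=signature_verified subject=DIGITAL DR '
    'serial=0f:2b:44:e3:98:ba:76:c5:f5:77:79:c4:15:48:60:7b',
    'proxy host=ws-18 method=GET url=https://www.example.com/ status=200',
]

if __name__ == '__main__':
    for n, hits in sorted(scan(SAMPLE_LOGS).items()):
        print(n, SAMPLE_LOGS[n])
        for kind, desc in hits:
            print('   ', kind, '->', desc)
```

The hash and serial comparisons deliberately strip spacing and colons before matching, because tooling prints the same certificate serial as space-separated bytes, colon-separated bytes or one hex run; the benign fifth line produces no hit.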
The execution leads to the\r\ninstallation of Remote Manipulator System (RMS) with a settings file that contains a custom command and\r\ncontrol (C\u0026C) address.\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments\r\nFigure 1: Email used in attempts to deliver malicious document on December 3\r\nThe lure shown in Figure 2 continues the social engineering introduced in the email, enticing recipients to enable\r\nmacros so that they can view the contents of the fake scanned document.\r\nFigure 2: Attached document with the logo blacked out and social engineering to trick recipients into enabling\r\nmacros\r\nConclusion\r\nTA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with\r\ntheir campaigns through the end of 2017. When this group changes tactics, it tends to correspond to broader shifts\r\nand, throughout the year, we have seen both TA505 and a number of other actors focus on downloaders, RATs,\r\ninformation stealers, and banking Trojans, often in smaller, more targeted campaigns. 
Threat actors follow the\r\nmoney and, with dropping cryptocurrency values, the return on investment in better targeting, improved social\r\nengineering, and management of persistent infections now seems to be greater than that for large “smash and\r\ngrab” ransomware campaigns.\r\nGiven the ongoing holiday shopping season, the clear US retail and grocery targeting associated with these\r\ncampaigns, and the nature of the malware they are distributing -- RATs and backdoors -- TA505 appears poised to\r\ntake advantage of increased activity in this sector through the end of the year.\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nhxxp://local365office[.]com/content | URL | Document payload\r\n9206f08916ab6f9708d81a6cf2f916e2f606fd048a6b2355a39db97e258d0883 | SHA256 | RMS MSI dropper\r\n06c637ac62cab511c5c42e142855ba0447a1c8ac8ee4b0f1f8b00faa5310fe9f | SHA256 | Self-extracting RAR containing RMS\r\n609b0a416f9b16a6df9b967dc32cd739402af31566e019a8fb8abdf3cb573e30 | SHA256 | RMS RAT\r\n89.144.25[.]32:5655 | IP:Port | RMS RAT C\u0026C\r\n0F 2B 44 E3 98 BA 76 C5 F5 77 79 C4 15 48 60 7B | Certificate Serial | Serial number of the code signing certificate\r\nDIGITAL DR | String | Subject name of the code signing certificate\r\nET and ETPRO Suricata/Snort Signatures\r\n2812668 ETPRO POLICY Remote Utilities Access Tool Activity\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments"
	],
	"report_names": [
		"ta505-targets-us-retail-industry-personalized-attachments"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08b18f428a4ffbfb0dc1490ccca75ed07a78e1d8.pdf",
		"text": "https://archive.orkl.eu/08b18f428a4ffbfb0dc1490ccca75ed07a78e1d8.txt",
		"img": "https://archive.orkl.eu/08b18f428a4ffbfb0dc1490ccca75ed07a78e1d8.jpg"
	}
}