{
	"id": "feaac033-c50e-462a-945a-05a955e7f8fc",
	"created_at": "2026-04-06T00:14:48.075202Z",
	"updated_at": "2026-04-10T03:25:21.7903Z",
	"deleted_at": null,
	"sha1_hash": "10ad6789cbd72b0cd159ec6eca0faed42b2f189e",
	"title": "TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 848525,
	"plain_text": "TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware | Proofpoint US\r\nBy Axel F and Selena Larson, October 28, 2021\r\nPublished: 2021-10-28 · Archived: 2026-04-02 11:03:02 UTC\r\nProofpoint identified the large cybercrime actor TA575 distributing Dridex malware using Squid Game lures. The threat actor is purporting to be entities associated with the Netflix global phenomenon, using emails enticing targets to get early access to a new season of Squid Game or to become a part of the TV show casting.\r\nOn October 27, 2021, Proofpoint observed thousands of emails targeting all industries, primarily in the United States. The emails used subjects such as:\r\nSquid Game is back, watch new season before anyone else.\r\nInvite for Customer to access the new sesason. [sic]\r\nSquid game new season commercials casting preview\r\nSquid game scheduled season commercials talent cast schedule\r\nhttps://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware\r\nPage 1 of 5\r\nFigure 1: Netflix Squid Game email lure inviting customers to get early access to a new season\r\nFigure 2: Netflix Squid Game email lure soliciting actors and background talent to apply to be on the show or show commercials\r\nThe emails tell the victim to fill out either an attached document to get early access to the new season of the show or a talent form to become part of the background casting. The attachments are Excel documents with macros that, if enabled, download the Dridex banking trojan (affiliate ID “22203”) from Discord URLs. Dridex is a prolific banking trojan distributed by multiple affiliates that can lead to data theft and installation of follow-on malware such as ransomware.\r\nFigure 3: One of the several Excel attachment lures observed in this campaign\r\nTA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware via malicious URLs, Microsoft Office attachments, and password-protected files. On average, TA575 sends thousands of emails per campaign, impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex. Discord, a communications platform with consumer and enterprise uses, is an increasingly popular malware hosting service for cybercriminals.\r\nTA575 themes generally include invoicing and payments, but occasionally include popular news, events, and cultural references. Cybercriminal threat actors in general have pounced on Squid Game as a popular lure and malware theme. This makes sense: as Squid Game is Netflix’s “biggest ever” series, the pool of potential victims who would inadvertently interact with malicious content associated with it is larger than for a general lure theme. TA575 is betting that the invitation to be part of the upcoming season will entice more users to interact with the malicious Microsoft Excel file.\r\nProofpoint observed the following indicators of compromise:\r\nIndicator  Description\r\n85d2fe6405aac0816f7286bc26174151ae69a08210aec78fea5628862489d8ac  Dridex SHA256\r\n149[.]202[.]179[.]100:443  Dridex C2\r\n66[.]147[.]235[.]11:6891  Dridex C2\r\n81[.]0[.]236[.]89:13786  Dridex C2\r\nhxxps[:]//cdn[.]discordapp[.]com/attachments/902882967184113677/902908322359959602/xEljRErMuphgnb[.]dll  Excel Payload\r\nhxxps[:]//cdn[.]discordapp[.]com/attachments/902882967184113677/902903501724725280/TgrWe[.]dll  Excel Payload\r\nhxxps[:]//cdn[.]discordapp[.]com/attachments/902882967184113677/902907845887012875/nmQxwiMDXToNFO[.]dll  Excel Payload\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware"
	],
	"report_names": [
		"ta575-uses-squid-game-lures-distribute-dridex-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10ad6789cbd72b0cd159ec6eca0faed42b2f189e.pdf",
		"text": "https://archive.orkl.eu/10ad6789cbd72b0cd159ec6eca0faed42b2f189e.txt",
		"img": "https://archive.orkl.eu/10ad6789cbd72b0cd159ec6eca0faed42b2f189e.jpg"
	}
}