{
	"id": "0eee3ef2-297d-476e-aade-fc5c76a923f1",
	"created_at": "2026-04-06T00:11:44.663629Z",
	"updated_at": "2026-04-10T03:25:21.787784Z",
	"deleted_at": null,
	"sha1_hash": "1d15e85684e715a98299cf8b07bc58f047e9e693",
	"title": "TA575 criminal group using 'Squid Game' lures for Dridex malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47443,
	"plain_text": "TA575 criminal group using 'Squid Game' lures for Dridex malware\r\nBy Jonathan Greig, Contributor, Oct. 29, 2021 at 1:36 p.m. PT\r\nArchived: 2026-04-05 15:52:52 UTC\r\nCybersecurity firm Proofpoint has found evidence of a prolific cybercrime group using the popularity of Netflix hit \"Squid Game\" to spread the Dridex malware.\r\nIn a blog post, Proofpoint said TA575 -- a \"large cybercrime actor\" -- has sent emails pretending to be someone working on the show, urging people to download malicious attachments or fill out forms with sensitive information.\r\nThe emails come with subject lines saying things like: \"Squid Game is back, watch new season before anyone else,\" \"Invite for Customer to access the new season,\" \"Squid game new season commercials casting preview,\" and \"Squid game scheduled season commercials talent cast schedule.\"\r\nProofpoint said it found thousands of emails using the lures that targeted a variety of industries in the US. Some of the emails try to lure victims in by saying they could be in the show if they download a document and fill it out.\r\n[Image: Proofpoint]\r\n\"The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan affiliate id '22203' from Discord URLs,\" Proofpoint researchers Axel F and Selena Larson wrote.\r\nSherrod DeGrippo, vice president of threat detection and response at Proofpoint, told ZDNet that Dridex is a banking trojan used to siphon money directly from the victim's bank account.\r\n\"But Dridex is also used for information gathering or as a malware loader that can lead to follow-on infections such as ransomware,\" DeGrippo added.\r\nProofpoint has been tracking TA575 since late 2020, noting that the group typically distributes Dridex through \"malicious URLs, Microsoft Office attachments, and password-protected files.\" The gang uses a variety of lures to get victims to click on links or download documents, often playing off of pop culture or deploying invoice-related language in emails.\r\n\"On average, TA575 sends thousands of emails per campaign, impacting hundreds of organizations. TA575 also uses the Discord content delivery network (CDN) to host and distribute Dridex,\" the Proofpoint researchers said, adding that Discord has become a \"popular malware-hosting service for cybercriminals.\"\r\nCybersecurity experts like ThreatModeler CEO Archie Agarwal said the TA575 criminal group is made up of prolific, financially-motivated opportunists who specialize in Dridex malware and operate swaths of Cobalt Strike servers.\r\nBoth the Dridex malware and Cobalt Strike servers are examples of repurposing the work of others, Agarwal said, explaining that Dridex dates back as far as 2015 and was known for specializing in banking credentials theft.\r\nHank Schless, Lookout senior manager of security solutions, said that throughout the COVID-19 pandemic, cybercriminals have used a variety of hooks related to the vaccine or government aid as a lure for emails with malicious attachments.\r\nLookout data shows threat actors are heavily targeting users through mobile channels such as SMS, social media platforms, third-party messaging apps, gaming, and even dating apps. He added that one of the most interesting parts of the report is that TA575 uses the Discord CDN to host and deliver the malware.\r\n\"This practice of using legitimate services as an intermediary command and control server is becoming more common. We frequently see it with data storage platforms like Dropbox as well. Attackers do this because it may help them slip by any detections more easily if the traffic looks legitimate,\" Schless said.\r\nSource: https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/"
	],
	"report_names": [
		"ta575-criminal-group-using-squid-game-lures-for-dridex-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775791521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d15e85684e715a98299cf8b07bc58f047e9e693.pdf",
		"text": "https://archive.orkl.eu/1d15e85684e715a98299cf8b07bc58f047e9e693.txt",
		"img": "https://archive.orkl.eu/1d15e85684e715a98299cf8b07bc58f047e9e693.jpg"
	}
}