{
	"id": "a9198fc7-7f44-4441-8a93-5c4beb3d754d",
	"created_at": "2026-04-06T00:19:55.919309Z",
	"updated_at": "2026-04-10T03:35:43.290438Z",
	"deleted_at": null,
	"sha1_hash": "2517b9dc1faec3aeabe8e958f17c8dcf82b6c530",
	"title": "Beyond “North America” - Threat actors target Canada specifically | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 525579,
	"plain_text": "Beyond “North America” - Threat actors target Canada\r\nspecifically | Proofpoint US\r\nBy Proofpoint Threat Insight Team, May 23, 2019\r\nPublished: 2019-05-23 · Archived: 2026-04-05 18:10:39 UTC\r\nOverview\r\nBetween January 1, 2019, and May 1, 2019, threat actors conducted thousands of malicious email campaigns,\r\nhundreds of which were sent to Canadian organizations. While discussions of threats in this region often focus on\r\n“North America” generally or just the United States, nearly 100 campaigns during this period were either\r\nspecifically targeted at Canadian organizations or were customized for Canadian audiences. Much of this is due to\r\nEmotet. TA542, the primary actor behind Emotet, is known for the development of lures and malicious mail\r\nspecific to given regions. However, we also saw customization ranging from French-language lures to brand abuse\r\nfrom a number of actors geo-targeting Canada.\r\nIn these campaigns, Proofpoint researchers observed stolen branding from several notable Canadian companies\r\nand agencies including major shipping and logistics organizations, national banks, and large government agencies.\r\nTop affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and\r\ntechnology.\r\nIn addition to campaigns that are specifically geo-targeted at Canada, we frequently observe Canadian\r\norganizations being affected by global or multinational campaigns. These campaigns are typically sent by\r\nfinancially motivated cybercriminals, but can also be orchestrated or sent by national, state-sponsored threat actors\r\nknown as Advanced Persistent Threats (APT). 
Overall, the majority of malware being distributed to Canadian\r\ncustomers affects banking and financial services most directly.\r\nBelow is a brief of high-risk malware payloads that frequently impact Canadian interests.\r\nEmotet\r\nEmotet is a type of general-purpose malware that evolved from a well-known banking Trojan, “Cridex”, which\r\nwas first discovered in 2014. Originally targeting Western European banks, it has since been developed into a\r\nrobust global botnet that is comprised of several modules, each of which equips Emotet with a different capability,\r\nincluding spamming, email logging, information stealing, bank fraud, downloading, and DDoS, among others.\r\nEmotet activity in 2019 included several high-volume campaigns that collectively distributed tens of millions of\r\nmessages primarily targeting the manufacturing and healthcare industries. Beginning in mid-January 2019, TA542\r\ndistributed millions of Emotet-laden emails in both English and German.\r\nhttps://www.proofpoint.com/us/threat-insight/post/beyond-north-america-threat-actors-target-canada-specifically\r\nPage 1 of 5\n\nFigure 1: Word document with macros that, once enabled, install Emotet\r\nThe messages were sent with attached malicious Microsoft Word documents and/or URLs that linked to malicious\r\ndocuments. The Word documents contained macros that, when enabled, installed an instance of Emotet. In this\r\nparticular campaign, TA542 also spoofed Amazon invoices, which included links to malicious Word documents.\r\nUrsnif\r\nUrsnif is a Trojan that can be used to steal data from users of online banking websites, with the help of web\r\ninjects, proxies, and VNC (remote access software) connections. It can steal data such as stored passwords as well\r\nas download updates, modules, or other malware onto victim PCs.\r\nThere are now multiple variants of Ursnif in the wild, following the release of an earlier version’s source code\r\n(version 2.13.241). 
Variants include Dreambot, Gozi ISFB, and Papras.\r\nOthers\r\nWhile Emotet and Ursnif are the most common threats that geotarget North American countries including Canada,\r\nProofpoint researchers are tracking several other malware strains with significantly smaller footprints that remain\r\nnoteworthy threats for Canadian organizations. These include:\r\nIcedID\r\nIcedID is a banking Trojan that Proofpoint researchers originally observed being distributed by Emotet in April of\r\n2017. Since then, it has also been distributed by other unaffiliated actors. IcedID is international in scope and\r\naffects countries including the US, Canada, Italy, and others.\r\nBetween January 1 and May 1, 2019, several IcedID affiliates appeared to target Canadian organizations at higher\r\nrates than other geographies.\r\nThe Trick\r\nThe Trick is a modular banking Trojan. The main bot enables persistent infections, downloading of additional\r\nmodules, loading affiliate payloads, and loading updates for the malware. The Trick will initially attempt to\r\ndisable any antivirus-related services by abusing PowerShell.\r\nGandCrab\r\nGandCrab is a type of ransomware that encrypts users' files, typically appending a \".gdcb\" extension and leaving a\r\nransom note \"GDCB-DECRYPT.txt\" in each directory of the client machine’s hard disk.\r\nThis malware appears to be shared among threat actors using an affiliate business model and is deployed via\r\nmalicious advertising and malicious email attachments. 
While ransomware is now relatively rare in email,\r\nGandCrab has consistently appeared in email campaigns this year.\r\nGandCrab displays a ransom note instructing the user to visit a payment portal that is located on a TOR (\"dark\r\nweb\") site in order to pay the ransom.\r\nFigure 2: GandCrab ransom note deposited as a TXT file on the client hard disks.\r\nDanaBot\r\nDanaBot is a Trojan that includes banking site web injections and stealer functions. Proofpoint researchers\r\nobserved one DanaBot affiliate (Affid 11) specifically targeting Canada with “Canada Post” themed lures between\r\nJanuary 1 and May 1, 2019.\r\nFormBook\r\nFormBook is a browser form stealer/keylogger that is under active development. This malware is notable in its use\r\nof \"decoy domains\" in its command and control (C\u0026C) communications; typically it will connect to 15 randomly\r\nselected domains, one of which is replaced by the correct C\u0026C.\r\nDridex\r\nDridex is a banking Trojan that steals personal banking information and credentials for other sites, such as social\r\nmedia platforms and webmail. First spotted in November 2014, Dridex is considered to be a successor of Cridex, a\r\nsimilar banking Trojan.\r\nThe malware appears to be under the control of one group and is sold as a service to others. Each Dridex affiliate\r\ndistributes the malware in a different manner. The distribution varies in sophistication and frequency. Observed\r\ndelivery mechanisms include:\r\nMicrosoft Word documents arriving as an email attachment that utilizes social engineering and macros to\r\ninfect users\r\nMIME-formatted Microsoft Word or Excel email attachments utilizing malicious macros\r\nSpammed URLs leading to zipped executables. 
The URLs may utilize a public redirector service such as\r\ngoogle.com with the final payload hosted on another site such as dropbox.com or copy.com\r\nExploit Kits\r\nConclusion\r\nWhile this blog is focused specifically on malware threats affecting Canada, often among other regions,\r\nubiquitous phishing attacks, Business Email Compromise (BEC), and other forms of imposter attacks remain\r\nongoing threats, both internationally and in Canada. Organizations in Canada and elsewhere should remain\r\nvigilant of the following:\r\nCredential phishing, which is the most common threat observed by Proofpoint researchers, is a type of\r\nphishing that specifically targets a victim’s login credentials such as usernames and passwords. These\r\ncampaigns are usually high-volume emails with linked or embedded spoofs of login pages for reputable\r\nentities including banks, universities, electronic signature services, and social media and file sharing\r\nplatforms.\r\nMalicious emails that attempt to impersonate a person, commercial entity, or respected\r\nbrand, such as a bank or an internet service provider. This type of imposter activity could be used for\r\nfinancial fraud, including business email compromise (BEC), in conjunction with other social engineering\r\nmechanisms to achieve the desired result, whether delivery of malware, credential phishing, or further\r\nnetwork compromise.\r\nFigure 3: An example of a threat actor engaging in business email compromise (BEC), which is a type of known\r\nimposter activity. 
\r\nConclusion\r\nIn 2019, threats specific to Canadian interests, whether abusing Canadian brands or affecting Canadian\r\norganizations through specific geo-targeting, mean that defenders at Canadian companies must be cognizant of\r\nthreats far more targeted than “North America.” Banking Trojans and the Emotet botnet lead the pack, creating\r\nrisks for organizations and individuals with compelling lures and carefully crafted social engineering. While\r\nCanada-targeted threats are not new, Emotet in particular, with its frequent region-specific email campaigns, is\r\nbringing new attention to geo-targeting in Canada and beyond.\r\nSource: https://www.proofpoint.com/us/threat-insight/post/beyond-north-america-threat-actors-target-canada-specifically",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/beyond-north-america-threat-actors-target-canada-specifically"
	],
	"report_names": [
		"beyond-north-america-threat-actors-target-canada-specifically"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2517b9dc1faec3aeabe8e958f17c8dcf82b6c530.pdf",
		"text": "https://archive.orkl.eu/2517b9dc1faec3aeabe8e958f17c8dcf82b6c530.txt",
		"img": "https://archive.orkl.eu/2517b9dc1faec3aeabe8e958f17c8dcf82b6c530.jpg"
	}
}