{
	"id": "1d7349ca-f841-46db-8941-d8bb69d0bb7e",
	"created_at": "2026-04-06T00:14:50.031238Z",
	"updated_at": "2026-04-10T03:34:54.777921Z",
	"deleted_at": null,
	"sha1_hash": "32b93358605116386f5d03bfb85d4dede4f88f8b",
	"title": "Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 959223,
	"plain_text": "Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs\r\nin Local Languages | Proofpoint US\r\nBy The Proofpoint Threat Research Team, August 26, 2020\r\nPublished: 2020-08-25 · Archived: 2026-04-02 12:22:57 UTC\r\nIn late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and\r\nlater AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses\r\nlocalized lures with colorful images that impersonate local banks, law enforcement, and shipping services. To\r\ndate, Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece,\r\nHungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay. \r\nBelow are recent lure examples, message volume, geo targeting, and payload details. While lures are customized\r\nfor various geographies and impersonate individuals associated with the spoofed entities, no vertical targeting has\r\nbeen observed. This actor typically delivers malware via malicious attachments, though URLs linking to\r\nmalicious files were used as a delivery mechanism in early campaigns. TA2719 often relies on widely\r\navailable resources, such as commodity malware and free hosting providers, to execute their campaigns.  \r\nLures \r\nMost lures observed appear to be from a real person with a connection to the spoofed organization. Even details\r\nlike the street address in the alleged sender’s signature are often accurate. Combined with the branding, these\r\ndetails attempt to boost legitimacy of the message. They could still appear legitimate to an intended recipient who\r\nchooses to search for the sender’s name or address before opening the attached file or clicking a link in the\r\nmessage. \r\nCampaigns observed during March-May 2020 were primarily law enforcement-themed. 
Using local languages and\r\nlogos from local law enforcement agencies, the subject lines often attempted to create urgency by claiming,\r\n“ข้อความด่วนจากสำนักงานตำรวจแห่งชาติ (Urgent message from the Royal Thai\r\nPolice),” or “Последната полициска покана пред апсењето (The last police invitation before the arrest)”\r\n(Figures 1, 2). \r\nhttps://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages\r\nPage 1 of 11\n\nFigure 1: Email lure spoofing Royal Thai Police \r\nFigure 2: Email lure impersonating the Police of North Macedonia, appearing to come from the State Secretary of\r\nthe North Macedonian Ministry of Internal Affairs \r\nIn addition to law enforcement-themed lures, some messages sent during this time spoofed shipping\r\nnotifications. One early campaign also preyed on COVID-19 fears and impersonated the Taiwan Centers for\r\nDisease Control (Figure 3). This campaign was notable not only because of the theme, but also because it\r\nleveraged both URLs and attachments to deliver the payload. Typically, TA2719 uses attachments or URLs, but\r\nrarely a mix of both in a single campaign.  \r\nFigure 3: Email lure impersonating the Taiwan Centers for Disease Control and appearing to be from its\r\ndirector, Jih-Haw Chou \r\nIn early June 2020, Proofpoint observed a shift away from law enforcement lures as TA2719 began to use more\r\ncommon bank, shipping, and purchase order lures (Figures 4, 5). 
\r\nFigure 4: Swedish email lure impersonating SEB, with subject, “incoming payment notification from a third\r\nparty bank” \r\nFigure 5: Email lure with fraudulent purchase order from Orascom Trading \r\nLures continued to be bank-themed in late June, with subjects like, “Εισερχόμενη επιταγή πληρωμής (Incoming\r\npayment notification)” (Figure 6). \r\nFigure 6: Email lure impersonating a Greek bank \r\nAs of mid-July, TA2719 shifted to exclusively using package delivery lures, impersonating shipping companies\r\nand using subject lines like, “Your parcel from Mrs. Garn has arrived at our office,” or “您从中国寄来的包裹已经到了我们办公室（陈先生的包裹） (The package you sent from China has arrived at our office (Mr. Chen's\r\npackage))” (Figure 7). \r\nFigure 7: Email lure with fraudulent package notification \r\nVolume \r\nCampaign message volume has been relatively low, with a few dozen or few hundred messages per campaign.\r\nTotal monthly message volume peaked in May but has since returned to levels closer to those observed in March\r\nand April. Since late March, Proofpoint has observed several TA2719 campaigns per month. The message volume\r\nspike in May was driven by fewer campaigns with over 2,000 messages each, rather than multiple smaller\r\ncampaigns seen in other months.  
\r\nTargeting \r\nThough the campaigns don’t appear to have any vertical targeting, they are carefully crafted for specific\r\nregions. Various languages and references to legitimate local entities, such as banks or law enforcement\r\norganizations, have been observed: \r\nCountry  Language  Lure Themes Observed \r\nAustria  German  Police \r\nChile  Spanish  Shipping \r\nGreece  Greek  Police, banking \r\nHungary  Hungarian  Police, banking \r\nItaly  Italian  Police \r\nNetherlands  Dutch  Police \r\nNorth Macedonia  Macedonian  Police, shipping \r\nSingapore  English  Police \r\nSpain  Spanish  Police, shipping \r\nSweden  Swedish  Police, banking \r\nTaiwan  Chinese  CDC, shipping \r\nThailand  Thai  Police \r\nUruguay  Spanish  Police \r\nUnited States  English  Shipping \r\nIntended recipients often have easily searchable profiles online, and TA2719 also sends to role-based email\r\naddresses. This suggests that there is little targeting at the individual recipient level, but that the recipient lists may\r\nbe more opportunistic in nature and compiled using basic OSINT techniques. \r\n \r\nDelivery and Payload \r\nFrom March to early July, NanoCore was distributed primarily\r\nthrough emailed ISO file attachments. Several campaigns instead used URLs linking to\r\nmalicious ISO files. Finally, sometimes the actor attempted to deliver a mix of attachments and URLs in the same\r\nemail. When using URLs, ISO files were hosted on compromised sites or file hosting services.  \r\nIn mid-July, the actor pivoted from distributing NanoCore to AsyncRAT, another commodity\r\nRAT. 
Like NanoCore, AsyncRAT has been advertised on forums and as of May 2020, appears to still be under\r\nactive development with new features released May 10, 2020.  \r\nAcross all campaigns observed by Proofpoint, the ISO files had a generic name, such as ‘Document.iso’ or\r\n‘pdf.iso’. Once the user opens the ISO–which opens like any other folder on the computer–they then must\r\ndouble-click the malware executable file inside to run it. \r\nThe C\u0026C hostnames and IPs used by TA2719 appear to be relatively stable, changing roughly once per\r\nmonth. This actor sometimes uses free dynamic DNS (DDNS) providers for their C\u0026C. \r\nConclusion \r\nWhile not the most advanced lures we’ve seen, the localization and inclusion of legitimate street addresses\r\nand names of real individuals related to the spoofed entities demonstrate this actor’s attention to detail. Though\r\nTA2719 does not appear to target any particular industry, they tailor their messages to various geographies and\r\nsend medium-volume campaigns several times per month. Their use of free DDNS providers, reuse of\r\ninfrastructure, and reliance on commodity malware demonstrate the ease with which threat actors can begin and\r\nmaintain an operation.  
\r\nIOCs \r\nNanoCore  \r\nAttachment SHA256: 6489bbcdd9e0588d6e4ee63e5f66346e7d690ac3b7ee5249436fb1db8abc6453 \r\nMalware SHA256:  1b93790c002d5216822277c6b8abb36dfd5daf9ebc14553135c992f64f8d949e \r\nC\u0026Cs: 172.111.188[.]199, megaida123.ddns.net \r\nAsyncRAT \r\nAttachment SHA256: 161eaa18e31aec64433158da81eea99e518659e06ed36e2052508a7cbeb688c6 \r\nMalware SHA256:  bcc0be90110b3b960230a366f1be67904704f87645ff5fde69536432d73feace \r\nC\u0026C: 194.5.98[.]8 \r\nET + ETPRO Signatures \r\nNanoCore: \r\nETPRO MALWARE NanoCore RAT Keep-Alive Beacon - 2816718 \r\nAsyncRAT: \r\nETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT Server) - 2836595 \r\n \r\nAdditional References \r\nVendetta-new threat actor from Europe \r\nFake emails in the name of the Spanish national police \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages"
	],
	"report_names": [
		"threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages"
	],
	"threat_actors": [
		{
			"id": "40451441-a311-494f-8025-fdbad7a527d4",
			"created_at": "2024-02-06T02:00:04.114318Z",
			"updated_at": "2026-04-10T02:00:03.571851Z",
			"deleted_at": null,
			"main_name": "TA2719",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2719",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32b93358605116386f5d03bfb85d4dede4f88f8b.pdf",
		"text": "https://archive.orkl.eu/32b93358605116386f5d03bfb85d4dede4f88f8b.txt",
		"img": "https://archive.orkl.eu/32b93358605116386f5d03bfb85d4dede4f88f8b.jpg"
	}
}