{
	"id": "573e24d4-6ef8-456c-823f-1fbc4b238eba",
	"created_at": "2026-04-06T00:16:34.050514Z",
	"updated_at": "2026-04-10T03:37:26.681526Z",
	"deleted_at": null,
	"sha1_hash": "35546374d21fa7ceabada074c60afb6369450ce0",
	"title": "Holiday lull? Not so much | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112939,
	"plain_text": "Holiday lull? Not so much | Proofpoint US\r\nBy Proofpoint Staff, January 12, 2018\r\nPublished: 2018-01-12 · Archived: 2026-04-05 16:08:46 UTC\r\nOverview\r\nFor at least the last two years, Proofpoint researchers have observed a seasonal lull in activity around the Thanksgiving holiday and during the weeks between Christmas and Russian Orthodox Christmas (January 7). Activity during the Thanksgiving 2017 holiday, however, was higher than in previous years, with multiple campaigns targeting a variety of regions. Examining year-over-year differences in malicious message volumes for the period of December 15 through January 12 revealed that, while activity dropped during this period, it remained significantly higher than what we observed the previous year and returned to near pre-holiday levels more quickly after January 7 than in 2017.\r\nAnalysis\r\nFigure 1 shows a year-over-year comparison of message volume for the period of December 15 through January 12. The week leading up to Christmas 2016 had significantly higher volumes than during the same week in 2017, primarily due to Locky ransomware campaigns distributed by TA505. Just before, we observed a slight jump in traffic around Christmas 2017 relative to both previous weeks in 2017 and the same week in 2017. Unlike in 2016, some actors seemingly worked through that week, during which we generally expect very limited activity.\r\nFigure 1: 2016 vs 2017 volumes for malicious messages during the holidays\r\nhttps://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much\r\nBecause the activities of threat actor TA505 tend to obscure the campaigns of other threat actors, breaking down activity during this period by actor gives a better sense of the nature and diversity of malware involved in these campaigns over the holidays. The following actors were actively conducting campaigns after December 22, 2017, but were inactive the year before between December 22, 2016, and January 2, 2017:\r\nTA542 – We began tracking the actors behind Emotet in April of 2017 and, as a result, did not track them during the 2016 holiday season. TA542 campaigns have appeared consistently since they emerged in April and, during the Christmas week, we observed Emotet distributed via URLs that led to malicious Microsoft Word documents with embedded macros used to download the malware. On at least one occasion during the Christmas week, Emotet also downloaded Zeus Panda. This instance of Zeus Panda primarily targeted online retail sites during the holiday season.\r\nTA505 – The actors behind the massive Locky and Dridex campaigns of the last two years also passed up the full two-week Christmas break this year, relying heavily on malicious VBScript and JavaScript files in 7-Zip archives to deliver primarily GlobeImposter ransomware, with two separate large campaigns on December 27 and 28. In early 2017, TA505 took a nearly three-month hiatus before resuming campaigns; this year, their campaigns resumed on January 11 after less than a two-week break around the Russian Orthodox Christmas. It is worth noting that TA505 activity is highly dependent on the Necurs botnet, so some of their quiet periods may relate to botnet disruptions or maintenance. However, we observed increases in activity from multiple actors this season, suggesting that this is not an artifact exclusively related to TA505 distribution.\r\nTA544 – We observed a campaign targeting Japanese users dropping URLZone from malicious Microsoft Excel documents, which eventually led to a final Ursnif payload. This was the first time in several months that we had seen this particular infection chain.\r\nTA543 – We identified another Ursnif campaign, this time targeting Australian users, via malicious Microsoft Word documents during the Christmas season. The campaign utilized a familiar theme, namely a billing notification lure using stolen branding for a widely recognized New Zealand-based accounting software company.\r\nConclusion\r\nFor years, threat actors typically avoided sending large, broad-based campaigns on major American and UK holidays and weekends. However, that tendency appears to be changing, perhaps because of widening geographical targets, attempts to have malspam waiting in crowded inboxes when users return from holidays, or attempts to deliver malware when defenders within organizations are more likely to be out of the office. Moreover, the heightened threat actor activity of the 2017-2018 holiday period reflects the broader trend of 2017 as a whole, a year that saw fewer sustained disruptions in campaign activity by major threat actors. Whatever the reason for the change, it appears that some seasonal trends may be shifting such that defenders and end users should be prepared at all times to deal with both high-volume and targeted campaigns across geographies. Of particular note are campaigns from TA505: because this actor frequently drives a large percentage of global malicious spam, their much more rapid return to activity following the Russian Orthodox Christmas compared to 2016-2017, as well as higher levels of activity around the western Christmas holiday at the end of 2017, stands out as a potential indicator of a change in tactics.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much"
	],
	"report_names": [
		"holiday-lull-not-so-much"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35546374d21fa7ceabada074c60afb6369450ce0.pdf",
		"text": "https://archive.orkl.eu/35546374d21fa7ceabada074c60afb6369450ce0.txt",
		"img": "https://archive.orkl.eu/35546374d21fa7ceabada074c60afb6369450ce0.jpg"
	}
}