{
	"id": "1c3bbd24-ddf4-4d8d-a1e8-6a47aff19149",
	"created_at": "2026-04-06T00:17:16.860967Z",
	"updated_at": "2026-04-10T03:37:23.874134Z",
	"deleted_at": null,
	"sha1_hash": "4063513e26a7a5034dabaae4cfe93e9c3e4f24f7",
	"title": "TA551: Email Attack Campaign Switches from Valak to IcedID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3662544,
	"plain_text": "TA551: Email Attack Campaign Switches from Valak to IcedID\r\nBy Brad Duncan\r\nPublished: 2021-01-07 · Archived: 2026-04-05 13:33:18 UTC\r\nExecutive Summary\r\nTA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking\r\nvictims. The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically\r\npushed different families of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has\r\nexclusively pushed IcedID malware, another information stealer.\r\nThis blog provides an overview of TA551, as well as previous activity from this campaign. We also examine changes from\r\nthis campaign since our previous blog about TA551 pushing Valak in July 2020.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from this threat with the Threat Prevention security\r\nsubscription, which detects the malware. AutoFocus customers can track this activity using the TA551 and IcedID tags.\r\nTA551 Switches to IcedID\r\nWe have a GitHub repository where we track recent TA551 activity. The repository contains information on each wave of\r\nattack from TA551 since July 6, 2020. Starting on July 14, 2020, we have only seen IcedID malware from these waves of\r\nattack.\r\nSince July 14, 2020, these waves of malspam consistently targeted English-speaking victims until Oct. 27, 2020, when we\r\nstarted seeing Japanese templates for the Word documents. TA551 consistently targeted Japanese-speaking victims from Oct.\r\n27-Nov. 20, 2020. After approximately three weeks of Japanese-focused attacks, TA551 switched back to English-speaking\r\nvictims starting on Nov. 
24, 2020.\r\nRegardless of the targeted group, TA551 continues to push IcedID as its malware payload.\r\nHistory of TA551\r\nWe have traced TA551 as far back as February 2019, and since that time, we have noted the following characteristics:\r\nTA551 has distributed different families of malware, including Ursnif (Gozi/ISFB), Valak and IcedID.\r\nTA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. It\r\nsends copies of these email chains to recipients of the original email chain.\r\nThe spoofed email includes a short message as the most recent item in the chain. This is a generic statement asking\r\nthe recipient to open an attached ZIP archive using the supplied password.\r\nFile names for the ZIP archives use the name of the company being spoofed in the email. For example, if the spoofed\r\nsender is someone@companyname.com, the ZIP attachment would be named companyname.zip.\r\nIn 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names.\r\nThese password-protected ZIP attachments contain a Word document with macros to install malware.\r\nFile names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has\r\nprogressed.\r\nURLs generated by the associated Word macros also follow noticeable patterns that have evolved as this\r\ncampaign has progressed.\r\nTA551 in 2019\r\nFigure 8 shows the earliest email we can confirm from this campaign, dated Feb. 4, 2019. It targeted an English-speaking\r\nrecipient and pushed Ursnif malware.\r\nhttps://unit42.paloaltonetworks.com/ta551-shathak-icedid/\r\nPage 1 of 9\n\nFigure 8. 
Example of TA551 malspam from February 2019.\r\nThe following files are associated with the above example:\r\nSHA256 hash: 3dab8a906b30e1371b9aab1895cd5aef75294b747b7291d5c308bb19fbc5db10\r\nFile size: 157,696 bytes\r\nFile name: Request11.doc\r\nFile description: Word doc with macro for Ursnif (Gozi/ISFB)\r\nSHA256 hash: 3afc28d4613e359b2f996b91eeb0bbe1a57c7f42d2d4b18e4bb6aa963f58e3ff\r\nFile size: 284,160 bytes\r\nFile location: hxxp://gou20lclair[.]band/xap_102b-AZ1/704e.php?l=zyteb12.gas\r\nFile description: Example of Windows EXE retrieved by Word macro – an installer for Ursnif\r\nFigure 9 shows an email from this campaign dated April 2, 2019. It targeted an Italian-speaking recipient and pushed Ursnif\r\nmalware.\r\nFigure 9. Example of TA551 malspam from April 2019.\r\nThe following files are associated with the above example:\r\nSHA256 hash: 582213137bebc93192b0429f6687c859f007ef03e6a4c620eada8d98ca5d76ba\r\nFile size: 91,136 bytes\r\nFile name: doc_02.04.doc\r\nFile description: Word doc with macro for Ursnif\r\nSHA256 hash: 8c72d5e5cb81f7a7c2b4881aff3be62cdc09caa52f93f9403166af74891c256e\r\nFile size: 606,208 bytes\r\nFile location: hxxp://seauj35ywsg[.]com/2poef1/j.php?l=zepax4.fgs\r\nFile description: Example of Windows EXE to install Ursnif retrieved by a macro associated with this wave of Word\r\ndocuments\r\nFigure 10 shows an email from this campaign dated Oct. 30, 2019. It targeted a German-speaking recipient and pushed\r\nUrsnif malware.\r\nFigure 10. 
Example of TA551 malspam from October 2019.\r\nThe following files are associated with the above example:\r\nSHA256 hash: 10ed909ab789f2a83e4c6590da64a6bdeb245ec9189d038a8887df0dae46df2a\r\nFile size: 269,312 bytes\r\nFile name: info_10_30.doc\r\nFile description: Word doc with macro for Ursnif\r\nSHA256 hash: 9e5008090eaf25c0fe58e220e7a1276e5501279da4bb782f92c90f465f4838cc\r\nFile size: 300,032 bytes\r\nFile location: hxxp://onialisati[.]com/deamie/ovidel.php?l=brelry2.cab\r\nFile description: Example of Windows EXE retrieved by Word macro – an installer for Ursnif\r\nNote how the URL from the above example ends in .cab. This pattern was fairly consistent for URLs generated by macros\r\nfrom TA551 Word docs until late October 2020.\r\nFigure 11 shows an email from this campaign dated Dec. 17, 2019. It targeted a Japanese-speaking recipient and pushed\r\nUrsnif malware.\r\nFigure 11. Example of TA551 malspam from December 2019.\r\nThe following files are associated with the above example:\r\nSHA256 hash: 3b28f3b1b589c9a92940999000aa4a01048f2370d03c4da0045aabf61f9e4bb6\r\nFile size: 101,528 bytes\r\nFile name: info_12_18.doc\r\nFile description: Word doc with macro for Ursnif\r\nSHA256 hash: 3a22d206858773b45b56fc53bed5ee4bb8982bb1147aad9c2a7c57ef6c099512\r\nFile size: 1,650,176 bytes\r\nFile location: hxxp://vestcheasy[.]com/koorsh/soogar.php?l=weecum5.cab\r\nFile description: Example of Windows EXE retrieved by Word macro – an installer for Ursnif\r\nNote that Ursnif-infected hosts occasionally retrieve follow-up malware. For example, on Dec. 19, 2019, a Windows host\r\ninfected with Ursnif by way of TA551 was also infected with IcedID and Valak as follow-up malware.\r\nTA551 in 2020\r\nFigure 12 shows an email from TA551 dated March 26, 2020. 
It targeted a German-speaking recipient and pushed ZLoader\r\n(Silent Night) malware.\r\nFigure 12. Example of TA551 malspam from March 2020.\r\nThe following files are associated with the above example:\r\nSHA256 hash: 62ecc8950e8be104e250304fdc32748fcadaeaa677f7c066be1baa17f940eda8\r\nFile size: 127,757 bytes\r\nFile name: information_03.26.doc\r\nFile description: Word doc with macro for ZLoader (Silent Night)\r\nSHA256 hash: 9b281a8220a6098fefe1abd6de4fc126fddfa4f08ed1b90d15c9e0514d77e166\r\nFile size: 486,400 bytes\r\nFile location: hxxp://x0fopmxsq5y2oqud[.]com/kundru/targen.php?l=swep7.cab\r\nFile description: Windows DLL for ZLoader retrieved by Word macro\r\nFigure 13 shows an email from this campaign dated April 28, 2020. It targeted an English-speaking recipient and pushed\r\nValak malware.\r\nFigure 13. Example of TA551 malspam from April 2020.\r\nThe following files are associated with the above example:\r\nSHA256 hash: bd58160966981dd4b04af8530e3320edbddfc2b83a82b47a76f347d0fb4ca93a\r\nFile size: 61,233 bytes\r\nFile name: docs,04.20.doc\r\nFile description: Word doc with macro for Valak\r\nSHA256 hash: 9ce4835ef1842b7407b3c8777a6495ceb1b69dac0c13f7059c2fec1b2c209cb1\r\nFile size: 418,816 bytes\r\nFile location: hxxp://qut6oga5219bf00e[.]com/we20lo85/aio0i32p.php?l=nok4.cab\r\nFile description: Example of Windows DLL retrieved by Word macro -- an installer for Valak\r\nAt this point, the document names had changed format. This is when we started seeing several different names for the\r\nextracted Word documents from each day of attack.\r\nFigure 14 shows an email from this campaign dated May 22, 2020. It targeted an English-speaking recipient and pushed\r\nValak malware.\r\nFigure 14. 
Example of TA551 malspam from May 2020.\r\nThe following files are associated with the above example:\r\nSHA256 hash: 3562023ab563fc12d17981a1328f22a3d3e4c358535b9a0c28173a6e4ad869ba\r\nFile size: 74,338 bytes\r\nFile name: file_05.20.doc\r\nFile description: Word doc with macro for Valak\r\nSHA256 hash: 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a\r\nFile size: 184,832 bytes\r\nFile location: hxxp://s6oo5atdgmtceep8on[.]com/urvave/cennc.php?l=haao1.cab\r\nFile description: Example of Windows DLL retrieved by Word macro -- an installer for Valak\r\nBy this time, the password format for ZIP attachments changed to three digits followed by two letters, and the template style\r\nhad also been updated.\r\nWe continued to see Valak pushed by TA551 through early July 2020. Of note, Valak is a malware downloader, and we\r\nfrequently saw IcedID as follow-up malware from these infections.\r\nHowever, by mid-July 2020, TA551 started pushing IcedID directly from the Word document macros.\r\nRecent Developments\r\nIn recent weeks, TA551 has changed traffic patterns. For several months prior to Oct. 19, 2020, URLs generated by Word\r\nmacros to retrieve installer binaries followed a noticeable pattern. This pattern includes:\r\n.php?l= in the URL path\r\nURLs end with .cab\r\nSince Oct. 20, 2020, these patterns have changed dramatically. 
Table 1 shows the changes starting in October.\r\nDate URL example\r\n2020-\r\n10-14\r\nGET /docat/hyra.php?l=dybe18.cab\r\n2020-\r\n10-16\r\nGET /muty/sohaq.php?l=tali18.cab\r\n2020-\r\n10-19\r\nGET /biwe_zibofyra/ripy_lani.php?l=qedux18.cab\r\n2020-\r\n10-20\r\nGET /_bxlzcpjlmpxlkzblf_zhlsplspz/wtlmwrqnnxfwgzzlkvzdbvnp_mphdqpggxfljvffj_.php?\r\nl=chfon4.ppt\u0026lhe=hcqjvtfezhsogtrdxdfs\r\n2020-\r\n10-27\r\nGET /update/qqOQccpolFmwCmTnTmURcfZPByI_lqzPNvPfTfvLQjqdJtpOYeWT/WRFlVYjJTKqWAf_KhCjsSselY/tbqxj\r\n2020-\r\n10-28\r\nGET /update/djMqKxc_BZCF_BJlRmjKmdcihghiSj/wJuzcnBhc/MD/qE_ZWFKbwfWZMCCWgfHU_DNxAcBRlHncRHr/c\r\n2020-\r\n10-29\r\nGET /update/XTZrbyvClXzcfZcJGZSmDWBthSBXjRKw/chti6\r\n2020-\r\n11-03\r\nGET /update/VvZWoYOIotoWV_KUywQtEUVUPjvNYMYYnLnvWWOLA/fZcXYRwGyzMRZcvzHZrDe/gzlov4\r\n2020-\r\n11-04\r\nGET /update/JvYqBVMJCxSDX/nNBk/XhEfjPMvaV_dDFlXqGZNCDTLhTXlPWxEsGjTdzfQBUZCvkBqWOgjo/xrei12\r\n2020-\r\n11-05\r\nGET\r\n/update/jcja/yCGHnwRmyMVTeCqljgln/JTHBIgVESrNVdrgJMGGNdiqqGxCNACjXDBjkMJKFPKvJNYXFVbcxYvbS/iuy\r\n2020-\r\n11-19\r\nGET /share/ZSzE0sjR23GkF3VwZi_nqFH2B5lqPUVKxwNC/ahtap3\r\n2020-\r\n11-24\r\nGET /share/kvNqzh1tF4Y8zyxtL/HQpK6K42Wr8SP9PLJSqxc5h/ROwPcKsG/dbULREqlb1Kj0_RRT/Dfnj/lxnt10\r\nTable 1. URL patterns generated by macros from Word docs distributed by TA551.\r\nBy Oct. 27, 2020, URLs generated by TA551 macros include English terms like update or share at the beginning of the\r\nHTTP GET request. These URLs end with a series of four to six lowercase English letters followed by a number as low as 1\r\nto as high as 18. 
These URLs are not consistent in length, and they can be very short or very long.\r\nSince November 2020, we have also noticed minor changes in artifacts generated during IcedID infections, including those\r\noutside of the TA551 campaign.\r\nFor example, through early November 2020, IcedID DLLs created by installer DLLs were initially saved to the victim’s\r\nAppData\\Local\\Temp directory, and the file name started with a tilde (~) and ended with .dll as illustrated earlier in Figure 6.\r\nIn November 2020, we started to see a change: the initial IcedID DLLs saved to the victim’s AppData\\Local directory with a\r\nfile name ending in .dat as shown in Figure 15.\r\nFigure 15. Artifacts seen from a TA551 IcedID infection on Nov. 24, 2020.\r\nThese changes may be an effort by malware developers to evade detection. At the very least, they might confuse someone\r\nconducting forensic analysis on an infected host.\r\nSuch changes are commonly seen in malware families as they evolve over time. We can expect to see more changes with\r\nIcedID malware and the TA551 campaign during the coming months.\r\nFinally, the run method for installer DLLs retrieved by TA551 Word macros changed during November 2020:\r\nOld method: regsvr32.exe [installer DLL filename]\r\nNew method: rundll32.exe [installer DLL filename],ShowDialogA -r\r\nHowever, up-to-date information is necessary to ensure proper detection for a constantly-evolving campaign like TA551.\r\nConclusion\r\nTA551 has evolved since we last reviewed this threat actor deploying Valak malware in July 2020. We frequently saw\r\nIcedID as follow-up malware in previous months from Valak and Ursnif infections installed by TA551. 
This threat actor\r\nappears to have eliminated malware downloaders like Valak and Ursnif and is now deploying IcedID directly.\r\nAlthough TA551 has settled on IcedID as its malware payload, we continue to see changes in traffic patterns and infection\r\nartifacts as this campaign evolves.\r\nOrganizations with adequate spam filtering, proper system administration and up-to-date Windows hosts have a much lower\r\nrisk of infection. Palo Alto Networks Next-Generation Firewall customers are further protected from this threat with the\r\nThreat Prevention security subscription, which detects the malware. AutoFocus customers can track this activity using\r\nthe TA551 and IcedID tags.\r\nIndicators of Compromise\r\nThis GitHub repository currently has more than 50 text files containing various indicators associated with TA551 from mid-July 2020-November 2020. Each text file represents a specific day the campaign was active, and it contains SHA256 hashes,\r\ndocument names, associated URLs and other related data, some of which we’ve also shared through our Twitter handle\r\n@Unit42_Intel.\r\nSource: https://unit42.paloaltonetworks.com/ta551-shathak-icedid/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ta551-shathak-icedid/"
	],
	"report_names": [
		"ta551-shathak-icedid"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4063513e26a7a5034dabaae4cfe93e9c3e4f24f7.pdf",
		"text": "https://archive.orkl.eu/4063513e26a7a5034dabaae4cfe93e9c3e4f24f7.txt",
		"img": "https://archive.orkl.eu/4063513e26a7a5034dabaae4cfe93e9c3e4f24f7.jpg"
	}
}