{
	"id": "46b21a67-c58a-48b2-895a-ca622ee6bf65",
	"created_at": "2026-04-06T00:12:16.549835Z",
	"updated_at": "2026-04-10T03:37:26.692306Z",
	"deleted_at": null,
	"sha1_hash": "58051aab28e9126e554f2c9bd5758ea17deba9c4",
	"title": "Security Brief: TA544 Targets Italian Organizations with Ursnif Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238458,
	"plain_text": "Security Brief: TA544 Targets Italian Organizations with Ursnif Malware | Proofpoint US\r\nBy Selena Larson and Proofpoint Staff, September 29, 2021\r\nPublished: 2021-09-28 · Archived: 2026-04-05 16:01:44 UTC\r\nProofpoint threat researchers identified an increase in targeted threats impacting Italian organizations in 2021. This spike in observed threats is largely driven by a group called TA544 leveraging the Ursnif banking trojan. Proofpoint has observed nearly 20 notable campaigns distributing hundreds of thousands of messages targeting organizations in Italy so far this year, which equals 80% of the total number of similar campaigns in the entirety of 2020. As many as 2,000 organizations were targeted in each of the Italian-language campaigns.\r\nTA544 is a cybercriminal threat actor that distributes banking malware and other payloads in various geographic regions including Italy and Japan. Proofpoint has tracked this actor since 2017. Typically, this group varies its payloads, which appear to be targeted by region – for example, in 2021, all TA544 Ursnif campaigns have specifically targeted Italian organizations while Dridex payloads associated with this threat actor do not have specific geographic targeting.\r\nUrsnif is a trojan that can be used to steal data from websites, with the help of web injections, proxies and VNC connections; steal data such as stored passwords; and download updates, modules, or other malware. Although this malware is used by multiple cybercriminal threat actors, TA544’s activity targeting Italy differentiates it from other actors. Between January and August 2021, the number of observed Ursnif campaigns impacting Italian organizations surpassed the total number of observed Ursnif campaigns targeting this region in all of 2020.\r\nCampaign Details\r\nIn recently observed campaigns, TA544 purports to be Italian courier or energy organizations soliciting payments from the targeted individual.\r\nhttps://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware\r\nPage 1 of 4\r\nFigure 1: Phishing email masquerading as logistics/courier service BRT.\r\nAttached to the emails are malicious Microsoft Office documents containing macros. If the macros are enabled, the document will download Ursnif malware.\r\nFigure 2: Malicious Excel document distributing Ursnif.\r\nIn the observed campaigns, TA544 often uses geofencing techniques to detect whether recipients are in targeted geographic regions before infecting them with the malware. For example, in recent campaigns, the document macro generates and executes an Excel 4 macro written in Italian, and the malware conducts location checks on the server side via IP address. If the user was not in the target area, the malware command and control would redirect to an adult website. So far in 2021, Proofpoint has observed nearly half a million messages associated with this threat targeting Italian organizations.\r\nAccording to Proofpoint data, Ursnif is currently the most frequently observed malware targeting Italian organizations based on campaign data. Earlier this year, Proofpoint researchers observed multiple Emotet campaigns targeting the region as well – however, following the disruption of the Emotet botnet in January 2021, all Emotet activity has disappeared and this malware is no longer an ongoing threat. Credential phishing is also a frequently observed threat targeting Italian organizations, and threat actors have attempted to steal credentials relating to logistics or banking services, for example.\r\nWeb Injects\r\nRecent TA544 Ursnif campaigns included activity that targeted multiple sites with web injects and redirections once the Ursnif payload was installed on the target machine. Web injects refer to malicious code injected into a user’s web browser that attempts to steal data from certain targeted websites. The list included dozens of targeted sites. For example, the list of impacted sites includes login portals related to:\r\nUniCredit Group\r\nAgenziabpb\r\nING\r\nBNL\r\nEbay\r\nAmazon\r\nPaypal\r\nBanca Sella\r\nCheBanca!\r\nIBK\r\nThe identified web injects are designed to steal credentials from a wide variety of sites and services likely to be used by Italian users. Although Ursnif has previously leveraged web inject capability to infect targeted users, this indicates TA544 is not interested exclusively in obtaining banking credentials, but also usernames and passwords affiliated with websites associated with major retailers.\r\nConclusion\r\nToday’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure. That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege, and tailored controls that account for individual user risk.\r\nHere’s what we recommend as a starting point.\r\nTrain users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques. Look for solutions that tie into real-world attack trends and the latest threat intelligence.\r\nThreat actors frequently distribute documents that require macros to be enabled to deploy the malicious payload. Ensure macros are disabled for all employees and include macro-laden attack simulations in security training demonstrations.\r\nAt the same time, assume that users will eventually click some threats. Attackers will always find new ways to exploit human nature. Find a solution that spots and blocks inbound email threats targeting employees before they reach the inbox. Invest in a solution that can manage the entire spectrum of email threats, not just malware-based threats. Some threats—including business email compromise (BEC) and other forms of email fraud—can be hard to detect with conventional security tools. Your solution should analyze both external and internal email—attackers may use compromised accounts to trick users within the same organization. Web isolation can be a critical safeguard for unknown and risky URLs.\r\nSource: https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware"
	],
	"report_names": [
		"ta544-targets-italian-organizations-ursnif-malware"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider",
				"Storm-0302",
				"TA544"
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58051aab28e9126e554f2c9bd5758ea17deba9c4.pdf",
		"text": "https://archive.orkl.eu/58051aab28e9126e554f2c9bd5758ea17deba9c4.txt",
		"img": "https://archive.orkl.eu/58051aab28e9126e554f2c9bd5758ea17deba9c4.jpg"
	}
}