{
	"id": "0921afd2-d595-4e0c-90aa-1ddcc6d094b2",
	"created_at": "2026-04-06T00:17:15.03878Z",
	"updated_at": "2026-04-10T03:37:26.642049Z",
	"deleted_at": null,
	"sha1_hash": "5be6fa644617618d3181738d727fb7e8f5d8b9d8",
	"title": "TA544's Threat Actor Profile | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2942283,
	"plain_text": "TA544's Threat Actor Profile | Proofpoint US\r\nBy July 11, 2019 Proofpoint Threat Insight Team\r\nPublished: 2019-07-04 · Archived: 2026-04-05 14:06:26 UTC\r\nOverview\r\nProofpoint researchers began tracking an actor (referred to as TA544) in February of 2017 when reports first\r\nemerged about malicious email campaigns targeting Italian customers using the Panda Banker malware.\r\nTo date, this highly financially-motivated actor has delivered more than six unique malware payloads (in several\r\nvariations of each) in high-volume campaigns (hundreds of thousands of messages per day) to victims across\r\nwestern Europe and Japan, where it now focuses on the distribution of the Ursnif banking Trojan and URLZone\r\nbanker.\r\nFigure 1: Relative TA544 message volume between February 2017 and June 2019\r\nUrsnif: The preferred malware payload of TA544\r\nUrsnif is a common banking Trojan that can:\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware\r\nPage 1 of 11\n\nSteal stored data including passwords from banking websites via web injections, proxies and VNC\r\nconnections\r\nUpdate itself or install modules remotely\r\nUrsnif has many variants and names such as Dreambot, ISFB, Gozi, and Papras; it is typically distributed in high\r\nvolume campaigns (hundreds of thousands or millions of messages).\r\nUrsnif 1000\r\nUrsnif 1000, the affiliate ID that is most closely associated with TA544, is typically distributed in high-volume\r\ncampaigns (hundreds of thousands of messages per day) that often target the IT, technology, and marketing/advertising\r\nindustries in Japan.\r\nMost Ursnif 1000 campaigns use a robust combination of geofencing techniques to verify that users are located in\r\nJapan.\r\n
Messages from these campaigns drop their payloads via Microsoft Excel documents with macros, that\r\nwhen enabled, download URLZone (another banking Trojan), which, in turn, downloads Ursnif 1000.\r\nUrsnif 4779\r\nUrsnif 4779 is typically distributed in moderate volume campaigns (tens of thousands of messages per day) that\r\noften target technology, manufacturing, and IT verticals in Italy. Like Ursnif 1000, this variant is also associated\r\nwith TA544.\r\nAdditionally, Ursnif 4779 shares much of its geofencing locale/language check techniques with Ursnif 1000.\r\nUrsnif 4779 is deployed via one of two primary methods: (1) Microsoft Excel attachments with malicious macros,\r\nthat, when enabled, install Ursnif along with a complex symmetric block cipher that is referred to as a “serpent\r\nkey”, or (2) steganographic images that conceal malicious PowerShell commands which install Ursnif.\r\nDelivery\r\nUrsnif delivery methods vary by circumstance, depending on the targeted vertical and geography. Ursnif shares\r\ncode with many other banking Trojans and the source code for an earlier version was distributed on online forums\r\nfor free. Often, malware authors modify or adapt Ursnif code to serve particular purposes.\r\nUrsnif can be deployed as a primary or secondary payload. It may be delivered via password-protected Zip\r\nfiles; Microsoft Office document attachments with malicious macros; or compressed JScript, JavaScript, or\r\nVisual Basic scripts. However, the most common vectors for TA544 campaigns are messages with Microsoft\r\nOffice documents that contain macros, that, when enabled, install URLZone and/or Ursnif.\r\nTrends\r\nAs of 2019, Ursnif is one of the most prevalent banking Trojans in the threat landscape. In Q4 2018, we observed\r\nUrsnif consistently reaching peak message volume.\r\nBecause of Ursnif’s variable nature, it is difficult to identify trends in delivery strategies.\r\n
Payload delivery is\r\nlargely dependent on the threat actor, geography, and targeted verticals. However, recent TA544 campaigns\r\ntypically deploy Ursnif via Microsoft Office attachments equipped with malicious macros that install the Ursnif\r\nbanking trojan. Ursnif is sometimes delivered as a standalone payload, but as in the case of TA544 with its\r\ncampaigns in Japan, it is more often deployed with other malware including URLZone.\r\nObjectives\r\nTA544 is a financially motivated actor that uses a variety of payloads to target both European and Asian\r\ngeographies. Proofpoint researchers have been able to identify commonalities between the European and Asian\r\ncampaigns, despite the differences in targeting and geographic location.\r\nOne notable characteristic of TA544 is their use of steganography, which is the process of concealing code within\r\nimages. TA544 has implemented this strategy in recent Japanese and Italian campaigns, embedding\r\nsteganographic images of pop culture references into attached Microsoft Office Documents. When the user\r\nenables the document macro, the obfuscated code downloads and installs malware, usually URLZone and/or\r\nUrsnif as noted above.\r\nTargeting\r\nTA544 has historically targeted Italy (ongoing), Japan (ongoing), Germany (defunct), Poland (defunct), and Spain\r\n(defunct). In addition to malware specifically chosen for each country, each region is targeted with appropriate\r\nlanguage translations in email bodies, subjects, filenames, and geographically relevant branding.\r\n
Known targeted\r\ncountries are listed in Table 1 below:\r\nCountry | Language | Malware | Volume | Verticals | Notes\r\nItaly (Active) | Italian | Panda (Multiple Versions), Chthonic, Smoke Loader, Ursnif (Multiple Affids) | Medium Volume | Manufacturing and Retail | Proofpoint researchers began tracking of TA544 with campaigns targeting Italy in February of 2017 where it was initially discovered. Italy has been regularly targeted since.\r\nPoland (Defunct) | Polish | Nymaim | Medium Volume | Manufacturing | Campaigns began regularly in March of 2017 and appear to have gone on hiatus in May of 2018.\r\nGermany (Defunct) | German | Ursnif (1001), Ursnif (1002) | Medium Volume | Technology, Manufacturing, \u0026 Hospitality | Campaigns began experimentally in February of 2017 and ended in March of 2017.\r\nSpain (Defunct) | Castilian | ZLoader | Medium Volume | Technology, Manufacturing \u0026 Hospitality | Campaigns began experimentally in August of 2017 and ended in September of 2017.\r\nJapan (Active) | Japanese | URLZone, Ursnif | High Volume | Marketing/advertising, Technology, and IT | Campaigns began experimentally in December of 2017 using Ursnif and have been regularly targeted using URLZone and Ursnif as of June of 2019.\r\nTable 1: Description of the countries with observed email campaigns.\r\nCampaign History\r\nFigure 2 illustrates a high-level overview of TA544 campaign history in the five most impacted geographies:\r\nFigure 2: TA544 campaign history\r\nProofpoint researchers began observing TA544 in\r\n
Italy at the end of 2017, primarily leveraging Panda Banker. In\r\nMarch of 2017, TA544 briefly experimented in Germany with Ursnif variants but ceased activity in the region\r\nafter only a short one-month period. Similarly, TA544 also targeted Spanish audiences with ZLoader during the\r\nsummer of 2018. During these experimental phases, TA544 conducted ongoing campaigns that targeted Polish\r\naudiences with Nymaim.\r\nBy September of 2018, TA544 began to focus its attacks on Japan, using standalone Ursnif variants and/or\r\nURLZone which leads to Ursnif 1000 specifically. URLZone to Ursnif 1000 remains the primary strategy for\r\nTA544 campaigns that target Japanese audiences. During these ongoing Japanese-focused campaigns, TA544\r\ngradually began replacing Panda payloads with Ursnif.  The most recent Ursnif variants that TA544 uses to target\r\nItalian audiences are derivatives of Ursnif 4000 (4777, 4778, 4779, 4780; collectively referred to as 4XXX).\r\nCampaigns\r\nTA544 campaigns that target Japan often distribute messages with payment-themed subject lines such as:\r\n\"Re: 請求書の送付\" (\"Send invoice\")\r\n\"Re: 請求書送付のお願い\" (\"Request for billing\")\r\n\"契約書雛形のご送付\" (\"Sending the contract form\")\r\n\"ご案内[お支払い期限:06月18日]\" (\"Information [Payment Deadline: Jun. 
18]\")\r\n\"請求書の件です。\" (\"Invoice\")\r\n\"請求書送付\" (\"Invoicing\")\r\nThese messages often contain a short, generic message about upcoming payment deadlines, and typically contain\r\nMicrosoft Excel Documents with macros, that when enabled, download and install URLZone and/or Ursnif 1000.\r\nThese Excel document file names are usually a random collection of numbers:\r\n\"12345_0001.xls\" (random digits)\r\n\"1234_56_007.XLS\" (random digits)\r\n\"0001_123_4567.XLS\" (random digits)\r\nFigure 3: An email with Microsoft Excel attachment that contains macros, that when enabled, download and\r\ninstall URLZone which leads to Ursnif 1000 (Japan, April 2019)\r\nSome of these messages may also contain attached steganographic images of notable Japanese pop culture\r\nreferences. These images contain scripts that can fetch and install malware (usually URLZone or Ursnif 1000)\r\nfrom malicious websites controlled by TA544.\r\nFigure 4: Steganographic image that contains scripts that fetch Ursnif 1000 payloads from malicious websites\r\ncontrolled by TA544 (Japan, April 2019)\r\nFigure 5: Steganographic image that contains scripts that fetch Ursnif 1000 payloads from malicious websites\r\ncontrolled by TA544 (Japan, May 2019)\r\nTA544 uses many of the same strategies to target Italian audiences.\r\n
These campaigns utilize simple social\r\nengineering mechanisms including payment themed subject lines.\r\nSome examples of subject lines include:\r\n\"documenti sig.\"\r\n\"Fattura per bonifico\"\r\n\"Fatturazione 123456\" (random digits)\r\n\"fatture scadute\"\r\nThese messages often contain a short, generic message about upcoming payment deadlines, scanned invoices, or\r\nupcoming bill payments, and typically contain Microsoft Excel Documents with macros, that when enabled,\r\ndownload and install Ursnif 4XXX. These Excel document file names are usually a random collection of numbers\r\npaired with upcoming dates:\r\n\"(9)__2019__03_8765432F.XLS\" (random digit, month, random digits)\r\n\"20190321 D O C 98765_43.xls\" (today's date, random digits)\r\n\"FtDiff0000 000000D_M_S_987654.XLS\" (random digits)\r\nFigure 6: An email with Microsoft Excel attachment that contains macros, that when enabled, download and\r\ninstall Ursnif 4XXX (Italy, May 2019)\r\nFigure 7: Microsoft Excel attachment that contains macros, that when enabled, download and install Ursnif 4XXX\r\n(Italy, June 2019)\r\nSome of these messages may also contain attached or linked steganographic images of notable Italian pop culture\r\nreferences.\r\n
These images contain scripts that can fetch and install an Ursnif payload from malicious websites\r\ncontrolled by TA544.\r\nFigure 8: Steganographic image that contains scripts that fetch Ursnif 4XXX payloads from malicious websites\r\ncontrolled by TA544 (Italy, June 2019)\r\nConclusion\r\nSince early 2017, TA544 has emerged as one of the most prolific and geographically focused threat actors in the\r\nthreat landscape, distributing tens of millions of malicious messages across eight countries within the last two\r\nyears. To date, TA544 has delivered more than six unique malware payloads (in several variations of each) in\r\nhigh-volume campaigns (hundreds of thousands of messages per day) to victims across western Europe and Japan.\r\nOriginally specializing in the Panda banking malware in Italy, it has since branched out to Poland, Germany,\r\nSpain, and Japan, using a variety of other malware including Chthonic, Smoke Loader, Nymaim, ZLoader, and\r\nfinally URLZone in combination with Ursnif, both banking Trojans. TA544 currently targets\r\nmarketing/advertising, technology, and IT verticals in Japan, and manufacturing and retail verticals in Italy.\r\nGiven their recent behavior, we can expect TA544 to remain a prominent threat in Japanese and Italian\r\ngeographies. There is no indication of TA544 abandoning their primary payload delivery mechanism (malicious\r\nMicrosoft Office VBA macros), although we have seen an increase in the use of steganographic images.\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware"
	],
	"report_names": [
		"threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5be6fa644617618d3181738d727fb7e8f5d8b9d8.pdf",
		"text": "https://archive.orkl.eu/5be6fa644617618d3181738d727fb7e8f5d8b9d8.txt",
		"img": "https://archive.orkl.eu/5be6fa644617618d3181738d727fb7e8f5d8b9d8.jpg"
	}
}