{ "id": "9fc99b1f-6d34-4bd2-97c4-48e5002ad158", "created_at": "2026-04-06T00:17:21.05704Z", "updated_at": "2026-04-10T03:34:22.683769Z", "deleted_at": null, "sha1_hash": "5e5faec00f51ee063b925d21d820804bec696dcd", "title": "TA450 Uses Scam Emails with PDF Attachments to Phish | Proofpoint US", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 257747, "plain_text": "TA450 Uses Scam Emails with PDF Attachments to Phish |\r\nProofpoint US\r\nBy March 21, 2024 Joshua Miller and the Proofpoint Threat Research Team\r\nPublished: 2024-03-21 · Archived: 2026-04-05 22:41:12 UTC\r\nShare with your network!\r\nWhat happened \r\nProofpoint researchers recently observed new activity by the Iran-aligned threat actor TA450 (also known as\r\nMuddyWater, Mango Sandstorm, and Static Kitten), in which the group used a pay-related social engineering lure\r\nto target Israeli employees at large multinational organizations. TA450 is known for targeting Israeli entities\r\nparticularly since at least October 2023 with the start of the Israel-Hamas war and this continues that trend with a\r\nfocus on global manufacturing, technology, and information security companies. \r\nIn the phishing campaign, which started 7 March and continued through the week of 11 March 2024, TA450 sent\r\nemails with PDF attachments that contained malicious links. While this method is not foreign to TA450, the threat\r\nactor has more recently relied on including malicious links directly in email message bodies instead of adding in\r\nthis extra step. Proofpoint researchers observed the same targets receive multiple phishing emails with PDF\r\nattachments that had slightly different embedded links. The links were to a variety of file-sharing sites, including\r\nEgnyte, Onehub, Sync and TeraBox. The emails also used a likely compromised .IL sender account, which is\r\nconsistent with this threat actor’s recent activity.  \r\nAs seen in Figures 1 and 2, if a target opened the attachment and clicked on the included link, it would lead to the\r\ndownload of a ZIP archive containing a compressed MSI that ultimately would install AteraAgent, remote\r\nadministration software that is known to be abused by TA450. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign\r\nPage 1 of 4\n\nFigure 1. Opened PDF attachment with malicious link (Machine translation: Document title: Pay Slip; Body of\r\nPDF: Hello, From now on receive your pay slip through the following software). \r\nFigure 2. ZIP archive via Onehub that leads to the download of remote administration software. \r\nAttribution \r\nProofpoint researchers attribute this campaign to TA450 based on known TA450 tactics, techniques, and\r\nprocedures, campaign targeting, and malware analysis. In January 2022, the United States Cyber\r\nCommand attributed this group to Iran's Ministry of Intelligence and Security. \r\nWhy it matters \r\nThis activity is notable for several reasons, including that it marks a turn in TA450’s tactics. While this campaign\r\nis not the first observed instance of TA450 using attachments with malicious links as part of the threat actor’s\r\nattack chain, it is the first time Proofpoint researchers have observed TA450 attempt to deliver a malicious URL in\r\na PDF attachment rather than directly linking the file in an email. Additionally, this campaign is the first time\r\nProofpoint has observed TA450 using a sender email account that matches the lure content. For example, this\r\ncampaign used an email account of salary[@]\u003ccompromisedorg\u003eco[.]il, which is in alignment with the various\r\npay-themed subject lines. \r\nFinally, this activity continues TA450's trend of leveraging Hebrew language lures and compromised .IL accounts\r\nto target Israeli individuals belonging to large multinational companies, maintaining a heightened risk for\r\norganizations with this type of footprint. \r\nEmerging Threat (ET) signatures \r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign\r\nPage 2 of 4\n\nSID   Rule Name  \r\n2051743  ET OPEN DNS Query to File Sharing Domain (egnyte .com) \r\n2051745  ET OPEN 2051745 - DNS Query to File Sharing Domain (sync .com) \r\n2051749  ET OPEN DNS Query to File Sharing Domain (terabox .com) \r\n2051750  ET OPEN Observed File Sharing Domain (terabox .com in TLS SNI) \r\n2051746  ET OPEN Observed File Sharing Domain (egnyte .com in TLS SNI) \r\n2051748  ET OPEN Observed File Sharing Domain (sync .com in TLS SNI) \r\nIndicators of compromise (IOCs) \r\nIndicator Type\r\nsalary \u003csalary[@]\u003ccompromisedorg\u003e.co[.]il \r\nExample of compromised\r\nemail sender \r\nהשכר תלושי) Machine translation: Pay slip)  Email subject \r\n02/2024 לחודש שכר תלוש) Machine translation: Pay slip for the month\r\n02/2024) \r\nEmail subject \r\nשכר לתלוש סיסמה) Machine translation: Pay slip password)  Email subject \r\nהשכר תלוש .pdf (Machine translation: Pay slip)  Document title \r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign\r\nPage 3 of 4\n\ndee6494e69c6e7289cf3f332e2867662958fa82f819615597e88c16c967a25a9  SHA256 (PDF) \r\nhxxp://ws.onehub[.]com/files/[alphanumericidentifier]  Example malicious URL  \r\nhxxps://salary.egnyte[.]com/[alphanumericidentifier]  Example malicious URL  \r\nhxxps://ln5.sync[.]com/[alphanumericidentifier]  Example malicious URL  \r\nhxxps://terabox[.]com/s/[alphanumericidentifier]  Example malicious URL  \r\ncc4cc20b558096855c5d492f7a79b160a809355798be2b824525c98964450492  SHA256 (salary.zip) \r\ne89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f  SHA256 (salary.msi) \r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign\r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "MITRE" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" ], "report_names": [ "security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434641, "ts_updated_at": 1775792062, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5e5faec00f51ee063b925d21d820804bec696dcd.pdf", "text": "https://archive.orkl.eu/5e5faec00f51ee063b925d21d820804bec696dcd.txt", "img": "https://archive.orkl.eu/5e5faec00f51ee063b925d21d820804bec696dcd.jpg" } }