{
	"id": "fdae9b52-5369-433b-85d8-592080ecb5f5",
	"created_at": "2026-04-06T00:07:53.774799Z",
	"updated_at": "2026-04-10T13:12:19.382055Z",
	"deleted_at": null,
	"sha1_hash": "67f4c58d389fa4387b60968da0a605170f259417",
	"title": "Can’t stop, won’t stop: TA584 innovates initial access | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5057832,
	"plain_text": "Can’t stop, won’t stop: TA584 innovates initial access | Proofpoint US\r\nBy The Proofpoint Threat Research Team, January 28, 2026\r\nPublished: 2026-01-26 · Archived: 2026-04-02 10:54:23 UTC\r\nKey findings\r\nTA584 is one of the most prominent cybercriminal threat actors tracked by Proofpoint threat researchers.\r\nIn 2025, the actor demonstrated multiple attack chain changes including expanded global targeting; ClickFix social engineering; and delivering new malware, Tsundere Bot.\r\nTA584’s activity is unique in the cybercrime landscape and shows how static detections alone are not reliable for constantly innovating threat actors.\r\nOverview\r\nProofpoint tracks multiple sophisticated cybercriminal threat actors, and one of the most frequently active, with high-volume campaigns, is TA584. TA584 is a prominent initial access broker (IAB) that targets organizations globally. In the second half of 2025, TA584 demonstrated multiple attack chain changes including adopting ClickFix social engineering, expanding targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot. TA584 overlaps with a group tracked as Storm-0900.\r\nThe actor’s operational tempo increased throughout 2025, with the number of monthly campaigns tripling from March to December 2025.\r\nTA584\r\nBackground\r\nTracked by Proofpoint since November 2020, TA584 has demonstrated a variety of tactics, techniques, and procedures (TTPs). Delivery methods included macro-enabled Excel documents, URLs with aggressive filtering, use of various traffic distribution services (TDS), and geo-fenced landing pages.\r\nWhile TA584 has been tracked for several years, its earlier campaigns followed relatively predictable patterns compared to the variety of techniques observed in 2025.
One of the most notable shifts in TA584’s activity during 2025 is how quickly campaigns are launched, modified, and retired. The actor has been active for several years, but earlier activity tended to follow longer-lived patterns, with infrastructure, lures, and delivery mechanisms reused over extended periods of time. In contrast, 2025 activity is characterized by high campaign churn and short operational lifespans.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access\r\nPage 1 of 19\r\nFigure 1. Operational tempo increased throughout 2025.\r\nIn 2025, TA584 conducted campaigns in rapid succession, often overlapping in time while using distinct lure themes, branding, and landing pages. In many cases, individual campaigns remained active for only a short time (hours to days) before being replaced or significantly modified. Instead of refining a single successful attack chain, TA584 favors continuous iteration, rapidly cycling through various tactics, techniques, and procedures (TTPs), even when prior campaigns remained effective.\r\nThe consistency of this pattern throughout 2025 shows how a steady stream of brief, thematically distinct campaigns originating from the same actor provides insight into how modern financially motivated threat actors adapt to defensive pressure.\r\nData scope\r\nProofpoint’s analysis of TA584 activity is based on email as an initial access vector. Although TA584 has been monitored periodically since 2020, the findings presented here primarily focus on activity observed throughout 2025, when visibility of campaign volume, operational tempo, and variability increased significantly. The analysis follows activity from initial message delivery through malware execution.
This perspective lets us see how TA584 adapts social engineering techniques, distribution infrastructure, and payload delivery over time, while also identifying execution behaviors that remain consistent despite other changes.\r\nThe scope of this analysis is intentionally focused on the pre-compromise and early execution stages of TA584 attack chains. Areas covered include email lure construction, social engineering themes, brand impersonation, localization strategies, landing page design, delivery infrastructure, and malware execution.\r\nCampaigns were identified and clustered by correlating multiple attributes including delivery characteristics, shared or structurally similar infrastructure, recurring execution patterns, geofencing and IP filtering, landing page design, malware and malware configuration, and overlapping lure characteristics. Attribution to TA584 is based on a combination of historical tracking, continuity across campaigns, and recurring patterns observed over multiple years of activity.\r\nOverall, the methodology used in this report reflects the challenges of tracking modern, high-velocity, email-centric threat actors. TA584’s 2025 activity shows how quick campaign turnover and deliberate variability can make static indicators less effective.\r\nCampaign details\r\nSocial engineering\r\nTA584 sends emails impersonating various organizations. Impersonated entities include job-related firms (such as Michael Page, Adecco) or business services (BBB, Companies House), as well as brands like PayPal, OSHA, Medicare, OneDrive, or YourCostSolutions.\r\nThe most frequently observed vertical impersonated is healthcare, followed by government entities. Proofpoint has seen this actor impersonate hospitals, care facilities, and multiple government agencies in multiple countries.
\r\nFigure 2. TA584 impersonations.\r\nTA584 demonstrates unique social engineering content, using a very wide range of themes and techniques to get people to engage with malicious content. The emails and associated landing pages always match, with well-designed and believable lures.\r\nBrand impersonation further reinforces this approach. TA584 regularly incorporates well-known brands into email content, but brand usage is typically short-lived, with individual brands appearing briefly before being replaced in subsequent campaigns. In several cases, brand selection appears aligned with geographic targeting, with localized or regionally relevant brands used to increase credibility among specific recipients. Importantly, this variability does not appear to be random. Despite frequent changes, lures consistently maintain a sense of urgency or implied legitimacy, often encouraging recipients to view a document, review a transaction, or resolve an outstanding issue. The underlying social engineering objective remains the same, even if the surface-level details change.\r\nThis actor’s behavior is notable. Because TA584 regularly changes its lures, it reduces the effectiveness of content-based detection and increases the likelihood that at least some variants will evade filtering. For defenders, this shows how campaigns should be assessed holistically, correlating sender behavior, delivery infrastructure, and downstream execution rather than relying solely on static content indicators.\r\nSome themes observed in 2025 include debt collection and payment processing, invitations to events or programs, tax obligations, medical test results, healthcare benefits, parking tickets, recruiting emails, and business complaints.
\r\nOne campaign in December used a unique social engineering technique: including a photo of an alleged package delivery that contained the name of the recipient in the email lure.\r\nFigure 3. Purported photo of physical mail.\r\nIn the emails, TA584 included a photo of supposed physical mail that displayed the target’s name and address, customized to each recipient. This likely furthered the believability of the lure. Proofpoint rarely observes this technique; however, we have seen it used by TA2725 in recent months.\r\nAttack chain\r\nTA584 uses multiple delivery methods via email. In 2025, the actor most often sent emails from compromised individual senders. These accounts were typically paired with several display names per campaign that matched the lure, and a single wave could involve hundreds of different compromised senders across many unrelated, legitimate, and often aged domains.\r\nTA584 also occasionally sends through third-party Email Service Providers (ESPs) such as SendGrid and Amazon Simple Email Service (SES). This likely involves stolen credentials to create or take over ESP accounts and then authenticate the compromised domain for sending. In practice, that usually requires DNS access to add provider-specific DNS records.\r\nBecause the emails come from authenticated, aged senders and vary heavily in subject lines and URLs, it can be difficult to reliably track and cluster these campaigns using email characteristics alone.\r\nThe emails usually contain unique links for each target that perform geofencing and IP filtering. If these checks are passed, the recipient is redirected to a landing page aligning with the lure in the email.
Between March 2021 and July 2025, the landing page featured a countdown, the target's name (from a query in the URL), and a CAPTCHA. The timer, which was always placed in the top right corner, added to the sense of urgency a recipient would have, feeling like there was limited time to reply to seemingly important emails. Solving the CAPTCHA revealed a download button for a zipped JavaScript or shortcut (.lnk) file.\r\nIn early campaigns, TA584 also delivered macro-enabled Excel documents (tracked as EtterSilent) directly after the filtering checks that, if macros were enabled, would lead to malware installation.\r\nFigure 4. March 2021 campaign, emails containing URLs that redirect to the download of a zipped macro-enabled Excel sheet that, when enabled, downloaded Ursnif.\r\nFigure 5. Lure impersonating a recruiting firm targeting North American organizations, containing a URL leading to a landing page featuring a countdown, matching the email lure, March 2025.\r\nFrom late July 2025, the actor switched to using the ClickFix technique. The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer. First observed in 2024, the ClickFix technique is now used by many different threat actors that customize the landing pages based on lure theme and objective.\r\nCurrently, messages contain unique URLs with a link leading to a customized landing page with a \"Slide\" CAPTCHA. If the CAPTCHA is resolved, a ClickFix page will be displayed which guides users to follow instructions which, if completed, run a PowerShell command which in turn runs another remote intermediate PowerShell script containing obfuscated code that will execute the malware payload.
The initial script from the ClickFix command can only be retrieved if the same IP address has accessed the landing page. The landing page also contains a call-back function to check if the payload has been accessed and redirects the browser to a benign site, for example docusign[.]com, when this has been done.\r\nFigure 6. BBB complaint lure with URL, November 2025.\r\nFigure 7. CAPTCHA and ClickFix landing pages, November 2025.\r\nRedirect behavior and intermediate delivery techniques are a notable aspect of TA584’s landing page infrastructure. All campaigns use redirect chains or intermediary resources to obscure the final payload location, adding additional layers between the initial email and malware delivery. The individual URLs are not consistently reused, and the actor changes URLs and redirects with each campaign, often using third-party criminal services in the redirect chain. The actor often uses a set of compromised domains per campaign, with a path in the URL identifying the campaign (such as domain.tld/bbb/[unique query]) either directly in the email, or in the redirect chain if a third-party service has been used in the campaign. However, from late 2025, the actor preferred to instead use Amazon AWS S3 URLs, either directly in the email or in the redirect chain, also most often paired with a unique query per target. In 2025, Proofpoint also observed Blogspot URLs and various other URLs used in the email lure. While in previous years the actor commonly used Cookie Reloaded (Prometheus TDS) URLs for filtering payloads, we observed TA584 occasionally switch to Keitaro TDS, but the actor most frequently used 404 TDS as the primary filter in 2025. This variability reinforces the actor’s preference for adaptable infrastructure, making detection more challenging.
\r\n404 TDS is a traffic distribution system (TDS) used by cybercriminal actors since at least 2021 and has been observed used by multiple ecrime actors, particularly those that demonstrate more sophisticated capabilities. 404 TDS was named for the mechanism it used in initial campaigns to redirect users to the payload sites. Specifically, the TDS would respond with a \"404 Not Found\" code and then use a meta refresh method to automatically refresh the current web page to direct the user to the URL contained in the meta refresh element, which is the next site in the attack chain. 404 TDS does not appear to perform any filtering or blocking. In most cases the TDS simply redirects the user to the next URL. 404 TDS links are time limited, typically to one day.\r\nAfter any potential third-party filtering and the initial redirect, the browser is redirected to a long hostname (often related to the lure) hosted on an actor-controlled domain, where additional IP-based filtering is performed. Only if the target passes this final IP filtering step are they redirected to the final landing page, hosted under a campaign-specific path on the same host.\r\nThe domain itself is usually used for only one or two campaigns, and new domains are typically registered and deployed at least once per week. Although new domains are rotated frequently, the IP address hosting these final steps often remains static for long periods. For example, 94[.]159[.]113[.]37 (AS216234 Komskov Vadim Aleksandrovich) has been used since April 2025.\r\nBecause of the layered redirects and filtering, full redirect chains and final landing pages are rarely captured by public sandboxes or URL scanning services.\r\nTargeting details\r\nCampaigns typically target hundreds of organizations with message volumes ranging from a few thousand to nearly 200,000 messages per campaign.
\r\nHistorically, this actor has largely focused its targeting on organizations in North America, the UK, and Ireland, but at the end of July 2025, the actor expanded targeting to regularly include Germany. (Analyst note: Proofpoint previously observed a small number of campaigns targeting Germany in 2023, but in 2025 the actor consistently targeted that country at a significantly higher volume.) TA584 focused its targeting efforts on European users for much of the summer, before returning to mostly targeting North America by fall 2025. Proofpoint has also observed limited targeting of Australia since at least spring 2025.\r\nThe actor appears to be opportunistic and doesn’t target specific verticals. The actor typically conducts a few campaigns per week, but we have observed breaks between campaigns. The most frequently targeted geography is North America.\r\nFigure 8. Targeted countries by campaign, 2025.\r\nTA584’s 2025 campaigns show consistent shifts in geographic targeting, with individual operations often focused on specific regions. While earlier activity associated with the actor had a less specific focus on geographic targeting, campaigns observed in 2025 frequently included deliberate regional targeting, with less opportunistic activity.\r\nTargeted regions often change between campaigns, with geographic focus rotating over relatively short timeframes. In several cases, campaigns in a single week targeted different regions while using distinct branding, language, and lure themes relevant to selected targets.
\r\nFigure 9. UK targeted email lure, 24 September 2025.\r\nFigure 10. German targeted email lure, 25 September 2025.\r\nFigure 11. U.S. targeted email lure, 19 September 2025.\r\nThis rotational targeting allows TA584 to keep a high operational tempo while reducing repeated exposure within any single region.\r\nMalware details\r\nThe current payload delivered is XWorm with the configuration “P0WER”, which the actor has used since at least mid-2024. However, at the end of November and through December 2025, TA584 also distributed a newly observed malware called Tsundere Bot, which we describe below.\r\nPreviously, the actor was observed distributing the following payloads for initial access: Ursnif (2020 – 2022), LDR4 (2022 – 2023), WarmCookie (2024), Xeno RAT (2024), and Cobalt Strike (2024). TA584 also used DCRAT in one campaign in September 2025, which was a significant outlier. The actor did not use this payload again.\r\nXWorm is a remote access trojan (RAT) observed since 2022 that also includes some ransomware functionality. It is available for sale on criminal forums and used by many different threat actors of various levels of sophistication.\r\nTsundere Bot\r\nWhile Tsundere Bot was previously distributed by other threat actors in Proofpoint campaign data as early as August 2025, TA584 used Tsundere Bot for the first time at the end of November 2025. Throughout December, Proofpoint observed this payload in multiple additional campaigns, and it now appears to be a favored payload alongside XWorm. Tsundere Bot is a new malware with backdoor and loader capabilities.
Further investigation identified the panels, which identified themselves as “Tsundere Netto” and “Tsundere Reborn”, from which the name Tsundere Bot was taken. It is a malware-as-a-service (MaaS). It is used by multiple different threat actors, according to third-party reporting from Kaspersky, including being dropped by RMMs downstream of web injects, and delivered via fake video game installers.\r\nFigure 12. Tsundere Bot panel screenshot.\r\nThe bot needs Node.js to be installed on the system, which is handled by installers available to be built from the command and control (C2) panel in the form of MSI installers or PowerShell scripts. Tsundere Bot has the following capabilities:\r\nUses a form of EtherHiding to connect to the Ethereum blockchain via multiple RPC providers in order to retrieve its C2 and config via a Web3 smart contract and wallet defined by the installer, and uses a consensus mechanism to select the most commonly returned C2 URL from multiple providers. The malware also includes a hardcoded C2 fallback in the installer script.\r\nUses WebSockets to communicate with the C2.\r\nChecks system locale and exits if the system uses CIS country languages (Russian, Ukrainian, Belarusian, Kazakh, etc.).\r\nCollects system information such as CPU/GPU info, username and hostname, Windows version, volume serial numbers, etc. and creates a unique victim ID with this info.\r\nMaintains connection health to C2 with a “ping/pong” heartbeat.
\r\nCan execute arbitrary JavaScript code sent from the C2.\r\nThe C2 panel, which allows public account creation, contains functions such as:\r\nBot control panel which can be filtered by IP, country code, username and hostname.\r\nUser settings where a license key for the MaaS can be applied.\r\nBuild system where installers in the form of MSI or PowerShell can be generated.\r\nAutotasks management where custom Node.js scripts can be configured to run automatically on first or every bot connection.\r\nA market where bots can be sold and purchased.\r\nSocks Proxy, where bots can be configured to be used as SOCKS5 proxies.\r\nProofpoint has observed this malware delivered via a variety of attack chains based on the distinct threat actor using it, including multiple campaigns leveraging the ClickFix social engineering technique. Proofpoint has identified multiple pairs of contracts/wallets that resolve to different active C2 servers. Early versions of the installer and bot code contain comments in both Russian and English in different parts of the code.\r\nIn general, the malware can be used for information gathering, data exfiltration, lateral movement, and to install additional payloads. Given that Proofpoint has observed this malware used by TA584, researchers assess with high confidence that Tsundere Bot malware infections could lead to ransomware.\r\nThe first observed TA584 Tsundere Bot campaign occurred on 28 November 2025 and impersonated the Health and Safety Executive (HSE). Other Tsundere Bot campaigns observed in December include impersonating document review tools, construction companies, and mobile providers.\r\nFigure 13. HSE lure.
\r\nIn this email, which is a typical lure style for the threat actor, TA584 asks recipients to provide requested information by clicking unique URLs that redirect to a landing page with a CAPTCHA, if IP filtering and geofencing checks are passed.\r\nFigure 14. HSE themed CAPTCHA.\r\nIf the CAPTCHA is resolved, a ClickFix page will be displayed which guides users to follow instructions which, if completed, run a PowerShell command.\r\nFigure 15. ClickFix steps.\r\nThis command, in turn, runs a remote intermediate PowerShell script that is likely generated from the Tsundere Bot malware panel. The remote script installs Node.js and its dependencies directly from nodejs[.]org, then decrypts two AES-encrypted embedded Node.js files: one loader script, which subsequently loads the second script, the Tsundere Bot itself.\r\nFigure 16. TA584 PowerShell script.\r\nTsundere Bot retrieves its C2 address from the Ethereum blockchain using a variant of the EtherHiding technique, or a hardcoded C2 fallback, profiles the computer, sends this profiling information to the C2 (193[.]17[.]183[.]126:3001), and then waits for additional Node[.]js-based payloads.\r\nNotably, while the PowerShell installer script contains English, the Node.js scripts are commented in Russian and include logic to abort execution if the malware detects that it is running on a system located in a CIS country.\r\nWhile the contract can be updated to point to a new C2, the contract used in this infection chain has had the same C2 configured since its first transaction on 6 August 2025.
\r\nXWorm “P0WER”\r\nSince XWorm is a well-known malware, we won’t go into details here but include a summary of what the “P0WER” configuration means, and how TA584 uses it in their attack chain. Just as with Tsundere Bot, the “P0WER” variant of this malware is likely a complete product that is sold as a MaaS. The name “P0WER” that Proofpoint is using for this configuration is taken from the AES key used in this specific version. And just as with other malware distributed by TA584, this configuration has also been seen from other unrelated clusters, which also use the same execution method as TA584.\r\nJust as with the Tsundere Bot chain, the infection starts with PowerShell running a remote PowerShell script. Due to the similarity in the execution of this variant from other clusters, it’s likely that this script is built with a malware builder from a MaaS. While the obfuscation of the installation script has changed since the variant was first observed, and additional obfuscation of the binaries has been added, the functionality remains the same.\r\nThe script begins by disabling AMSI scanning via a reflection trick that forces an initialization failure (amsiInitFailed), ensuring the rest of the code runs unmonitored. It suppresses errors to stay quiet and reconstructs two hidden Base64 blobs using string replacements. The first blob is a custom .NET loader, which is reflectively loaded into memory; the second is the XWorm malware executable.\r\nFigure 17. XWorm P0WER PowerShell script used by TA584 in April 2025.\r\nTo execute the malware, the script invokes a method called BIG.BOOM. This method performs process hollowing, a technique where the loader starts a legitimate, signed Microsoft utility, RegSvcs[.]exe, in a suspended state, empties its memory, and replaces it with the XWorm payload.\r\nFigure 18. XWorm P0WER PowerShell script with XOR obfuscation used by TA584 in December 2025.\r\nFigure 19. Same as the Figure 18 script with as much obfuscation removed as possible, while still showing the functionality as used by the actor.\r\nThis makes the detonation effectively file-less, as the malware resides entirely in RAM and masks its activity under the identity of a trusted system process. Finally, the script wipes the clipboard to remove traces of the initial ClickFix command.\r\nOnce active in memory, the XWorm client communicates with its C2 server to pull down secondary modules, including a persistence plugin built with SharpHide. This tool manipulates the Windows Registry by inserting null-byte characters (\\x00) into the key names. Because many standard Windows APIs and management tools (like Regedit.exe) treat the null byte as a string terminator, the entry becomes effectively invisible to basic enumeration, hiding the malicious \"Run\" key from casual inspection.\r\nThis hidden key establishes an execution chain that triggers on every system boot:\r\nThe key launches mshta, which executes a VBScript one-liner that instantiates the WScript.Shell COM object. This object is used to execute a PowerShell process with the WindowStyle set to 0 (hidden), preventing any console window from appearing to the user.\r\nThe spawned PowerShell process decodes a Base64-encoded string to run another remote PowerShell script, which normally contains the same installation script as the one initially executed. However, by fetching the payload dynamically from an external IP on each boot, the attacker ensures the infection is modular.
This allows for C2 infrastructure migration or the delivery of additional malware without needing to modify the local persistence entry, maintaining a persistent, \"effectively file-less\" foothold that is difficult to disrupt through standard file-system cleanup.\r\nAttribution\r\nProofpoint assesses with high confidence this actor is an initial access broker with infections that can lead to ransomware. TA584 is a sophisticated cybercriminal threat actor that has maintained operational consistency since at least 2020. Based on the malware used and artifacts in the attack chains, it is likely this actor is plugged in to the Russian cybercriminal ecosystem and underground markets.\r\nDefensive recommendations\r\nRestrict users from running PowerShell unless necessary for their job function.\r\nUse application control policies (like AppLocker or Windows Defender Application Control) to prevent the execution of tools like node.exe from non-standard, user-writable locations such as “C:\\Users\\*\\AppData\\Local\\”.\r\nCreate detection rules for powershell[.]exe or cmd[.]exe spawning a node[.]exe process, especially when node[.]exe is located in a user's AppData or other non-standard locations.\r\nBlock or monitor Ethereum endpoints. The malware relies on a hardcoded list of public Ethereum RPC providers to retrieve its C2 server address. Blocking (or monitoring) outbound traffic to these specific URLs at the network firewall or web proxy can prevent the malware from receiving its instructions.\r\nMonitor and inspect WebSocket traffic. The malware uses WebSockets (ws:// or wss://) for C2 communication. Implement network monitoring to detect and inspect WebSocket connections to unknown or uncategorized domains.\r\nConsider disabling Windows+R via Group Policy for users who do not need it for their job function.
\r\nOrganizations should train users to identify this activity and report suspicious activity to their security teams. This is very specific training but can be integrated into an existing user training program.\r\nConclusion\r\nThe cybercriminal threat landscape has experienced dramatic shifts in behaviors, targeting, and malware use over the last year, with many priority threat actors disappearing from email threat data in 2025. TA584, however, bucks this trend and has demonstrated consistent patterns of behavior and targeting since 2020, with recent shifts that demonstrate the actor is attempting to infect a broader range of targets. Proofpoint assesses it’s likely TA584 will increase targeting in Europe in 2025. It is also possible the threat actor will continue experimenting with different payloads, like Tsundere Bot or other remote access payloads newly available for sale on criminal markets.\r\nOrganizations should be aware of techniques used by TA584 and implement preventative defensive measures including restricting users from running PowerShell unless required for job functions and blocking known TA584 hosts.
\r\nExample Emerging Threats rules\r\n2865239 – Win32/xworm V2 CnC Command - RD- Inbound\r\n2865240 – Win32/xworm V3 CnC Command - sendPlugin\r\n2865241 – Win32/xworm V3 CnC Command - Informations Outbound\r\n2865163 – Win32/xworm v3 CnC Command - PCShutdown Inbound\r\n2865200 – Win32/xworm v3 CnC Command - savePlugin Inbound\r\n2033355 – ET INFO Windows Powershell User-Agent Usage\r\nExample indicators of compromise\r\nIndicator  Description  First Seen\r\n94[.]159[.]113[.]37  TA584 Host | AS216234 Komskov Vadim Aleksandrovich  Apr 2025\r\n85[.]236[.]25[.]119  Tsundere Bot C2  9 Dec 2025\r\n80[.]64[.]19[.]148  XWorm C2  10 Nov 2025\r\n85[.]208[.]84[.]208  XWorm C2  9 Sept 2025\r\n178[.]16[.]52[.]242  XWorm C2  27 Oct 2025\r\n94[.]159[.]113[.]64  XWorm C2  28 M 2025\r\nhxxp://94[.]159[.]113[.]37/ssd[.]png  ClickFix Payload URL  Sept 2025\r\nbbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99  SHA256 Remote PowerShell Script Leading to XWorm  Dec 2025\r\n441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30  SHA256 XWorm SharpHide Payload  Dec 2025\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access"
	],
	"report_names": [
		"cant-stop-wont-stop-ta584-innovates-initial-access"
	],
	"threat_actors": [
		{
			"id": "901361b4-9c52-4f5b-a06d-21528b1f2cc4",
			"created_at": "2024-02-16T02:00:04.592106Z",
			"updated_at": "2026-04-10T02:00:03.586462Z",
			"deleted_at": null,
			"main_name": "TA2725",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2725",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "830ec576-b163-4d11-b711-fee2aa0f2ee1",
			"created_at": "2026-02-03T02:00:03.446725Z",
			"updated_at": "2026-04-10T02:00:03.944446Z",
			"deleted_at": null,
			"main_name": "TA584",
			"aliases": [
				"Storm-0900"
			],
			"source_name": "MISPGALAXY:TA584",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67f4c58d389fa4387b60968da0a605170f259417.pdf",
		"text": "https://archive.orkl.eu/67f4c58d389fa4387b60968da0a605170f259417.txt",
		"img": "https://archive.orkl.eu/67f4c58d389fa4387b60968da0a605170f259417.jpg"
	}
}