Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-06 02:12:49 UTC

Other threat group: TA551, Shathak

Names:
  TA551 (Proofpoint)
  Gold Cabin (SecureWorks)
  Shathak (?)
  Monster Libra (Palo Alto)
  G0127 (MITRE)

Country: Russia
Motivation: Financial gain
First seen: 2016

Description:
  (Palo Alto) TA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking victims. The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically pushed different families of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer.

Observed:

Tools used: BokBot, Gozi, Sliver, Valak.

Operations performed:
  Oct 2021: TA551 Uses ‘SLIVER’ Red Team Tool in New Activity
  Jan 2021: From IcedID to Domain Compromise

Information: MITRE ATT&CK, Playbook

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=269da320-1b20-4721-9bd6-17e0a355fe7d