{
	"id": "d194d54a-2efb-4373-8bb7-f7a2da8a980e",
	"created_at": "2026-04-06T00:13:26.352078Z",
	"updated_at": "2026-04-10T03:36:37.068032Z",
	"deleted_at": null,
	"sha1_hash": "7a2d7cd5218a5c4d3fa42255bc46b07017bf877e",
	"title": "TA505 shifts with the times | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 587698,
	"plain_text": "TA505 shifts with the times | Proofpoint US\r\nBy June 08, 2018 Proofpoint Staff\r\nPublished: 2018-06-08 · Archived: 2026-04-05 20:07:39 UTC\r\nOverview\r\nIn September 2017, Proofpoint researchers detailed the history and ongoing activities of an actor we track as\r\nTA505. Throughout 2016 and 2017, TA505 was among the most prolific financially motivated actors we follow,\r\nregularly distributing massive malicious spam campaigns bearing diverse payloads ranging from Jaff ransomware\r\nto The Trick banking Trojan. TA505 was behind many of the Dridex campaigns that plagued organizations in 2015\r\nand introduced Locky ransomware in 2016, bringing unprecedented scale to malicious spam distribution. Since\r\nwe wrote our original TA505 profile, the actor has continued to explore the use of new malicious attachments and\r\nnew payloads. In 2018, though, the scale and regularity of their campaigns decreased, while the diversity of\r\npayloads has increased. Given the importance of this actor in the email threat landscape, we wanted to revisit our\r\nprofile and update it with the latest activity from TA505.\r\nFor additional historical information on TA505, read our Actor Profile.\r\nActivity since September 2017\r\nLocky - September/October\r\nBy the fourth quarter of 2017, TA505 was still sending very high-volume campaigns primarily distributing Locky\r\nransomware. As in the preceding months, TA505 pivoted through various attachment types to deliver the\r\nmalicious payload. For the last half of September and the first half of October, the group primarily used VBScript\r\nfiles compressed in 7-Zip archives to distribute Locky Affiliate ID 3 (Affid=3). 7-Zip files are not natively\r\nsupported in Microsoft Windows and require the installation of 7-Zip software; recipients also needed to execute\r\nthe VBScript after installing 7-Zip and decompressing the attachments. 
While this combination of files is\r\nsomewhat unusual for attachment campaigns and requires more user interaction than many, most researchers\r\nsuspect that TA505 was using new vectors to bypass protections put in place by organizations saturated with\r\nLocky-bearing messages over the previous year.\r\nGeo-targeted Locky and The Trick - October\r\nOn October 10, TA505 introduced their first geo-targeted campaign dropping either Locky or The Trick banking\r\nTrojan. In this campaign, HTML files were attached to emails inquiring about the status of an invoice. When users\r\nopened the HTML attachments to view the fake invoice, embedded JavaScript downloaded The Trick banking\r\nTrojan with gtag \"mac1\" if the victim appeared to reside in the UK, Australia, Luxembourg, Ireland, or Belgium.\r\nAll other victims received Locky (Affid=3 with file extension “.ykcol”).\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times\r\nPage 1 of 6\n\nFigure 1: Lure email with .html attachment, October 10, 2017\r\nFigure 2: .html attachment with JavaScript that downloads the final payload, October 10, 2017\r\nTA505 sent several similar campaigns in mid-October with VBScript compressed in 7-Zip files that also\r\ndownloaded either Locky or The Trick. By late October, the actor switched to Microsoft Word attachments that\r\nabused Dynamic Data Exchange (DDE) to download either Locky or Locky and The Trick in several more geo-targeted campaigns. This was the first time that we observed TA505 abusing DDE, a legitimate feature in\r\nMicrosoft Office that became a regular part of multiple threat actors’ toolkits in Q4 2017. 
Recipients of these\r\nemails, which also used simple lures with attached fake invoices, needed to open the Microsoft Word attachments\r\nand click through a security dialog (Figure 3) to download the malware.\r\nFigure 3: DDE confirmation associated with late-October campaigns\r\nEmbedded .lnk and .vbs - November\r\nOn October 31, TA505 sent two campaigns, both using .lnk files embedded in Microsoft Word documents. As\r\nshown in Figure 4, recipients must open the attached Word document, enable editing, and then execute the .lnk file\r\nby double-clicking an image in the document. They must further confirm that they want to open the .lnk file\r\n(Figure 5), which, in turn, downloads an intermediate downloader. This downloader then downloads either Locky\r\nor The Trick depending on location. Despite the number of steps involved, TA505 relies on light social\r\nengineering in the email and lure as well as end-user conditioning to proceed through the scheme and infect their\r\nPC with malware.\r\nFigure 4: Microsoft Word document with embedded malicious .lnk file, October 31, 2017\r\nFigure 5: Security dialog for embedded .lnk file\r\nThrough November 9, TA505 distributed several such campaigns, sometimes two per day, largely distributing\r\nLocky. Activity for the rest of November was light, featuring only five more campaigns using embedded Visual\r\nBasic scripts in Word documents or VBScript in 7-Zip attachments to distribute The Trick, Dridex, Scarab\r\nransomware, and GlobeImposter ransomware.\r\nGlobeImposter - December\r\nDecember saw yet another shift in payloads for TA505. Of the 34 campaigns the group sent in a month that was\r\nextremely active even by TA505 standards, 24 were distributing GlobeImposter ransomware. 
Like The Trick\r\nbanking Trojan, GlobeImposter was a relatively low-profile, regionally focused malware strain that became a\r\nglobal threat when TA505 began distributing it in massive campaigns. The majority of these campaigns used\r\nmalicious VBScript or JavaScript compressed in 7-Zip attachments.\r\nThe remaining ten campaigns in December distributed a range of malware including The Trick, the\r\nDreamSmasher reconnaissance tool, and Dridex.\r\nShifting to low-volume campaigns - January/February 2018\r\nTA505 has typically taken some time to resume full operations after the Russian Orthodox holidays. The group is\r\nalso heavily reliant on the Necurs botnet for its massive campaigns, and the botnet's operators appear to have\r\nlost control of it for much of January and February. In previous years, Necurs disruptions\r\nresulted in complete silence from TA505. This year, the group remained active, though campaign frequency and\r\nvolume were a tiny fraction of their 2017 peaks during this period.\r\nRather, TA505 appeared to once again be exploring new payloads and vectors. We observed the actor send two\r\nlarge pharmaceutical spam campaigns via BlackTDS in February, a highly unusual move for a group focused on\r\nmalicious attachments since at least 2014. We have also observed smaller campaigns distributing GandCrab\r\nransomware, DreamSmasher, Dridex, and Quant Loader.\r\nThe slow return of Necurs-powered large campaigns - March 2018 to present\r\nBeginning in March, TA505 launched several large campaigns, again utilizing the Necurs sending infrastructure,\r\nalbeit much less frequently than in 2017. Campaigns in March and April largely delivered the FlawedAmmyy\r\nremote access Trojan (RAT), often via the intermediate Quant Loader malware. 
Attachments in these campaigns\r\nwere frequently Zip archives containing \".url\" files which, if opened and allowed by the user, downloaded\r\nJavaScript via the SMB protocol. The JavaScript then downloaded Quant Loader, which, in turn, downloaded the\r\nFlawedAmmyy RAT. RATs are generally used in targeted attacks, raising the question of how a threat actor\r\ndistributing large-scale malicious spam might use such a tool.\r\nWe observed a handful of TA505 campaigns delivering FlawedAmmyy in late April and May, with the most recent\r\noccurring on June 7. While the frequency of these campaigns remains below their normal cadence and message\r\nvolumes still have not returned to 2017 levels, the trend of shifting vectors and experimentation with new\r\ntechniques continues. The last two campaigns we observed from TA505 made use of .iqy attachments. Microsoft\r\nExcel Web Query files are used to pull external data into Excel and, in these cases, the functionality was abused to\r\ndownload FlawedAmmyy.\r\nConclusion\r\nOver the past four years, TA505 has introduced both Dridex and Locky to the threat landscape in relentless,\r\nmassive email campaigns. The group also turned smaller targeted or regionally focused malware like The Trick,\r\nGlobeImposter, and FlawedAmmyy into global phenomena. TA505 regularly changes vectors, shifts payloads, and\r\nexperiments with new techniques, all apparently to bypass defenses and deliver payloads from bankers to RATs,\r\noften at a scale unmatched by other high-profile actors.\r\nTheir recent foray into large-scale distribution of RATs and intermediate loaders bears further observation as,\r\nunlike with Locky or GlobeImposter infections, victims may not realize they are infected until the group triggers\r\nadditional malware installations or steals valuable data. 
The group’s willingness to explore new vectors, payloads,\r\nsending infrastructure, and other malicious services like BlackTDS, even when they do not have access to the\r\nNecurs spam cannon, exemplifies the adaptability of modern threat actors.\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times"
	],
	"report_names": [
		"ta505-shifts-times"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a2d7cd5218a5c4d3fa42255bc46b07017bf877e.pdf",
		"text": "https://archive.orkl.eu/7a2d7cd5218a5c4d3fa42255bc46b07017bf877e.txt",
		"img": "https://archive.orkl.eu/7a2d7cd5218a5c4d3fa42255bc46b07017bf877e.jpg"
	}
}