{
	"id": "0f51eff2-65b6-4536-82e0-8797c91e6af9",
	"created_at": "2026-04-06T02:10:38.003638Z",
	"updated_at": "2026-04-10T13:12:35.673386Z",
	"deleted_at": null,
	"sha1_hash": "7e60dc38042aa5b8282fe26bae21761250c625b5",
	"title": "Security Brief: TA547 Pivots from Ursnif Banking Trojan to Ransomware in Australian Campaign | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1359378,
	"plain_text": "Security Brief: TA547 Pivots from Ursnif Banking Trojan to\r\nRansomware in Australian Campaign | Proofpoint US\r\nBy Sherrod DeGrippo and the Proofpoint Threat Research Team, July 17, 2020\r\nPublished: 2020-07-16 · Archived: 2026-04-06 01:31:09 UTC\r\nProofpoint researchers have identified a ransomware and banking trojan campaign that occurred July 12-14, 2020\r\nand targeted multiple verticals in Australia. The campaign pivoted from distributing the Ursnif banking trojan in\r\nearly messages to later distributing Adhubllka ransomware, which encrypts files on compromised systems. While\r\nthis campaign was widely distributed across industries, construction, transportation, entertainment and media,\r\naerospace, and manufacturing were among the most commonly observed.\r\nProofpoint researchers believe this campaign is the work of TA547, an actor known for abusing email service\r\nproviders and distributing banking trojans across various geographic regions. This campaign is also the latest\r\nexample of TA547 targeting Australians. A prior effort included a ZLoader banking malware campaign disguised\r\nas job applicant emails.\r\nIn this case over 2,000 messages were sent during July 12-14 with lures informing intended recipients that their\r\norder “has been processed” and urging them to view their “order details.” The subject lines contained\r\n“salesforce.com Order Confirmation” followed by a fake order number.\r\nThe messages contain Microsoft Excel attachments (Figure 1) or URLs linking to Excel documents hosted by an\r\nemail service provider (Figure 2).\r\nhttps://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign\r\nPage 1 of 6\n\nFigure 1: Malicious Microsoft Excel attachment\r\nFigure 2: Link to malicious Excel document\r\nThe email lure with malware attached (Figure 1) is not particularly interesting or customized, but the lure that\r\ncontains a link to the malware (Figure 2) is a bit more creative. It contains a lure with branding for a construction\r\nworkers’ resource group, which is notable because the construction industry was one of the sectors most targeted\r\nin this campaign.\r\nIn initial messages, the files used XL4 macros (Figure 3) to download Ursnif but shifted to downloading\r\nAdhubllka ransomware on July 13 around 08:00am GMT (Figure 4).\r\nFigure 3: Excel document containing malicious macros\r\nThe pivot to delivering a new payload isn’t unusual on its own, but it is unclear why the actor switched away from\r\nusing highly valuable crimeware like Ursnif to Adhubllka ransomware.\r\nFigure 4: Ransomware note\r\nFigure 5: Ransomware payment page\r\nThe initial payment page for Adhubllka includes a link to a Freshdesk ticketing software instance. The link is\r\nbehind a URL shortener that collects the victim’s IP address if they visit the link to report an issue. The actor\r\nmight be suggesting the victim visit the ticketing site in a browser other than Tor because it isn’t a .onion link, but\r\nthis could also be an attempt to collect the victim’s unmasked IP address.\r\nFigure 6: Ransomware payment portal\r\nThe ransom of $3,700 is requested in bitcoin, complete with a QR code to facilitate the transaction. Instructions\r\nfor creating a bitcoin wallet are found on the “How to get my files back” tab of the site.\r\nAs of this publication, the Tor site is still online, though no transactions involving associated bitcoin addresses\r\nappear to have taken place.\r\nThe techniques used in this campaign are not uncommon for TA547, but the mid-campaign payload switch is\r\nunusual. While the motivation for the switch isn’t immediately clear, it’s possible that the actor is experimenting\r\nwith different payloads, or simply wants different types of infections at their disposal.\r\nSource: https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign\r\n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign"
	],
	"report_names": [
		"ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441438,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e60dc38042aa5b8282fe26bae21761250c625b5.pdf",
		"text": "https://archive.orkl.eu/7e60dc38042aa5b8282fe26bae21761250c625b5.txt",
		"img": "https://archive.orkl.eu/7e60dc38042aa5b8282fe26bae21761250c625b5.jpg"
	}
}