{
	"id": "de87720f-658e-4cf2-969d-66307e38eefc",
	"created_at": "2026-04-06T00:10:29.073354Z",
	"updated_at": "2026-04-10T03:33:52.180891Z",
	"deleted_at": null,
	"sha1_hash": "7f972e43486e6214eb3cd65c952fc0878cdb2bc5",
	"title": "Phish Scales: Malicious Actor Combines Personalized Email, Variety of Malware To Target Execs | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 701492,
	"plain_text": "Phish Scales: Malicious Actor Combines Personalized Email, Variety of Malware To Target Execs | Proofpoint US\r\nBy Matthew Mesa, April 05, 2016\r\nPublished: 2016-04-05 · Archived: 2026-04-05 20:26:37 UTC\r\nThe rule of thumb for phishing emails is that the more personalized they are, the more effective they will be. Personalization, though, is expensive, both in terms of the research required and the preparation of highly targeted malicious emails. The tradeoff between efficacy and cost has always been a constraint on attackers. Unfortunately, Proofpoint has recently observed one actor who appears to have found a way to scale spear phishing. One recent study puts the average cost of a successful spear phishing campaign at $1.6 million per incident - if spear phishing becomes the norm instead of the outlier, the math becomes fairly intimidating for targeted organizations.\r\nSince January 2016, a financially motivated threat actor whom Proofpoint has been tracking as TA530 has been targeting executives and other high-level employees, often through campaigns focused exclusively on a particular vertical. For example, intended victims frequently have titles such as Chief Financial Officer, Head of Finance, Senior Vice President, Director and other high-level roles.\r\nAdditionally, TA530 customizes the email to each target by specifying the target’s name, job title, phone number, and company name in the email body, subject, and attachment names. On several occasions, we verified that these details are correct for the intended victim. While we do not know for sure the source of these details, they frequently appear on public websites, such as LinkedIn or the company’s own website. 
The customization doesn't end with the lure; the malware used in the campaigns is also targeted by region and vertical.\r\nWhile these campaigns aren't approaching the size of, for example, the Dridex and Locky blasts that go after very large numbers of random recipients, TA530 has sent approximately a third of a million personalized messages to recipients in US, UK, and Australian organizations. These attacks are quite large relative to other selective or spear phishing campaigns.\r\nWe observed TA530 at times targeting only a specific and narrow vertical, such as Retail and Hospitality. At other times, the campaigns appear more widespread. Overall, the volume of messages targeting each vertical is shown below:\r\nhttps://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs\r\nPage 1 of 13\n\nFigure 1: Top targeted industries\r\nMalware Arsenal\r\nIn addition to the targeted and personalized approach, we observed TA530 having access to the necessary infrastructure and attempting to deliver and install the following primary malware payloads.\r\nUrsnif ISFB - banking Trojan configured to target Australian banks\r\nFileless Ursnif/RecoLoad - Point of Sale (PoS) reconnaissance Trojan targeted at Retail and Hospitality. It was first featured in Kafeine’s blog [1] in July of 2015, which suggests that it has been in distribution since 2014; shortly after, it was described in more detail by Trend Micro [2].\r\nTinyLoader - a downloader used in campaigns targeting Retail and Hospitality verticals. 
We have not observed it download secondary payloads, but previously it has been used to download malware such as AbaddonPOS [3].\r\nTeamSpy/TVSpy - RAT utilizing TeamViewer [4], primarily targeted at Retail and Hospitality\r\nCryptoWall - file-encrypting ransomware targeted at a variety of companies\r\nNymaim - installs a banking Trojan [5]; primarily targeted at Financial companies\r\nDridex Botnet 222 - banking Trojan botnet with UK targeting. Proofpoint first observed this botnet when it was dropped by Bedep in January 2016 [6].\r\nTA530 also used additional intermediary loaders such as H1N1 Loader and Smoke Loader.\r\nCampaigns\r\nOne of the trends we noticed is that the POS-oriented payloads (TinyLoader and Fileless Ursnif) and TVSpy were targeted at retail and hospitality companies, while the banking and ransomware payloads were targeted at a wider variety of companies. In each case, however, they were primarily still aimed at high-value employees.\r\nFigure 2: Fileless Ursnif campaigns targeting primarily Retail and Hospitality verticals\r\nIn one email targeting a retail company, we saw TA530 attempting to infect a manager. In that particular message, the actor used the target's name, phone number, and the company they work for to “report” an incident at one of the retail locations using the actual address of that location. 
If the target were to open the attachment (Figure 3) and macros were enabled, it would infect the user by running WMI commands to launch PowerShell with a command to download and launch the Fileless Ursnif payload from a byte array (Figure 4).\r\nFigure 3: Example document used to deliver Fileless Ursnif\r\nFigure 4: Macro used in document serving Fileless Ursnif\r\nIn other recent examples, we see the messages specify the company name, the contact’s name (Figures 6 and 7), and even the contact’s position in the company (Figure 6). Again, the attachment is a Word document (Figure 8) containing macros, but in this case the document simply downloads and runs an executable. In these examples, the delivered payload is Nymaim. We have observed Nymaim utilizing Ursnif to perform banking injects. It appears the intent is to infect employees who have a higher chance of interacting with banking websites on behalf of the company. 
Similar emails (Figure 9) have also been used to distribute an instance of Ursnif which targets Australian banking sites with its web injects.\r\nFigure 5: Nymaim banking Trojan targeting primarily Financial Services\r\nFigure 6: Example email delivering Nymaim\r\nFigure 7: Example email delivering Nymaim\r\nFigure 8: Example document used to deliver Nymaim\r\nFigure 9: Example email delivering Ursnif ISFB\r\nHere we see another similar email (Figure 10) targeting an HR director, except this time the email is targeting a company in the UK and the attached document (Figure 11) leads to the installation of Dridex botnet 222. Dridex 222 webinjects/redirects are primarily configured for UK targets.\r\nFigure 10: Example email delivering Dridex 222\r\nFigure 11: Example document used to deliver Dridex 222\r\nIn our last example we see a personalized email (Figure 13) using the company name and contact’s name to deliver the malicious document (Figure 14). In this case, the delivered payload was CryptoWall. 
This campaign targeted management or higher-level employees across several verticals (Figure 12), and since the payload is ransomware, there was a higher chance of encrypting valuable files.\r\nFigure 12: CryptoWall targeting\r\nFigure 13: Example email delivering CryptoWall “crypt5028”\r\nFigure 14: Example email delivering CryptoWall “crypt5028”\r\nWe have also observed TA530 using similarly personalized emails to distribute malicious links as well as messages attaching JavaScript downloaders. Although we have observed TA530 using messages which were not personalized, this was not the norm in these campaigns.\r\nConclusion\r\nBased on what we have seen in these examples from TA530, we expect this actor to continue to use personalization and to diversify payloads and delivery methods. The diversity and nature of the payloads suggest that TA530 is delivering payloads on behalf of other actors. The personalization of email messages is not new, but this actor seems to have incorporated and automated a high level of personalization, previously not seen at this scale, in their spam campaigns.\r\nIt is unlikely that these techniques will ultimately be limited to TA530. Rather, we expect increasing degrees of personalization and targeting as actors learn to effectively harvest corporate data from public sites like LinkedIn, potentially making their campaigns more effective. 
This is a natural extension of the types of activities we have been seeing on both the malware and the impostor threat fronts and, as always, reinforces the need for both secure email gateway solutions and ongoing user education.\r\nReferences\r\n[1] http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html\r\n[2] http://blog.trendmicro.com/trendlabs-security-intelligence/angler-exploit-kit-used-to-find-and-infect-pos-systems/\r\n[3] https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak\r\n[4] https://www.damballa.com/tvspy-threat-actor-group-reappears/\r\n[5] https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0\r\n[6] https://www.proofpoint.com/us/threat-insight/post/New-Year-More-Dridex\r\nIndicators of Compromise\r\nSource: https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-target-execs"
	],
	"report_names": [
		"phish-scales-malicious-actor-target-execs"
	],
	"threat_actors": [
		{
			"id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee",
			"created_at": "2022-10-25T16:07:24.285532Z",
			"updated_at": "2026-04-10T02:00:04.922819Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "ETDA:TA530",
			"tools": [
				"AbaddonPOS",
				"August Stealer",
				"Bugat v5",
				"CryptoWall",
				"Dofoil",
				"Dridex",
				"Gozi ISFB",
				"H1N1",
				"H1N1 Loader",
				"ISFB",
				"Nymaim",
				"Pandemyia",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"SpY-Agent",
				"TVRAT",
				"TVSpy",
				"TeamSpy",
				"TeamViewerENT",
				"TinyLoader",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1",
			"created_at": "2023-01-06T13:46:38.476089Z",
			"updated_at": "2026-04-10T02:00:02.990237Z",
			"deleted_at": null,
			"main_name": "TA530",
			"aliases": [],
			"source_name": "MISPGALAXY:TA530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434229,
	"ts_updated_at": 1775792032,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f972e43486e6214eb3cd65c952fc0878cdb2bc5.pdf",
		"text": "https://archive.orkl.eu/7f972e43486e6214eb3cd65c952fc0878cdb2bc5.txt",
		"img": "https://archive.orkl.eu/7f972e43486e6214eb3cd65c952fc0878cdb2bc5.jpg"
	}
}