Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 12:50:07 UTC
 APT group: TA555
Names TA555 (Proofpoint)
Country [Unknown]
Motivation Financial crime
First seen 2018
Description
(Proofpoint) Beginning in May 2018, Proofpoint researchers observed a previously
undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The
campaigns appear to primarily target hotels, restaurants, and telecommunications, and are
distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a
first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to
identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is
under active development and we have also observed another version of the malware
completely rewritten in PowerShell and .NET.
Observed Sectors: Hospitality, Telecommunications.
Tools used AdvisorsBot, PoshAdvisor.
Information
<https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot>
Last change to this card: 14 April 2020
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bf6a3eb5-da87-482a-87da-d50a301953ee
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bf6a3eb5-da87-482a-87da-d50a301953ee
Page 1 of 1