{
	"id": "7f9ba1b7-37ba-40b2-9807-0a7f9d86b93c",
	"created_at": "2026-04-06T00:11:21.974787Z",
	"updated_at": "2026-04-10T03:37:23.85632Z",
	"deleted_at": null,
	"sha1_hash": "bd3a9d92a06c47416928faa09dafe16f67f125b4",
	"title": "TA551 Uses ‘SLIVER’ Red Team Tool in New Activity | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 340570,
	"plain_text": "TA551 Uses ‘SLIVER’ Red Team Tool in New Activity | Proofpoint US\r\nBy BRYAN CAMPBELL, SELENA LARSON AND THE PROOFPOINT THREAT INSIGHT TEAM\r\nPublished: 2021-10-20 · Archived: 2026-04-05 16:05:23 UTC\r\nOctober 20, 2021\r\nProofpoint researchers identified a new campaign from the highly active cybercrime actor known as TA551 using a\r\nlegitimate “Red Team \u0026 adversary simulation Framework”. The new activity demonstrates a significant departure from the\r\npreviously observed activity from this group. Proofpoint assesses with high confidence the new activity could lead to\r\nransomware infections.\r\nTA551 is a criminal threat actor Proofpoint has tracked since 2016. It is known by other security firms as Shathak.\r\nProofpoint assesses with high confidence TA551 gains access to stolen messages or compromised email accounts – also\r\nknown as thread hijacking – which it uses in email campaigns to distribute malware. TA551 has previously distributed\r\nmalware payloads such as Ursnif, IcedID, Qbot, and Emotet. This actor acts as an initial access facilitator for ransomware\r\nthreat actors. Proofpoint has observed its campaigns leveraging banking trojans have led to ransomware infections.\r\nProofpoint assesses with high confidence TA551 IcedID implants were associated with Maze and Egregor ransomware\r\nevents in 2020.\r\nOn 20 October 2021, Proofpoint observed emails that appeared to be replies to previous conversations and contained\r\npassword-protected zipped Word documents. The attachments ultimately lead to the download of Sliver, an open-source,\r\ncross-platform adversary simulation and red team platform. 
The activity demonstrated a significant departure from TA551’s previously observed tactics, techniques, and procedures.\r\nhttps://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity\r\nPage 1 of 3\r\nFigure: Thread hijacked email containing zipped Word document.\r\nWhen a victim downloads and opens the zipped attachment, they are ultimately directed to a macro-laden Microsoft Word document. If macros are enabled, SLIVER is downloaded.\r\nFigure: Malicious Microsoft Word document directing victims to enable macros.\r\nSLIVER is available for free online, and its capabilities include information gathering, command and control (C2) functionality, token manipulation, process injection, and other features. Red teaming tools are becoming increasingly popular with cybercrime threat actors. For instance, Proofpoint observed a 161% increase in threat actor use of the red teaming tool Cobalt Strike between 2019 and 2020. Additional offensive frameworks that appear as first stage payloads used by cybercrime actors include Lemon Tree and Veil.\r\nTA551’s use of SLIVER demonstrates considerable actor flexibility. As an established initial access broker that gains its foothold through email campaigns, TA551 would typically compromise a victim and then broker that access to enable the deployment of Cobalt Strike and eventually ransomware. With SLIVER, TA551 actors can gain direct access and interact with victims immediately, with more direct capabilities for execution, persistence, and lateral movement. 
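The indicators the brief lists (two URLs and one document hash) are published in defanged form, so a sweep of proxy logs and file-hash telemetry first has to refang them; the example below does that and runs the sweep over sample data. It is an added example written for this page, not Proofpoint code and not part of the original brief. The proxy log lines and the file events in it are constructed for the demo (the log format of time, client, method, URL, status is an assumption), and it generalizes slightly beyond the table: besides the exact URLs it flags any request to the listed C2 host, since an implant need not keep using the admin.jsp path.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the brief, in the defanged form it publishes them.
DEFANGED_IOCS = {
    'document_payload_url': 'hXXp://carwaded[.]com/cbfsd/P9G7gD1E6t9w22zQj/cC9DHcTHUKJV/'
                            'ugnbvdk0EInGgeCqaLEYILzxL/zes1?ref=wU4bJ1ZLhoMc8BcRMMqy&q=ELOKZymM',
    'sliver_c2_url': 'hXXp://ruwejo[.]com/upload/admin.jsp',
}
DOCUMENT_SHA256 = 'b7cc07bfc41e61a89e961dd5826fa2b4d47a85a5b5856d50f9a57667199635b3'


def refang(ioc):
    # Reverse the usual defanging so the value can be compared with real log data:
    # hXXp -> http (any case), [.] or (.) -> ., [:] -> :
    value = re.sub(r'^hxxp', 'http', ioc, flags=re.IGNORECASE)
    return value.replace('[.]', '.').replace('(.)', '.').replace('[:]', ':')


def scan_proxy_log(lines, defanged=DEFANGED_IOCS):
    # Returns (line_index, indicator_name, match_kind). An exact URL match is the
    # strongest signal; a host-only match (same C2 host, different path) is weaker
    # but still worth surfacing, since an implant does not have to keep using admin.jsp.
    exact = {refang(url): name for name, url in defanged.items()}
    hosts = {urlsplit(url).hostname: name for url, name in exact.items()}
    hits = []
    for idx, line in enumerate(lines):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the whole sweep
        url = fields[3]
        if url in exact:
            hits.append((idx, exact[url], 'exact_url'))
            continue
        host = urlsplit(url).hostname
        if host in hosts:
            hits.append((idx, hosts[host], 'host'))
    return hits


def match_file_hashes(events, known=(DOCUMENT_SHA256,)):
    # Hash comparison is case-insensitive because tooling disagrees on hex case.
    wanted = {h.lower() for h in known}
    return [e['name'] for e in events if e.get('sha256', '').lower() in wanted]


# Constructed proxy log lines for the demo (assumed format: time client method url status);
# they are not from the brief.
SAMPLE_PROXY_LOG = [
    '2021-10-20T14:02:11Z 10.0.4.23 GET http://carwaded.com/cbfsd/P9G7gD1E6t9w22zQj/cC9DHcTHUKJV/ugnbvdk0EInGgeCqaLEYILzxL/zes1?ref=wU4bJ1ZLhoMc8BcRMMqy&q=ELOKZymM 200',
    '2021-10-20T14:02:15Z 10.0.4.23 GET https://www.proofpoint.com/us/blog 200',
    '2021-10-20T14:03:40Z 10.0.4.23 POST http://ruwejo.com/upload/admin.jsp 200',
    '2021-10-20T14:03:41Z 10.0.4.23 POST http://ruwejo.com/upload/other.jsp 200',
    '2021-10-20T14:05:00Z 10.0.4.31 GET https://example.com/ 200',
]

# Constructed file events (as an EDR export might provide them); the benign hash is
# computed here rather than invented.
SAMPLE_FILE_EVENTS = [
    {'name': 'request.doc', 'sha256': DOCUMENT_SHA256.upper()},
    {'name': 'notes.docx', 'sha256': hashlib.sha256(b'benign content').hexdigest()},
]

if __name__ == '__main__':
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print('proxy hit:', hit)
    for name in match_file_hashes(SAMPLE_FILE_EVENTS):
        print('hash hit:', name)
```

Run it directly to print the hits. When adapting it, keep the host-level match as a lower-confidence alert: the document host may be a compromised legitimate site, so a bare host match should enrich an investigation rather than page someone on its own, while the exact C2 URL and the document hash are strong enough to act on.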
This potentially removes the reliance on a second-stage tool to obtain hands-on access.\r\nProofpoint observed the following indicators of compromise:\r\nIndicator | Type | Description\r\nhXXp://carwaded[.]com/cbfsd/P9G7gD1E6t9w22zQj/cC9DHcTHUKJV/ugnbvdk0EInGgeCqaLEYILzxL/zes1?ref=wU4bJ1ZLhoMc8BcRMMqy\u0026q=ELOKZymM | URL | Document payload\r\nhXXp://ruwejo[.]com/upload/admin.jsp | URL | SLIVER C2\r\nb7cc07bfc41e61a89e961dd5826fa2b4d47a85a5b5856d50f9a57667199635b3 | SHA256 | Document\r\nEmerging Threats Signature: ETPRO MALWARE Sliver Framework HTTP C2 sessionInit\r\nSource: https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity"
	],
	"report_names": [
		"ta551-uses-sliver-red-team-tool-new-activity"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd3a9d92a06c47416928faa09dafe16f67f125b4.pdf",
		"text": "https://archive.orkl.eu/bd3a9d92a06c47416928faa09dafe16f67f125b4.txt",
		"img": "https://archive.orkl.eu/bd3a9d92a06c47416928faa09dafe16f67f125b4.jpg"
	}
}