TA505, Graceful Spider, Gold Evergreen
Archived: 2026-04-06 02:06:40 UTC

APT group: TA505, Graceful Spider, Gold Evergreen

Names:
  TA505 (Proofpoint)
  Graceful Spider (CrowdStrike)
  Gold Evergreen (SecureWorks)
  Gold Tahoe (SecureWorks)
  TEMP.Warlock (FireEye)
  ATK 103 (Thales)
  SectorJ04 (ThreatRecon)
  Hive0065 (IBM)
  Chimborazo (Microsoft)
  Spandex Tempest (Microsoft)
  G0092 (MITRE)

Country: Russia

Motivation: Financial crime, Financial gain

First seen: 2006

Description (Proofpoint):
  Proofpoint researchers track a wide range of threat actors involved in both financially motivated cybercrime and s
  largest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan, Locky ransomw
  Because TA505 is such a significant part of the email threat landscape, this blog provides a retrospective on the shifting malwa
  Rockloader that appear to be exclusive to this group as well as more widely distributed malware like Dridex and Pony. Where
  TA505 is arguably one of the most significant financially motivated threat actors because of the extraordinary volumes of mes
  underground malware scene. At the time of writing, Locky ransomware remains their malware of choice, even as the group co
  Much of the malware from TA505 has been observed to be distributed using Avalanche, Cutwail (operated by Narwhal Spider)
  TA505 also has some infrastructure overlap with Buhtrap, Ratopak Spider and Group-IB found several relationships with Silen
  The Dridex development appears to have been done by a subgroup named Indrik Spider and, by extension, Doppel Spider.
  See also: Dungeon Spider and FIN11.

Observed:
  Sectors: Education, Financial, Healthcare, Hospitality, Retail.
  Countries: Worldwide.
Tools used:
  Amadey, AndroMut, Bart, CryptoLocker, CryptoMix, Dridex, Dudear, EmailStealer, FlawedAmmyy, FlawedGrace, FlowerPip
  Philadelphia, Pony, ReflectiveGnome, RockLoader, RMS, SDBbot, ServHelper, Shifu, Snatch, TeslaGun, TinyMet, Zeus, Livi

Operations performed:
  Oct 2017: On October 10, TA505 introduced their first geo-targeted campaign dropping either Locky or The Trick banking
  Jun 2018: We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we obs
            with an embedded SettingContent-ms file.
  Nov 2018: ServHelper and FlawedGrace – New malware introduced by TA505
  Apr 2019: LOLBins and a New Backdoor Malware
  May 2019: In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian orga
            capabilities and its possible attribution, discovering a potential expansion of the TA505 operation.
  Jun 2019: In June 2019, TA505 appears to have introduced yet another new downloader malware, AndroMut, which has so
  2019: TA505 hacking crew spent much of 2019 trying to breach South Korea's financial sector
  2019: In this newly discovered campaign from TA505, threat actors targeted German companies with trojanized emails
            techniques could easily be applied to any organization.
            Once the email attachment was activated, a company's secure credentials and credit card data could be transmitte
            users files, which suggests this recent activity could also lay the groundwork for an infection vector into the com
  Jan 2020: Microsoft says that an ongoing TA505 phishing campaign is using attachments featuring HTML redirectors for d
  Jun 2020: To evade detection, hackers are requiring targets to complete CAPTCHAs
  Sep 2021: Explosive New MirrorBlast Campaign Targets Financial Companies
  Sep 2021: Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant

  Oct 2010: Operation “Trident Breach”
            FBI announces arrests in $70 million cyber-theft
  Mar 2012: John Doe lawsuit against the Zeus operator
  Jun 2014: Operation “Tovar”
            Dell SecureWorks Contributes to Efforts Targeting Gameover Zeus and CryptoLocker

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=0ac7cc26-cb85-42f7-a2c1-41762b2e2541