{
	"id": "fc53e6fa-86cb-4f3a-9a8a-032cdff7d1e3",
	"created_at": "2026-04-06T00:08:37.546201Z",
	"updated_at": "2026-04-10T03:36:37.070865Z",
	"deleted_at": null,
	"sha1_hash": "d2905dae32119f1b71fc7d381d635dbc75355997",
	"title": "TA505 returns with a new bag of tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47412,
	"plain_text": "TA505 returns with a new bag of tricks\r\nBy Deutsche Telekom AG\r\nPublished: 2020-06-16 · Archived: 2026-04-05 13:17:36 UTC\r\nIn one of my last blog posts I already introduced TA505, an advanced threat actor, and their recent tool set to you. In this blog post I’ll show you some new techniques that they’ve recently adopted to increase their financial gain and to improve their operational security.\r\nCybersecurity: This TA505 threat actor has been active since at least 2014. Thomas Barabosch gives an overview of the hacking tools that TA505 currently uses.\r\nTA505 is a cybercrime threat actor that conducts Big Game Hunting operations. In short, Big Game Hunting means selectively targeting organizations with ransomware in order to achieve huge ransom payouts. Today, organizations should also treat ransomware events as data breaches, since ransomware actors steal data before encrypting it and leverage this data during the negotiation phase. If the victim organization does not pay the ransom, ransomware gangs publish the stolen data on their data leak websites. TA505 runs their own data leak website “CL0P^-LEAKS”. In addition to these Big Game Hunting operations, there is also a possible connection to another, more targeted activity cluster, which is closely related to TA505. Want to dive deeper here?\r\nSince the beginning of June 2020, TA505 continues their operation with massive spam campaigns. Within a couple of days, they have run several campaigns: on 2020-06-02 and 2020-06-03, they started by targeting Germany; on 2020-06-04 and 2020-06-05, I observed them targeting Canada; and on 2020-06-08 as well as 2020-06-12, they ran rather broad campaigns targeting many countries worldwide, including Europe (Germany, Slovakia, UK) and America (USA). In this blog post, I review the recently observed activities and point out some interesting changes.\r\nSame TTPs with some interesting changes\r\nThe TTPs that I have observed since the return of TA505 align mostly with the TTPs from earlier this year. To sum up, the initial attack vector is still spam. This spam carries an HTML file that redirects the victim via compromised websites to an XLS maldoc. The maldoc comprises macros and asks the victim to enable them. Once enabled, the XLS maldoc drops their downloader called Get2, which in turn downloads their Remote Administration Tool (RAT) SDBBot. From this point on, we must assume that a human operator explores the local network and as an ultimate goal may deploy the ransomware Clop. This is common in today’s human-operated ransomware attacks.\r\nSo far, so good. But there are some notable changes that I observed within the last months. Since the beginning of this year, the HTML redirectors that they attach to their spam mails mimic the DDoS protection service of Cloudflare in order to make the victim believe that they are redirected by a legitimate service.\r\nDDoS protection service of Cloudflare.\r\nhttps://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104\r\nPage 1 of 3\r\nSince this month, they added the Google service “reCAPTCHA” to these HTML redirectors. On one side, this increases credibility from the victim’s point of view. On the other side, this hinders automatic analysis of their infrastructure by sandbox systems and individual researchers.\r\nGoogle service “reCAPTCHA”.\r\nAnother interesting change is that TA505 jumped on the data leak bandwagon. Today, ransomware actors steal data from victim networks before they actually conduct the ransomware attack. During the negotiation phase of the ransom, these actors utilize this stolen data in order to increase the pressure on the victim and threaten to publish the data if the victim does not pay. TA505 created their data leak website “CL0P^-LEAKS” for exactly this purpose. As a consequence, victims of these recent TA505 campaigns should not only treat this as a ransomware event but should also prepare for a possible data breach.\r\nData leak website “CL0P^-LEAKS”.\r\nSDBBot beefs up with Certificate Pinning\r\nSDBBot is TA505’s currently preferred RAT, which they use during the human-operated phase of their ransomware attacks. During the spam campaigns that I observed in June 2020, they continued to distribute SDBBot to their victims.\r\nSDBBot went through a number of iterations when looking at its version numbers. For instance, samples that TA505 distributed in November 2019 were tagged with version number 2.3. The samples that they distributed in June 2020 are tagged with version number 3.9.\r\nOne addition that struck my eye was the addition of Transport Layer Security (TLS) to ensure communication security. TLS is definitely on the rise in malware. It is estimated that almost one quarter of malware utilizes TLS for its communication. SDBBot’s actual implementation is based on the open source TLS library “Mbed TLS”. While using TLS is not out of the ordinary for malware in 2020, SDBBot comes with certificate pinning, which is not very common for Windows-based cybercrime malware. In a nutshell, the malware comes with an embedded X509 certificate that is associated with its command and control (CC) server. When the malware connects to its CC server, it checks if the server’s X509 certificate matches its embedded certificate. If it does not match, then the malware refuses to talk to the CC server. The following screenshot shows the embedded X509 certificate observed in an SDBBot sample from 2020-06-08.\r\nEmbedded X509 certificate observed in an SDBBot sample from 2020-06-08.\r\nThe use of TLS and certificate pinning has three consequences. First, the communication between bot and CC server is cryptographically protected and eavesdropping is not possible without intrusive measures. Second, the certificate pinning ensures that bots cannot be taken over by claiming the CC server’s domain. Third, the reverse engineering of the malware’s communication protocol is more difficult since analysts have to patch the embedded certificate in order to make the malware talk to them.\r\nConclusion\r\nTA505 is back and they probably will not go away soon. They continue with mostly the same TTPs that they have utilized since at least Summer 2019. However, they naturally evolve and adjust their tactics to ensure constant success of their operations. On the one hand, they jumped on the data leak bandwagon with their website “CL0P^-LEAKS”. On the other hand, they continue to improve their tools like SDBBot, which gained new features like certificate pinning.\r\nAppendix: List of IoCs\r\nIoC Description\r\ne3f57d7d933d19d190ff27ec455875ac SDBBot installer x86, version 3.9\r\na66e9afbba9b0f014d0774070b59c79e SDBBot installer x64, version 3.9\r\ns77657453-onedrive[.]com SDBBot domain (2020-06-12)\r\ns89065339-onedrive[.]com SDBBot domain (2020-06-12)\r\ns3-ap-southeast-1-amazonaws[.]com SDBBot domain (2020-06-02)\r\ns3-ap-southeast-2-amazonaws[.]com SDBBot domain (2020-06-02)\r\nSource: https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104"
	],
	"report_names": [
		"cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2905dae32119f1b71fc7d381d635dbc75355997.pdf",
		"text": "https://archive.orkl.eu/d2905dae32119f1b71fc7d381d635dbc75355997.txt",
		"img": "https://archive.orkl.eu/d2905dae32119f1b71fc7d381d635dbc75355997.jpg"
	}
}