{
	"id": "8fb23e06-e526-49d6-b45f-5606891d6dfe",
	"created_at": "2026-04-06T00:17:30.024197Z",
	"updated_at": "2026-04-10T03:34:54.837011Z",
	"deleted_at": null,
	"sha1_hash": "d3362d39321bf61fa7c70f916ee410ad6525cc88",
	"title": "TA2541: Threats to Aviation, Aerospace, \u0026 Travel | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1292848,
	"plain_text": "TA2541: Threats to Aviation, Aerospace, \u0026 Travel | Proofpoint US\r\nBy February 15, 2022 Selena Larson and Joe Wise\r\nPublished: 2022-02-09 · Archived: 2026-04-02 10:44:41 UTC\r\nKey Findings  \r\nProofpoint researchers have tracked a persistent cybercrime threat actor targeting aviation, aerospace,\r\ntransportation, manufacturing, and defense industries for years.  \r\nThe threat actor consistently uses remote access trojans (RATs) that can be used to remotely control\r\ncompromised machines.  \r\nThe threat actor uses consistent themes related to aviation, transportation, and travel. The threat actor has\r\nused similar themes and targeting since 2017. \r\nProofpoint calls this actor TA2541. \r\nOverview  \r\nTA2541 is a persistent cybercriminal actor that distributes various remote access trojans (RATs) targeting the\r\naviation, aerospace, transportation, and defense industries, among others. Proofpoint has tracked this threat actor\r\nsince 2017, and it has used consistent tactics, techniques, and procedures (TTPs) in that time. Entities in the\r\ntargeted sectors should be aware of the actor's TTPs and use the information provided for hunting and detection.  \r\nTA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this\r\nactor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group\r\npivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting\r\nthe payload. Proofpoint assesses TA2541 is a cybercriminal threat actor due to its use of specific commodity\r\nmalware, broad targeting with high volume messages, and command and control infrastructure.  \r\nWhile public reporting detailing similar threat activities exists since at least 2019, this is the first time Proofpoint\r\nis sharing comprehensive details linking public and private data under one threat activity cluster we call TA2541. 
\r\n \r\nCampaign Details  \r\nUnlike many cybercrime threat actors distributing commodity malware, TA2541 does not typically use current\r\nevents, trending topics, or news items in its social engineering lures. In nearly all observed campaigns, TA2541\r\nuses lure themes that include transportation-related terms such as flight, aircraft, fuel, yacht, charter, etc.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight\r\nPage 1 of 11\n\nFigure 1: Email lure requesting information on aircraft parts.  \r\nFigure 2: Email lure requesting ambulatory flight information. \r\nTA2541 demonstrates persistent and ongoing threat activity since January 2017. Typically, its malware campaigns\r\ninclude hundreds to thousands of messages, although it is rare to see TA2541 send more than 10,000 messages at\r\none time. Campaigns impact hundreds of organizations globally, with recurring targets in North America, Europe,\r\nand the Middle East. Messages are nearly always in English. \r\nIn the spring of 2020, TA2541 briefly pivoted to adopting COVID-related lure themes consistent with their overall\r\ntheme of cargo and flight details. For example, they distributed lures associated with cargo shipments of personal\r\nprotective equipment (PPE) or COVID-19 testing kits.  \r\nFigure 3: PPE-themed lure used by TA2541.  \r\nThe adoption of COVID-19 themes was brief, and the threat actor quickly returned to generic cargo, flight,\r\ncharter, etc. themed lures.   \r\nMultiple researchers have published data on similar activities since 2019, including Cisco\r\nTalos, Morphisec, Microsoft, Mandiant, and independent researchers. Proofpoint can confirm the activities in\r\nthese reports overlap with the threat actor tracked as TA2541.  
\r\nDelivery and Installation \r\nIn recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an\r\nobfuscated Visual Basic Script (VBS) file. If executed, PowerShell pulls an executable from a text file hosted on\r\nvarious platforms such as Pastetext, Sharetext, and GitHub. The threat actor executes PowerShell into various\r\nWindows processes and queries Windows Management Instrumentation (WMI) for security products such as\r\nantivirus and firewall software, and attempts to disable built-in security protections. The threat actor will collect\r\nsystem information before downloading the RAT on the host. \r\nFigure 4: Example attack chain. \r\nWhile TA2541 consistently uses Google Drive, and occasionally OneDrive, to host the malicious VBS files,\r\nbeginning in late 2021, Proofpoint observed this group begin using DiscordApp URLs linking to a compressed file\r\nwhich led to either AgentTesla or Imminent Monitor. Discord is an increasingly popular content delivery network\r\n(CDN) used by threat actors.  \r\nAlthough TA2541 typically uses URLs as part of the delivery, Proofpoint has also observed this actor leverage\r\nattachments in emails. For example, the threat actor may send compressed executables such as RAR attachments\r\nwith an embedded executable containing a URL to CDNs hosting the malware payload. \r\nListed below is an example of a VBS file used in a recent campaign leveraging the StrReverse function and\r\nPowerShell’s RemoteSigned functionality. It is worth noting the VBS files are usually named to stay consistent\r\nwith the overall email themes: flight, aircraft, fuel, yacht, charter, etc. \r\nFigure 5: Contents of a sample VBS file.  
\r\nDeobfuscated command:  \r\nhttps://paste[.]ee/r/01f2w/0 \r\nThe figure below depicts an example from a recent campaign where the PowerShell code is hosted on the paste.ee\r\nURL. \r\nFigure 6: Paste URL example. \r\nPersistence: \r\nTypically, TA2541 will use Visual Basic Script (VBS) files to establish persistence with one of their favorite\r\npayloads, AsyncRAT. This is accomplished by adding to the Startup directory a VBS file that points to a\r\nPowerShell script. Note: the VBS and PowerShell file names used are mostly chosen to mimic Windows or system\r\nfunctionality. Examples from recent campaigns include: \r\nPersistence Example: \r\nC:\\Users\\[User]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SystemFramework64Bits.vbs   \r\nContents of VBS file: \r\nSet Obj = CreateObject(\"WScript.Shell\") \r\nObj.Run \"PowerShell -ExecutionPolicy RemoteSigned -File \" \u0026 \"C:\\Users\\[User]\\AppData\\Local\\Temp\\RemoteFramework64.ps1\", 0 \r\nOther Recent VBS File Names Observed \r\nUserInterfaceLogin.vbs \r\nHandlerUpdate64Bits.vbs \r\nWindowsCrashReportFix.vbs \r\nSystemHardDrive.vbs \r\nTA2541 has also established persistence by creating scheduled tasks and adding entries in the registry. For\r\ninstance, in November 2021 TA2541 distributed the payload Imminent Monitor using both of these methods. In\r\nrecent campaigns, vjw0rm and STRRAT also leveraged task creation and adding entries to the registry. 
For\r\nexample:  \r\nScheduled Task: \r\nschtasks.exe /Create /TN \"Updates\\BQVIiVtepLtz\" /XML C:\\Users\\[User]\\AppData\\Local\\Temp\\tmp7CF8.tmp \r\nschtasks /create /sc minute /mo 1 /tn Skype /tr \"C:\\Users\\[User]\\AppData\\Roaming\\xubntzl.txt\" \r\nRegistry: \r\nKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost \r\nData: C:\\Users\\[User]\\AppData\\Roaming\\server\\server.exe \r\nKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\xubntzl \r\nData: C:\\Users\\User\\AppData\\Roaming\\xubntzl.txt \r\nMalware \r\nProofpoint has observed TA2541 using over a dozen different malware payloads since 2017. The threat actor uses\r\ncommodity malware available for purchase on criminal forums or available in open-source repositories. Currently,\r\nTA2541 prefers AsyncRAT, but other popular RATs include NetWire, WSH RAT and Parallax.   \r\nFigure 7: Malware used by TA2541 associated with message volume. \r\nAll the malware used by TA2541 can be used for information gathering purposes and to gain remote control of an\r\ninfected machine. At this time, Proofpoint does not know what the threat actor’s ultimate goals and objectives are\r\nonce it achieves initial compromise. \r\nWhile AsyncRAT is the current malware of choice, TA2541 has varied its malware use each year since 2017. The\r\nthreat actor will typically use just one or a handful of RATs in observed campaigns; however, in 2020, Proofpoint\r\nobserved TA2541 distributing over 10 different types of malware, all using the same initial infection chain.  \r\nFigure 8: Distribution of TA2541 malware over time. \r\nInfrastructure \r\nTA2541 uses Virtual Private Servers as part of their email sending infrastructure and frequently uses Dynamic\r\nDNS (DDNS) for C2 infrastructure.   
\r\nThere are multiple patterns across the C2 infrastructure and the message artifacts. For example, historic campaigns\r\nhave included the term “kimjoy” in the C2 domain name as well as in the threat actor reply-to address. Another\r\nstriking TTP is the common pattern observed with TA2541 C2 domains and payload staging URLs containing the\r\nkeywords “kimjoy,” “h0pe,” and “grace”. TA2541 also regularly uses the same domain registrars including\r\nNetdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.  \r\nVictimology \r\nOften, campaigns contained several hundred to several thousand email messages to dozens of different\r\norganizations. Although Proofpoint has observed TA2541 targeting thousands of organizations, multiple entities\r\nacross aviation, aerospace, transportation, manufacturing, and defense industries appear regularly as targets of its\r\ncampaigns. There appears to be a wide distribution across recipients, indicating TA2541 does not target people\r\nwith specific roles and functions.  \r\nConclusion  \r\nTA2541 remains a consistent, active cybercrime threat, especially to entities in its most frequently targeted\r\nsectors. Proofpoint assesses with high confidence this threat actor will continue using the same TTPs observed in\r\nhistoric activity with minimal change to its lure themes, delivery, and installation. It is likely TA2541 will\r\ncontinue using AsyncRAT and vjw0rm in future campaigns and will likely use other commodity malware to\r\nsupport its objectives. 
\r\nIndicators of Compromise (IOCs)  \r\nVBS SHA256 Hashes \r\nVBS SHA256 hashes observed in recent December and January campaigns.  
\r\nFile Name: Aircrafts PN#_ALT PN#_Desc_\u0026_Qty Details.vbs \r\nSHA256: 67250d5e5cb42df505b278e53ae346e7573ba60a06c3daac7ec05f853100e61c \r\nFile Name: charters details.pdf.vbs \r\nSHA256: ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6 \r\nFile Name: charters details.pdf.vbs \r\nSHA256: 4717ee69d28306254b1affa7efc0a50c481c3930025e75366ce93c99505ded96 \r\nFile Name: 4Pax Trip Details.pdf.vbs \r\nSHA256: d793f37eb89310ddfc6d0337598c316db0eccda4d30e34143c768235594a169c \r\nET Signatures    \r\n2034978 - ET POLICY Pastebin-style Service (paste .ee) in TLS SNI \r\n2034979 - ET HUNTING Powershell Request for paste .ee Page \r\n2034980 - ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded \r\n2850933 - ETPRO HUNTING Double Extension VBS Download from Google Drive \r\n2850934 - ETPRO HUNTING Double Extension PIF Download from Google Drive \r\n2850936 - ETPRO HUNTING VBS Download from Google Drive  \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight"
	],
	"report_names": [
		"charting-ta2541s-flight"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3362d39321bf61fa7c70f916ee410ad6525cc88.pdf",
		"text": "https://archive.orkl.eu/d3362d39321bf61fa7c70f916ee410ad6525cc88.txt",
		"img": "https://archive.orkl.eu/d3362d39321bf61fa7c70f916ee410ad6525cc88.jpg"
	}
}