{
	"id": "e2b1cb7f-034c-45be-b50e-76cbed02e827",
	"created_at": "2026-04-06T00:06:35.684339Z",
	"updated_at": "2026-04-10T03:36:37.112054Z",
	"deleted_at": null,
	"sha1_hash": "d44996d59fd84e653e79ac52da8e0d1f6189380d",
	"title": "Threat Actor Profile: TA505, From Dridex to GlobeImposter | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 479696,
	"plain_text": "Threat Actor Profile: TA505, From Dridex to GlobeImposter |\r\nProofpoint US\r\nBy September 27, 2017 Proofpoint Staff\r\nPublished: 2017-09-27 · Archived: 2026-04-05 14:04:26 UTC\r\nOverview\r\nProofpoint researchers track a wide range of threat actors involved in both financially motivated cybercrime and\r\nstate-sponsored actions. One of the more prolific actors that we track - referred to as TA505 - is responsible for the\r\nlargest malicious spam campaigns we have ever observed, distributing instances of the Dridex banking Trojan,\r\nLocky ransomware, Jaff ransomware, The Trick banking Trojan, and several others in very high volumes.\r\nBecause TA505 is such a significant part of the email threat landscape, this blog provides a retrospective on the\r\nshifting malware, payloads, and campaigns associated with this actor. We examine their use malware such as Jaff,\r\nBart, and Rockloader that appear to be exclusive to this group as well as more widely distributed malware like\r\nDridex and Pony. Where possible, we detail the affiliate models with which they are involved and outline the\r\ncurrent state of TA505 campaigns.\r\nThe infographic in Figure 1 traces the earliest known dates on which TA505 began distributing particular malware\r\nstrains, beginning with Dridex in 2014 and most recently when they elevated GlobeImposter and Philadelphia\r\nfrom small, regionally targeted ransomware variants to global threats.\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter\r\nPage 1 of 10\n\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter\r\nPage 2 of 10\n\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter\r\nPage 3 of 10\n\nFigure 1: Timeline of TA505 malware introductions\r\nOf note is TA505’s use of the Necurs botnet [1] to drive their massive spam campaigns. 
As we saw in both 2016\r\nand 2017, disruptions to Necurs went hand-in-hand with quiet periods from TA505. When the botnet came back\r\nonline, TA505 campaigns quickly returned [2], usually at even greater scale than before the disruption.\r\nThe following is a more detailed description of the malware and notable campaign attributes associated with\r\nTA505.\r\nDridex\r\nThe now infamous Dridex banking Trojan can trace much of its DNA to Cridex and Bugat [3]. Dridex itself\r\nappeared shortly after the Zeus banking Trojan was taken down. It was originally documented [4] on July 25,\r\n2014 (or June 22, 2014, according to Kaspersky [5]) and the first campaign we observed in which TA505\r\ndistributed Dridex occurred three days later on July 28. Although a number of actors have distributed Dridex,\r\nTA505 operates multiple affiliate IDs, including what appears to be the earliest recorded affiliate, botnet ID 125.\r\nThese early campaigns were distributed via the Lerspeng downloader while later campaigns occasionally used\r\nPony or Andromeda as intermediate loaders to distribute various instances of Dridex.\r\nAlthough TA505 initially distributed Dridex botnet ID 125, they were observed using botnet ID 220 in March\r\n2015 and botnet ID 223 in December of that year. Later, they were also associated with botnet IDs 7200 and 7500.\r\nThese botnets generally target the following regions:\r\n125: UK, US, and Canada\r\n220: UK and Australia\r\n223: Germany\r\n7200: UK\r\n7500: Australia\r\nThe group has routinely distributed the malware in larger campaigns than any other actor, regularly spamming\r\nmillions of recipients.\r\nFigure 2: Indexed Dridex message volume since TA505 began distributing the banking Trojan in 2014\r\nTA505 continued distributing Dridex through early June 2017 using a range of email attachments. 
Most recently\r\nthese included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call\r\nPowerShell commands that install Dridex. However, because of the length of time for which the group has been\r\ndistributing Dridex, distribution mechanisms trace the state of the art for the last two years of email campaigns\r\nwith techniques ranging from straight macro documents to a variety of zipped scripts.\r\nShifu\r\nIn October 2015, we observed several campaigns in which TA505 targeted Japanese and UK organizations with\r\nthe Shifu banking Trojan [6]. Shifu is relatively common in Japan but was a new addition to TA505’s toolbox. It\r\nappears that they introduced Shifu after high-profile law enforcement actions impacted Dridex distribution.\r\nHowever, TA505 was also among the first actors to return to high-volume Dridex distribution this same month,\r\neven as they demonstrated their ability to diversify and deliver threats beyond Dridex.\r\nAs with many of their other campaigns, TA505 delivered Shifu through macro-laden Microsoft Office document\r\nattachments.\r\nLocky\r\nTA505 introduced Locky [7] ransomware in February 2016. After alternating for over four months with Dridex,\r\nLocky became the payload of choice for TA505, eclipsing earlier campaigns in terms of volume and reach. 
TA505\r\nstopped distributing Dridex in July 2016, relying almost exclusively on Locky through December of that year.\r\nLike Dridex, Locky is also distributed in an affiliate model; TA505 exclusively distributes Locky Affid=3.\r\nFigure 3: Indexed Locky message volume since TA505 began distributing the ransomware in early 2016\r\nFigure 4 shows the evolution of Dridex and Locky campaigns over more than two years:\r\nLow-volume campaigns distributed Dridex during much of 2015\r\nModerate volumes of Dridex appeared from the end of 2015 through February 2016; it is worth noting that\r\nthese “moderate volume” campaigns were, at the time, the largest campaigns ever observed.\r\nAlternating Dridex and Locky campaigns of varying volumes appeared through May 2016.\r\nA lull in June 2016 [1] associated with a disruption in the Necurs botnet; TA505 is heavily reliant on this\r\nmassive botnet to send out high-volume malicious spam campaigns, and disappearances of TA505 activity\r\nfrequently accompany disruptions in Necurs.\r\nExtremely high-volume campaigns distributing Locky exclusively in July 2016, consistently delivering\r\ntens of millions of messages.\r\nAnother lull in November 2016 saw the complete absence of Locky and Dridex, while high-volume\r\ncampaigns reappeared in December, albeit at lower volumes than during the Q3 2016 peak.\r\nAn expected break following the 2016-2017 winter holidays turned into an unexplained three-month\r\nhiatus [8] for TA505.\r\nLarge-scale Dridex and Locky campaigns returned in Q2 2017, although none reached the volumes we\r\nobserved in mid-2016.\r\nLater campaigns saw new attachment types, even as Dridex and Locky payloads remained largely\r\nunchanged.\r\nLocky distribution ceased in June and 
July but returned in August with volumes rivaling the peaks of 2016.\r\nTA505 turned to URLs in early August 2017 to distribute Locky, finally eschewing the document or\r\nzipped-script attachments that have characterized the majority of their Locky campaigns since February\r\n2016; most of these URLs linked to malicious documents and scripts.\r\nBy late August, TA505 had turned back to large attachment campaigns, primarily distributing various\r\nzipped scripts that downloaded Locky. The group continued this pattern with occasional URL campaigns\r\nand attached HTML files bearing malicious links.\r\nFigure 4: Indexed Dridex vs. Locky message volume since TA505 began distributing Dridex in early 2015\r\nRockloader\r\nTA505 first introduced Rockloader [9] in April 2016 as an intermediate loader for Locky. At that time, Rockloader\r\nwas the initial payload downloaded by malicious attached JavaScript files. Once Rockloader was installed, it\r\ndownloaded Locky and, in some cases, Pony and Kegotip. Pony is another loader with information-stealing\r\ncapabilities, while Kegotip is a credential and email address harvesting malware strain that would appear in a\r\nsmall number of TA505 campaigns the following year as the primary payload.\r\nBart\r\nBart ransomware [10] appeared for exactly one day on June 24, 2016. It was a secondary payload downloaded by\r\nRockloader, the initial payload in a large email campaign using zipped JavaScript attachments. The Bart ransom\r\nscreen was visually similar to Locky’s but Bart had one important distinction: it could encrypt files without\r\ncontacting a command and control server. However, we have not seen Bart since, suggesting that this was either\r\nan experiment or that the ransomware did not function as expected for TA505.\r\nKegotip\r\nTA505 briefly distributed the Kegotip information stealer in April 2017. 
Across two campaigns of several million\r\nmessages each, the actor used both macro-laden Microsoft Word documents and zipped VBScript attachments to\r\ninstall the Trojan on potential victim PCs. Kegotip is an infostealer (credentials and email addresses) used to\r\nfacilitate other crimeware activities. It steals credentials from various FTP clients, Outlook, and Internet Explorer.\r\nIt will also gather email addresses scraped from files stored on the computer. This information can be used to\r\nfacilitate future spam campaigns by the perpetrator or may be sold to other actors.\r\nJaff\r\nTA505 introduced Jaff ransomware [11] in May 2017. Jaff was not dramatically different from other ransomware\r\nstrains. The payment portal was initially similar to the one used by Locky and Bart. It was primarily notable for its\r\nhigh-volume campaigns and its association with TA505, given the actor’s propensity for massive campaigns and\r\nability to dominate the email landscape. Jaff appeared in multi-million message campaigns for roughly a month\r\nand then promptly disappeared as soon as a decryptor was released in mid-June 2017.\r\nThe Trick\r\nThe Trick, also known as Trickbot, is another banking Trojan that TA505 first began distributing in June 2017,\r\nalthough we have observed The Trick in the wild since fall 2016, usually in regionally targeted campaigns. It is\r\ngenerally considered a descendant of the Dyreza banking Trojan and features multiple modules. The main bot is\r\nresponsible for persistence, the downloading of additional modules, loading affiliate payloads, and loading\r\nupdates for the malware.\r\nAs with much of the malware distributed by TA505, The Trick has appeared in frequent, high-volume campaigns.\r\nThe campaigns used a mix of attached zipped scripts (WSF, VBS), malicious Microsoft Office documents (Word,\r\nExcel), HTML attachments, password-protected Microsoft Word documents, links to malicious JavaScript, and\r\nother vectors. 
The last TA505 campaigns featuring The Trick appeared in mid-September 2017 with payloads\r\nalternating between Locky and The Trick.\r\nPhiladelphia\r\nPhiladelphia ransomware has been circulating since September 2016. It first attracted our attention in April\r\n2017 [12] when we observed an actor customizing the malware for use in highly targeted campaigns. In a brief\r\nstint, TA505 distributed it in one large campaign in July 2017, but we have not seen them use it since.\r\nGlobeImposter\r\nGlobeImposter is another ransomware strain that saw relatively small-scale distribution until TA505 began\r\nincluding it in malicious spam campaigns at the end of July 2017. TA505 primarily distributed GlobeImposter in\r\nzipped script attachments through the beginning of September 2017. Again, GlobeImposter is not particularly\r\ninnovative, but TA505 elevated the ransomware from a regional variant to a major landscape feature during\r\nroughly six weeks of large campaigns.\r\nConclusion\r\nTA505 is arguably one of the most significant financially motivated threat actors because of the extraordinary\r\nvolumes of messages they send. The variety of malware delivered by the group also demonstrates their deep\r\nconnections to the underground malware scene. 
At the time of writing, Locky ransomware remains their malware\r\nof choice, even as the group continues to experiment with a variety of additional malware.\r\nThe history of TA505 is instructive because they\r\nHave proven to be highly adaptable, shifting techniques and malware frequently to “follow the money”,\r\nwhile largely sticking to successful strategies where possible\r\nAre flexible, using largely interchangeable components, innovating where necessary on the malware front\r\nand using off-the-shelf malware where possible\r\nOperate at massive scale, consistently driving global trends in malware distribution and message volume.\r\nEach of these elements makes TA505 a magnifying lens through which to consider the framework employed by\r\nmany modern threat actors. Such a framework typically consists of five elements:\r\n1. Actor: The attacker organization; real humans driven by various motivations -- In the case of TA505, the\r\nmotivations are financial.\r\n2. Vector: The delivery mechanism; email via attacker-controlled or leased spam botnet -- Necurs for TA505\r\n-- remains a dominant vector, and certainly the vector of choice for this actor.\r\n3. Hoster: The sites hosting malware; if malware is not directly attached to email, then macro-enabled\r\ndocuments, malicious scripts, or exploit kits will pull payloads from these servers. TA505 almost\r\nexclusively hosts malware in this way, although they vary the means of installing their final payloads on\r\nvictim machines.\r\n4. Payload: The malware; software that will enable the attacker to make use of (control, exfiltrate data from,\r\nor download more software to) the target computer. For TA505, the payloads have shifted over the years\r\nand months of their activity, but their sending and hosting infrastructure make these changes relatively\r\nsimple to implement.\r\n5. C\u0026C: The command and control channel that serves to relay commands between the installed malware\r\nand attackers. 
TA505 operates a variety of C\u0026C servers, allowing it to be resilient in the case of\r\ntakedowns, sinkholes, and other defensive operations.\r\nThis framework enables attackers to operate in robust, horizontally segmented ecosystems, specializing in\r\ndeveloping certain parts of the framework, and selling or leasing to others; such frameworks are resistant to\r\ntakedowns and individual component failures. But such frameworks also increase attackers' detection surface, that\r\nis, their susceptibility to discovery. In the case of TA505, while most elements of the framework are well-developed, their reliance on the Necurs botnet for sending high-volume malicious spam - a key component of\r\nthe Vector element above - appears to be their Achilles heel.\r\nBy tracking each of these elements, defenders can infer other elements and take the appropriate defensive\r\nmeasures. We will continue to track this actor, which, despite significant occasional disruptions to their sending\r\ninfrastructure, appears to be on track to continue driving the majority of malicious email in the months to come.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-outage-crimps-dridex-and-locky-distribution\r\n[2] https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-returns-with-updated-locky-ransomware-in-tow\r\n[3] https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation\r\n[4] https://www.s21sec.com/en/blog/2014/07/new-feodo-variant-follows-geodo-steps/\r\n[5] https://securelist.com/dridex-a-history-of-evolution/78531/\r\n[6] https://www.proofpoint.com/us/threat-insight/post/Not-Yet-Dead\r\n[7] https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky\r\n[8] https://www.proofpoint.com/us/threat-insight/post/2017-q1-threat-report-findings\r\n[9] 
https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware\r\n[10] https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky\r\n[11] https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart\r\n[12] https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter"
	],
	"report_names": [
		"threat-actor-profile-ta505-dridex-globeimposter"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d44996d59fd84e653e79ac52da8e0d1f6189380d.pdf",
		"text": "https://archive.orkl.eu/d44996d59fd84e653e79ac52da8e0d1f6189380d.txt",
		"img": "https://archive.orkl.eu/d44996d59fd84e653e79ac52da8e0d1f6189380d.jpg"
	}
}