{
	"id": "9a6cb02e-66cc-4ee1-996f-d3ca7dfde951",
	"created_at": "2026-04-06T00:22:38.733013Z",
	"updated_at": "2026-04-10T03:36:37.05568Z",
	"deleted_at": null,
	"sha1_hash": "dc1e33d498574f9c682f94746d008ed428c1224c",
	"title": "TA505’s modified loader means new attack campaign could be coming",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32723,
	"plain_text": "TA505’s modified loader means new attack campaign could be coming\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 19:00:25 UTC\r\nAfter months of inactivity, hacking group TA505's Get2 loader has sprung back into operation, possibly signaling that the group is ready for a new round of malicious activity.\r\nOn December 14, 2020, the Get2 loader resurfaced with new download-and-execute configuration parameters named \"LD\" and \"ED.\" Intel 471 last observed the loader in operation on September 14, 2020.\r\nThe \"LD\" parameter reflectively loads a downloaded dynamic-link library (DLL) file into the address space of the current process and calls its entry point. The \"ED\" parameter copies the DLL into executable memory and invokes the entry point directly. The preexisting \"RD\" parameter, which was used to inject the downloaded DLL into EXCEL.EXE, can now perform injection into WINWORD.EXE as well.\r\nThe reconfigured loader is meant to allow the group to carry out its operations without drawing the attention of enterprise defenses. In the past, it has been used to download SDBbot, FlawedGrace and other malware.\r\nTA505 is a prolific Russian-speaking, financially motivated group that is known for launching large-scale targeted attacks. The group was most recently discovered going after German-speaking targets with weaponized CVs. Intel 471 also observed the group going after targets in Japan, South Korea and the United Arab Emirates in 2019. Once the group's malware or actions are caught by researchers or the press, the group tends to go silent in an effort to reconfigure its tools.\r\nDrawing from past experience, Intel 471 believes that new, undiscovered malware campaigns will follow the introduction of the reconfigured Get2 loader.\r\n\"TA505 can be somewhat deliberate in how they operate, more so than most of the financially-motivated groups we track,\" said Intel 471 COO Jason Passwaters. \"Once things start ramping up like this, rest assured they are back at it with a target list in hand.\"\r\nIntel 471's adversary intelligence on major threat groups such as TA505, and its unique insight into their capabilities, intent and motivations, can be leveraged by threat intelligence teams to remain proactive and resilient against attacks as cybercriminals modify their TTPs.\r\nSource: https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/ta505-get2-loader-malware-december-2020/"
	],
	"report_names": [
		"ta505-get2-loader-malware-december-2020"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc1e33d498574f9c682f94746d008ed428c1224c.pdf",
		"text": "https://archive.orkl.eu/dc1e33d498574f9c682f94746d008ed428c1224c.txt",
		"img": "https://archive.orkl.eu/dc1e33d498574f9c682f94746d008ed428c1224c.jpg"
	}
}