{
	"id": "19132c26-7b07-46e0-8b0f-6cc2f5cea955",
	"created_at": "2026-04-06T00:16:01.108988Z",
	"updated_at": "2026-04-10T13:12:39.371634Z",
	"deleted_at": null,
	"sha1_hash": "e2d6a7a51ee7bab982f09755c44f751fe7fe5af2",
	"title": "SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6524579,
	"plain_text": "SteganoAmor campaign: TA558 mass-attacking companies and public\r\ninstitutions all around the world\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 18:26:21 UTC\r\nResearchers from the Positive Technologies Expert Security Center discovered more than three hundred attacks worldwide,\r\nwhich they confidently attributed to the well-known TA558 group.\r\nAs originally described by researchers at ProofPoint, TA558 is a relatively small financially motivated cybercrime group\r\nthat has attacked hospitality and tourism organizations mainly in Latin America, but has also been identified behind attacks\r\non North America and Western Europe. According to the researchers, the group has been active since at least 2018.\r\nIn the attacks that we studied, the group made extensive use of steganography by sending VBSs, PowerShell code, as well\r\nas RTF documents with an embedded exploit, inside images and text files. Interestingly, most of the RTF documents and\r\nVBSs have names like greatloverstory.vbs, easytolove.vbs,\r\niaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc,\r\nand others, associated with love, which is why we dubbed the campaign \"SteganoAmor\".\r\nVictims\r\nIn the course of our research, we discovered numerous samples that targeted various economic sectors and countries. Most\r\nof the email messages we came across had been sent to Latin America, but a considerable percentage were addressed\r\nto companies in Russia, Romania, Turkey, and some other countries.\r\nSome of the victims that we saw had legitimate FTP and SMTP servers, which the threat actor infected and utilized\r\nas C2 servers. They also used the infected SMTP servers to send phishing email.\r\nAs our research effort continued, we found servers with public directories in which the group placed files to be used in its\r\nattacks.\r\nFigure 1. 
An example of a public directory\r\nWe also found malware logs containing stolen data on the servers with public directories. For example, data stolen with the help\r\nof AgentTesla was stored in the form of HTML files whose names conformed to the following template:\r\nPW_*PC_name*_*date of exfiltration*_*time of exfiltration*.html\r\nThe files contained aggregated credentials for every known browser, email (for example, Outlook and Thunderbird) account\r\ncredentials, and remote access (VPN or RDP) credentials.\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/\r\nPage 1 of 25\n\nFigure 2. A log example\r\nThe logs included data from regular users, public institutions, and various businesses.\r\nWe discovered a total of more than 320 attacks targeting the following countries and sectors:\r\nAttacks by country (Figure 3 bar chart): Me… (label truncated in the chart) 45, Colombia 38, Chile 26, Argentina 25, Romania 24, Turkey 15, Brazil 13, Peru 13, Russia 12, Ecuador 12, Uruguay 11, Czech Republic 9, India 8, Poland 8, Dominican Republic 8, Spain 7, Germany 7, Pakistan 6, United States 6, Costa Rica 6, Guatemala 4, Indonesia 4, Slovenia 2, South Korea 2, Bulgaria 2, Thailand 2, Serbia 1, Lebanon 1, Macedonia 1, Algeria 1, Morocco 1 (total 320). © Positive Technologies\r\nFigure 3. Distribution of attacks by country\r\nIn the course of our research, we discovered attacks on specific companies. 
The number of attacks on specific targets differs\r\nsignificantly from the total number of discovered attacks, as we could not always find out who the victim was.\r\nAttacks by sector (Figure 4 pie chart), legend: Industrial sector, Service sector, Public sector, Electric power industry, Construction, Transportation companies, Sports, Information technology, Education, Religious organizations, Finance, Pharmaceutical industry; shares shown: 22%, 16%, 16%, 8%, 8%, 5%, 5%, 5%, 5%, 3%, 3%, 3%. © Positive Technologies\r\nFigure 4. Distribution of attacks by sector\r\nThe research begins\r\nWhile monitoring threats, members of the ESC team discovered a file named \"factura 00005111, 005114, 005115.pdf.xlam\"\r\n(SHA-256: 69ffd7a475c64517c9c1c0282fd90c47597e3d4650320158cfb8c189d591db8c). Linked files led them to an email\r\nmessage. The file name \"banned-20240117T134543-25672-12\" suggested that the message had reached the recipient but\r\nwas blocked by security systems. It was ostensibly sent to a Romanian company from another Romanian company:\r\nFigure 5. The phishing email with a malicious attachment\r\nThe sender's IP address, 46.27.49[.]180, was replaced with another. 
Our data indicated that the group had sent 22 other\r\nmessages from that IP address to various organizations starting on June 15, 2023.\r\nWhen the attachment is opened, an Excel macro downloads a file named \"packedtpodododod.exe\" (SHA-256: C42288A5946D2C3EB35E7485DD85936C1FABF49E46B12449C9136FF974A12F91) from the following URL:\r\n94.156.65[.]225/packedtpodododod.exe\r\nAn RTF file could be downloaded from the same IP address via the following URL:\r\n94.156.65[.]225/microsoftdecidedtodesignnewproducttoupdateandupgradenewprojectthingsonthepcandsystem.doc\r\nThis RTF variant carries an exploit for CVE-2017-11882 and downloads the next file in the chain from the URL:\r\n94.156.65[.]225/herewegoxla.exe\r\nOnce downloaded, the file runs. The final payload is AgentTesla hiding behind an Excel icon, which uploads stolen data to the\r\nC2 via FTP. The C2 itself is a legitimate website that has been compromised.\r\nOther infection chains\r\nThanks to internal systems, we discovered dozens of different files linked to the FTP server that was used as a C2 for\r\nAgentTesla. Most of the files that reported to this FTP server had been delivered by malicious documents bearing Spanish, Portuguese, and\r\nRomanian names.\r\nWe also used our systems to discover hundreds of different files and dozens of malicious IP addresses used\r\nby the group in this campaign. Some of the files were documents with various extensions targeting\r\ndifferent countries, but sharing one infrastructure and similar attack chains. The files had names\r\nin English, Bulgarian, Croatian, Turkish, Russian, Chinese, and other languages.\r\nBelow, you will find examples of chains containing malware that belongs to a variety of families: AgentTesla, Remcos,\r\nXWorm, LokiBot, Guloader, Formbook, SnakeKeylogger. We would like to emphasize that one type of malware may\r\nbe involved in several different chains. 
A complete list of indicators of compromise is available under IOCs below.\r\n1.1 AgentTesla attack: the main scenario involving an Excel document and steganography\r\nThe main scenario we saw in this campaign, and the one that gave it its name, is an attack chain that involves steganography.\r\nA case in point is a file named \"Cerere de cotatie.xla\" (SHA-256:\r\n64020a7a3f5f6c589272f28d727318eb5eb4eb4d41510679cb8134c0325c8fe2), which kicks off the chain. When opened,\r\nit sends a request to the URL:\r\nqly[.]ai/08XE5, a shortened link that redirects to\r\n23.95.60[.]74/weareinlovewithmygirlfriendunderstandhowitistoget___youareverybeautifilformeiloveusoomuchalwaysloveutrulyfromtheheartlove.do\r\nFigure 6. Request for the next stage (after opening the document)\r\nThe file received with the server response (SHA-256:\r\n2c58ca41949aa784dce6a2006162781fe7a7a5453cafb731ee4d512efe718c43) is an RTF document that exploits CVE-2017-11882.\r\nFigure 7. Receiving an RTF document\r\nWhen opened, the exploit runs and downloads a VBS script from that same IP address:\r\n23[.]95[.]60[.]74/roammamamamam.vbs\r\nFigure 8. The RTF document's request for the VBS script\r\nThe VBS script sends a request to paste[.]ee to fetch the next payload:\r\npaste[.]ee/d/FZTcX\r\nFigure 9. 
Malicious code in the legitimate paste[.]ee service\r\nThe script then downloads an image from the following URLs and decodes the malicious Base64 string embedded in it (the steganography step):\r\nuploaddeimagens[.]com[.]br/images/004/753/714/original/new_image.jpg?1709908350\r\nuploaddeimagens[.]com[.]br/images/004/753/713/original/new_image.jpg?1709908316\r\nThe two images are identical:\r\nFigure 10. An image downloaded from the legitimate service\r\nnew_image.jpg (SHA-256: 1435aef381b7e31245e2ca66818209a7f8d54daef4d0db25ef78b3a9fec3242b)\r\nThe Base64-encoded next-stage payload hidden inside the downloaded image:\r\nFigure 11. The Base64-encoded payload\r\nThe PowerShell command inside the script:\r\nFigure 12. The PowerShell code inside the script\r\nThe script then decodes the payload from the image and downloads a further stage from the same server; the URL is stored as a reversed\r\nstring, and the file it fetches is a Base64-encoded executable, also reversed:\r\n23[.]95[.]60[.]74/romamammamamamaa.txt\r\nFigure 13. Payload with reversed Base64 code\r\nNext, AgentTesla runs. As an evasion check, the malware queries ip-api[.]com to make sure that it is not running on a hosting\r\nplatform (a sign of an analysis environment) and that the victim's IP address is real:\r\nip-api[.]com/line/?fields=hosting\r\nAgentTesla steals data from browsers, email clients, and remote access services, and connects via FTP to a C2 to upload it.\r\nFigure 14. 
Communication with the C2 server\r\nFigure 15. Exfiltration\r\n1.2 AgentTesla attack: an alternate scenario involving a Microsoft Word document\r\nThis is a late-2023 variant that the threat actor uses less often now, although we still find samples of it:\r\n\"Lista de productos 2.docx\" (SHA-256: 54376ee15cca7c6cdecc27b701b85bdd2aa618fe8158a453d65030425154299a)\r\nFigure 16. The malicious document with OLE\r\nWhen opened, it sends a request to shlx[.]us/eO, which redirects to the following URL:\r\n23.95.122[.]104/htm/1/HTMLbrowserIEchromeHistoryCleaner.doc\r\nFigure 17. The next-stage request after opening the document\r\nThe downloaded document (SHA-256: 6cab2705e5bfe56db1e9a74c8af9dca162de7631dd8dc074685dcb9c1dc7c5a2)\r\nis a malicious RTF document containing an exploit:\r\nFigure 18. Getting the RTF document\r\nThe RTF document then downloads \"IGCC.exe\", which is AgentTesla.\r\nFigure 19. The RTF document fetches the AgentTesla payload\r\nAs a result, AgentTesla starts communicating with the C2 via FTP and proceeds to exfiltrate data:\r\nFigure 20. Exfiltrating the victim's data\r\n1.3 Remcos attack\r\nRemcos (Remote Control and Surveillance) was originally sold as legitimate software but is now employed by many threat actors\r\nas a RAT (remote access trojan) to control victims' computers.\r\nIn the course of our research, we found multiple Remcos samples used in attacks by the group.\r\nOne of these files is named \"ORDER_SPECIFICATIONS_OFFER.xla\" (SHA-256:\r\n93946883de3d4074ac4baed60abcc3f2d0c57c8ef6e41ceaedbc5ca0de55dc30):\r\nFigure 21. 
A malicious Excel document with OLE\r\nWhen the file is opened, the macro inside the Excel file reaches out to the first C2 at the shortened URL qly[.]ai/p5Zpt for\r\nadditional data:\r\nFigure 22. The request to qly[.]ai/p5Zpt\r\nThe URL redirects the request to an RTF document containing an exploit for CVE-2017-11882:\r\n147.185.243[.]107/45700/macc/shelovemywifemorethankanyonebutsametimeiloveagirlwholovingmealot_____sheisreallymyloverwhocarewholove\r\nFigure 23. The request after the redirect\r\nThis is followed by a request to the next URL, which, despite the .jpg extension, responds with an obfuscated VBS script rather than an image:\r\n147.185.243[.]107/45700/beautifulglobe.jpg\r\nFigure 24. The VBS script\r\nThis script contains the embedded address of the next C2 in the chain, which hosts another obfuscated script:\r\npaste[.]ee/d/NYO9X\r\nFigure 25. The VBS script in the legitimate paste.ee service\r\nWe found deobfuscation of this script more interesting than the first one, as it involved more encoding iterations. The\r\nresult was a piece of code containing a reversed string for the following C2:\r\n147.185.243[.]107/45700/MACC.txt\r\nFigure 26. The deobfuscation process\r\nInside the TXT file, we found the final link in the chain: a reversed Base64-encoded piece of code:\r\nFigure 27. 
The MACC.txt code\r\nThe chain results in infection with the Remcos RAT (SHA-256:\r\nbd296301230adac77b09dc91d06ec26adbc49d015ea7d1b4f68b6805c2b5ee55).\r\nBefore talking to the remote server, Remcos calls geoplugin[.]net/json.gp to check the IP address, and then contacts the\r\nC2 using TLS mimicry to hide the traffic:\r\nFigure 28. The conversation between Remcos and the C2 server\r\n1.4 XWorm attack\r\nXWorm is among the most popular RATs, used by many threat actors including TA558.\r\nSimilarly to the previous case, one of these chains begins with an Excel file containing an embedded link, which redirects\r\nrequests to another server to download an RTF document with an exploit inside. In this case, we saw the files with SHA-256\r\n7b768394fa0869d92f872eb486f49fabd6469ef3a8fd8bdf9cb49d35b39ea73b and\r\n94bcfc033fd6e445163116ebf73877ef71e22192bef829822314042b31a7281f, which, when opened, redirected to the following URL to fetch\r\nthe next stage:\r\n107.175.31[.]187/7508/iconimages.jpg\r\nFigure 29. The RTF request for a VBS script\r\nThe script contains an embedded URL:\r\npaste[.]ee/d/G5J31\r\nIts content is an obfuscated VBS script containing two links to images with additional payloads:\r\nuploaddeimagens[.]com[.]br/images/004/755/997/original/new_image_r.jpg?1710413993\r\nuploaddeimagens[.]com[.]br/images/004/755/997/original/new_image_r.jpg?1710413993\r\nFigure 30. The request to fetch the images\r\nAs in the main case described above, the strings from the images are decoded and a payload is assembled, which then\r\ndownloads a TXT file containing a reversed Base64-encoded file, the final payload: XWorm.\r\n107.175.31[.]187/7508/xwo.txt\r\nFigure 31. 
The payload with the reversed Base64-encoded file\r\nOnce running, XWorm starts talking to the C2:\r\n147.124.212[.]213:6161\r\nFigure 32. XWorm talking to the C2 server\r\n1.5 LokiBot attack\r\nLokiBot is a stealer that collects data from various applications used by the victim, such as browsers, email and FTP clients,\r\nand so on. One of the RTF documents in these chains was downloaded from:\r\n23.94.239[.]119/_—00_o______---0o0_00_0oo_0-o_o0-__________o0o-__________/ozzwerdfdghjfdggsahfhfghf.doc\r\nFigure 33. Downloading an RTF file\r\nAs in the other instances, the file is an RTF document that downloads a PE file (SHA-256:\r\nadc6a50e5985c31f0ed5ea885edd73e787f893f709591e5cf795fd78403d1430) from the following URL:\r\n23.94.239[.]119/112/vbc.exe\r\nFigure 34. Downloading the PE file\r\nThe file is LokiBot, which starts communicating with the C2, sending information to the following URL:\r\nsempersim[.]su/ha1/fre.php\r\nFigure 35. Communication between LokiBot and the C2 server\r\n1.6 Guloader/Formbook attack\r\nThis example begins with the file named \"NEW ORDER.xls\" (SHA-256:\r\n3688f05556a136fe094de5cb1888eac2a579525f72cd027e19738582ed40c283).\r\nFigure 36. The contents of \"NEW ORDER.xls\"\r\nThe macro inside the Excel file starts the next chain, similar to what we saw earlier. First, it sends a request to:\r\n2s[.]gg/3zs\r\nFigure 37. 
The request before the redirect\r\nIt then redirects to an RTF document exploiting the same CVE-2017-11882:\r\n103.237.87[.]56/rew/re/binwecanmaintainthenewthingswithhimbecauseiwasrunningaroundthewroldwithnew____icangofornewthingsfortruestoryul\r\nFigure 38. Downloading the malicious RTF file\r\nGuloader, which serves as the loader for the next piece of malware, is then downloaded from the same IP address:\r\n103.237.87[.]56/setup/bin.exe\r\nFigure 39. Downloading Guloader\r\nThe Guloader file (SHA-256: bfd50523e4cabf7fe9e6f0afc926b9269708ac80af43a943ebcbc909a9ae0695) fetches the final payload, FormBook,\r\nfrom Google Drive:\r\ndrive.google[.]com/uc?export=download&id=1QJZpYWwA5nTHlXAY5PxXqGvqEBOtjtOi ->\r\ndrive.usercontent.google[.]com/download?id=1QJZpYWwA5nTHlXAY5PxXqGvqEBOtjtOi&export=download\r\nOnce running, FormBook (SHA-256: e1259d936c3993e5d8671b8b5e2362eb974984d046871296c50cf51ee1a96e4b) starts\r\ntalking to the C2:\r\nthechurchinkaty[.]com/nrup/?vLwt1tg=a+HLDFsiIkHuV4rn/wjkuvItWj7ch7WMO9xbFOtVeNEzn7JMPDdWHI+pluLOfQ5QTDqWxNNxIGS7LM9UJKf1d/iZERaTVE3Mnox\r\nFigure 40. The communication between FormBook and the C2 server\r\n1.7 SnakeKeylogger attack\r\nAs in most of the cases we have covered so far, the chain begins with an Excel file, such\r\nas \"Payment_Draft_confirmation.xla\" (SHA-256:\r\n9caeaefa5ecb508895fef48764dc689f49dd8ad9f7e4de9e52202f1c1db101e1).\r\nWhen the file is opened, it sends a request to the following URL:\r\nqly[.]ai/TZWGK\r\nFigure 41. The request\r\nThis is followed by a redirect to the following URL to download an RTF document:\r\n207.32.219[.]82/7050/snk/snkisanewthingswhichhelovesornotireallynotknowwhathelookingbutshesloved___alotwiththisnewthingswhathetoldme.d\r\nFigure 42. 
Downloading the RTF document\r\nThe RTF document downloads a VBS script from the following URL:\r\n207.32.219[.]82/7050/imaginepixelimages.jpg\r\nFigure 43. Downloading the VBS script\r\nThe next stage downloads reversed Base64-encoded strings, which prove to be SnakeKeylogger (SHA-256:\r\n69dffbdcc112b62bfa93e2d6d95de42ef16e01e428b883b9671056ac93bbce8f) when decoded:\r\n207.32.219[.]82/7050/SNK.txt\r\nFigure 44. The payload with the reversed Base64-encoded file\r\nThe first thing SnakeKeylogger does upon starting is look up the victim's public IP address:\r\ncheckip.dyndns[.]org\r\nFigure 45. The checkip.dyndns.org check\r\nIt then checks the geographic location corresponding to that IP address:\r\nreallyfreegeoip[.]org\r\nFigure 46. The geographic location check\r\nThis is followed by a request to obtain the SMTP server to use for exfiltration:\r\nscratchdreams[.]tk/_send_.php?TS\r\nFigure 47. The request to get an SMTP server\r\nFinally, SnakeKeylogger forwards the information it stole to the compromised legitimate SMTP server:\r\nFigure 48. Sending data to the compromised legitimate SMTP server\r\n1.8 Other attack examples\r\nWe saw other attack chains as well. For example, here is the network communication between NjRAT and its C2:\r\nFigure 49. 
An example of network communication between NjRAT and C2\r\nThese differed only slightly from the chains described above, essentially being the same attacks with different final\r\npayloads.\r\nMoreover, while examining the threat actor's infrastructure, we noticed that the IP addresses used to host RTF files with\r\nembedded exploits and fake JPG files with embedded VBS scripts also served as C2 servers for various RATs.\r\nAs an example, here is the IP address of the zgRAT C2 server:\r\n94.156.69[.]17\r\nFigure 50. An example of this IP address being involved in the infection chain\r\nFigure 51. An example of this IP address being used for the zgRAT C2 server\r\nThe group's use of legitimate FTP and SMTP servers\r\nUpon closer inspection, the FTP servers we found turned out to be legitimate services, which the threat actor presumably\r\nhad compromised to use as C2s for exfiltrating the victims' data collected by the malware described above.\r\nThe legitimate sites belonged to small companies based in Mexico, Colombia, and Romania.\r\nHere is one such site:\r\nFigure 52. A legitimate site\r\nThe organization has an active social media account with several thousand subscribers and a link to a website:\r\nFigure 53. The social media account\r\nFigure 54. 
A legitimate site\r\nAs in the previous case, this organization has an active social media account with several thousand subscribers and a link\r\nto a website:\r\nFigure 55. The company's Facebook account\r\nWhen researching the group's attacks on Russian companies, we noticed that, besides FTP servers, it used SMTP\r\non compromised servers that hosted legitimate European websites:\r\nFigure 56. A legitimate site\r\nThe group also registered some SMTP domains of its own that imitate legitimate ones. For instance, one of the SMTP domains\r\nit used, itresinc[.]com, is clearly meant to pass for the legitimate it-resinc.com.\r\nThe threat actor used these compromised and newly registered SMTP servers in two ways:\r\n1. To send phishing email\r\n2. As a C2 server receiving the data stolen by the malware it spread\r\nInterestingly, the group never used the same SMTP server as both a phishing server and a C2 in one attack.\r\nAs an example of an attack, here is an email message sent to an organization in Russia from a compromised legitimate\r\nSMTP server:\r\nFigure 57. The email from the compromised SMTP server\r\nThe phishing email came with a ZIP archive attached:\r\n\"loading advice.zip\" (SHA-256: ca383ef7a0031ff933907be8b038ccc62ac556bdc0f077d7f9c3022952e62efa)\r\nThe archive contained one file, which was AgentTesla:\r\n\"loading advice.exe\" (SHA-256: 84b2a0360556088e4aad29627d4ed15d53b18aa72d9d98b4b0d1be27916c681e)\r\nFigure 58. 
The contents of the archive\r\nWhen the executable runs, it uploads data to an SMTP server that imitates a legitimate one:\r\nmail.itresinc[.]com\r\nAttribution to known groups\r\nIn the course of our research, we found that a part of the campaign had already been described by analysts at Cyble.\r\nCyble describes the same kill chain that we saw, including the use of steganography, as well as the payload, which may\r\nbe any of various types of malware such as AgentTesla, Remcos, and so on.\r\nResearchers at Metabase Q last October described the same threat actor's activity, attributing it to TA558.\r\nTheir report takes note of the kill chain, which also employed steganography. Although the researchers said that the victims,\r\nas with TA558 earlier, were located in Latin America, the United States, Portugal, and Spain, we have found that while\r\nTA558 mainly focuses on Latin America, the number of affected countries is much greater, and many of them lie well outside\r\nthose regions.\r\nLast August, researcher Ankit Anubhav shared on X (formerly Twitter) information about TA558's use of steganography\r\nwith a final chain that resulted in infection with Quasar RAT.\r\nAnother Microsoft researcher, Igal Lytzki, referred to Ankit Anubhav in his description of a similar attack, where he drew\r\nattention to steganography samples and AgentTesla on an FTP server containing logs of victims' data. Igal said he had\r\ninformed the victims accordingly:\r\nFigure 59. Tweet by researcher Igal Lytzki\r\nConclusion\r\nThe TA558 attack chains in the SteganoAmor campaign examined here continue to affect users in Latin America and\r\nelsewhere in the world. The group continues to exploit the fairly old CVE-2017-11882 in its attack chain. 
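The two decoding steps that recur in the chains above (a Base64 blob carried inside a JPEG fetched from uploaddeimagens[.]com[.]br, then a TXT stage such as romamammamamamaa.txt, MACC.txt, xwo.txt or SNK.txt holding a reversed Base64 executable) can be reproduced offline for triage. The Python below is an added example written for this edit, not code from Positive Technologies or from the samples. It assumes, as is common for this technique but not stated on the page, that the Base64 text is appended after the JPEG End-Of-Image marker, and it runs on constructed stand-ins for new_image.jpg and the TXT stage rather than on the real files; the 64-character minimum run length is likewise an assumption.

```python
import base64
import string

# Added example (not from the page): triage helpers for the SteganoAmor staging formats.
B64_ALPHABET = set(string.ascii_letters + string.digits + '+/=')
JPEG_EOI = bytes([0xFF, 0xD9])  # JPEG End-Of-Image marker


def extract_after_eoi(image: bytes, min_len: int = 64) -> str:
    '''Return the longest Base64-looking run after the last JPEG EOI marker, or an empty string.

    Assumption (ours, not stated on the page): the actor appends the encoded stage after the
    image data, so the file still renders as a normal picture. The search starts at the last
    EOI because real JPEGs may carry an EXIF thumbnail with its own EOI marker.'''
    pos = image.rfind(JPEG_EOI)
    if pos == -1:
        return ''
    tail = image[pos + len(JPEG_EOI):].decode('latin-1')
    best, run = '', []
    for ch in tail + chr(0):  # NUL sentinel so the final run is flushed
        if ch in B64_ALPHABET:
            run.append(ch)
            continue
        if len(run) >= min_len and len(run) > len(best):
            best = ''.join(run)
        run = []
    return best


def decode_reversed_b64(text: str) -> bytes:
    '''Decode a stage stored as reversed Base64 (the romamammamamamaa.txt / MACC.txt / xwo.txt / SNK.txt format).'''
    cleaned = ''.join(ch for ch in reversed(text) if ch in B64_ALPHABET)
    cleaned += '=' * (-len(cleaned) % 4)  # tolerate a truncated download
    return base64.b64decode(cleaned)


def is_pe(blob: bytes) -> bool:
    '''True if blob starts with an MZ header whose e_lfanew points at a PE signature.'''
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def triage(image: bytes, txt_stage: str) -> dict:
    '''Pull the hidden stage out of the image and decode the TXT stage, reporting what was found.'''
    stage_b64 = extract_after_eoi(image)
    image_stage = base64.b64decode(stage_b64) if stage_b64 else b''
    final = decode_reversed_b64(txt_stage) if txt_stage else b''
    return {
        'image_has_appended_b64': bool(stage_b64),
        'image_stage': image_stage,
        'final_is_pe': is_pe(final),
        'final_size': len(final),
    }


def build_samples():
    '''Constructed stand-ins for new_image.jpg and the TXT stage (not the real samples).'''
    dos_header = b'MZ' + bytes(0x3A) + (0x40).to_bytes(4, 'little')  # e_lfanew = 0x40
    pe = dos_header + b'PE' + bytes(2) + bytes(60)                      # minimal PE signature
    txt_stage = base64.b64encode(pe).decode('ascii')[::-1]              # reversed Base64, as in the chains
    hidden = b'constructed stage: stands in for the loader the VBS pulls out of the image ' * 2
    image = bytes([0xFF, 0xD8, 0xFF, 0xE0]) + bytes(32) + JPEG_EOI + base64.b64encode(hidden)
    return image, txt_stage, pe


if __name__ == '__main__':
    image, txt_stage, pe = build_samples()
    print(triage(image, txt_stage))
```

Run triage() on a downloaded image and TXT stage; final_is_pe being True for a .txt served from a bare IP address is a strong signal of this chain. The reversed-string C2 URL the page mentions for the Remcos chain is recovered with the same [::-1] slice the decoder applies before Base64 decoding.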
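The public IP and geolocation checks seen in the chains above (AgentTesla querying ip-api[.]com, Remcos querying geoplugin[.]net, SnakeKeylogger querying checkip.dyndns[.]org and reallyfreegeoip[.]org) happen right before the payload opens its FTP or SMTP connection to a compromised legitimate server, which gives a simple network-level detection in line with the recommendation to monitor traffic to legitimate services: flag a host that asks an IP-lookup service and shortly afterwards opens outbound FTP or SMTP. The Python below is an added example for this edit, not Positive Technologies code or a rule from the report; the egress-log line format, the internal hosts and the destination names are constructed for the example, and the ten-minute window is an assumption to tune to your environment.

```python
from datetime import datetime, timedelta

# Added example (not from the page). Public IP / geolocation services the chains contact before exfiltration.
IP_CHECK_HOSTS = {'ip-api.com', 'geoplugin.net', 'checkip.dyndns.org', 'reallyfreegeoip.org'}
# Ports the final payloads on this page exfiltrate over (FTP to compromised sites, SMTP to compromised or lookalike mail servers).
EXFIL_PORTS = {21: 'ftp', 25: 'smtp', 587: 'smtp'}
WINDOW = timedelta(minutes=10)  # assumption: how long after the IP check an exfil connection is still suspicious


def parse_line(line: str):
    '''Constructed egress-log format: <ISO timestamp> <source IP> <destination host or IP> <destination port>.'''
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_check_then_exfil(lines):
    '''Return (src, check_host, exfil_dst, proto) for each host that queried an IP-check service and then,
    within WINDOW, opened an outbound FTP/SMTP connection. Lines may arrive unsorted.'''
    events = sorted(parse_line(line) for line in lines if line.strip())
    last_check = {}  # src -> (time, host) of the most recent IP-check request
    hits = []
    for ts, src, dst, port in events:
        if dst in IP_CHECK_HOSTS:
            last_check[src] = (ts, dst)
            continue
        if port in EXFIL_PORTS and src in last_check:
            check_ts, check_host = last_check[src]
            if ts - check_ts <= WINDOW:
                hits.append((src, check_host, dst, EXFIL_PORTS[port]))
    return hits


# Constructed sample log (not real traffic). 10.0.0.5 mirrors the SnakeKeylogger sequence, 10.0.0.7 the AgentTesla one;
# 10.0.0.9 sends ordinary mail with no prior check, and 10.0.0.11 checks but exfiltrates long after the window.
SAMPLE_LOG = [
    '2024-03-10T09:00:00 10.0.0.5 checkip.dyndns.org 80',
    '2024-03-10T09:00:02 10.0.0.5 reallyfreegeoip.org 443',
    '2024-03-10T09:00:05 10.0.0.5 mail.example-victim.tld 587',
    '2024-03-10T09:01:00 10.0.0.7 ip-api.com 80',
    '2024-03-10T09:03:30 10.0.0.7 ftp.compromised-shop.example 21',
    '2024-03-10T09:05:00 10.0.0.9 mail.corp.example 25',
    '2024-03-10T09:10:00 10.0.0.11 geoplugin.net 80',
    '2024-03-10T09:45:00 10.0.0.11 ftp.compromised-shop.example 21',
]


if __name__ == '__main__':
    for hit in find_check_then_exfil(SAMPLE_LOG):
        print('suspect exfil:', hit)
```

Remcos, which follows its geoplugin[.]net lookup with TLS-mimicking C2 traffic rather than FTP or SMTP, is not caught by the second condition; treat the IP-lookup request on its own as a lower-confidence signal and pair it with the FTP and SMTP destinations from the report's indicators.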
TA558 also uses\r\nsteganography, an obfuscation technique, inside its chains to spread well-known malware families seen in other attacks in recent\r\nyears. The phishing may be harder to detect because the group sends it through compromised legitimate SMTP servers,\r\nso we recommend exercising caution when dealing with email that contains attachments, even if the messages were received\r\nfrom governmental organizations or small local companies. The use of legitimate SMTP and FTP servers, as well as tools\r\nlike Guloader, may complicate detection of the threat actor's presence on the host, so companies are advised to monitor\r\nnetwork traffic more closely and investigate suspicious activity linked to legitimate services.\r\nSource: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/"
	],
	"report_names": [
		"steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world"
	],
	"threat_actors": [
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2d6a7a51ee7bab982f09755c44f751fe7fe5af2.pdf",
		"text": "https://archive.orkl.eu/e2d6a7a51ee7bab982f09755c44f751fe7fe5af2.txt",
		"img": "https://archive.orkl.eu/e2d6a7a51ee7bab982f09755c44f751fe7fe5af2.jpg"
	}
}