{
	"id": "4a2ca21d-9210-4a3c-abe6-b99d1e1d3282",
	"created_at": "2026-04-06T00:17:53.895596Z",
	"updated_at": "2026-04-10T03:36:37.172657Z",
	"deleted_at": null,
	"sha1_hash": "e441907400fff999970f33705ddf9df346749208",
	"title": "MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1001237,
	"plain_text": "MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures\r\nBy Patrick Schläpfer\r\nPublished: 2021-10-19 · Archived: 2026-04-05 21:37:14 UTC\r\nWhat is MirrorBlast?\r\nMirrorBlast is a new malware campaign first observed at the end of September 2021. The malware was named by Proofpoint Emerging Threats Labs, whose signatures recognize the malware based on its command and control (C2) traffic. Since then, the malware has been spotted in several campaigns, each showing similar infection chains. The following graphic shows the rough sequence of a MirrorBlast campaign.\r\nFigure 1 – Infection chain of a MirrorBlast campaign seen in October 2021.\r\nhttps://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/\r\nPage 1 of 12\n\nIs MirrorBlast a campaign from TA505?\r\nAfter MirrorBlast’s emergence, some security researchers speculated that it could be linked to TA505. Comparing MirrorBlast activity to historical TA505 Get2/SDBBot campaigns revealed numerous similarities in tactics, techniques and procedures (TTPs). We assess that these similarities significantly strengthen the hypothesis that MirrorBlast and TA505 are linked. In this article, we describe some of these similarities:\r\nSimilarities in modus operandi\r\nSimilar domain registration patterns\r\nCampaign cadence\r\nSimilar download websites and lure documents\r\nSimilar target selection mechanisms\r\nFollow-up malware\r\nSimilarities in Modus Operandi\r\nThe Get2/SDBBot campaign TTPs were always similar, as if the group followed a strict playbook: the domains were registered, the download website was set up, and before the malware was distributed, the attackers uploaded a legitimate document to the download website. This was probably for testing purposes. Sometimes it was an empty document or one containing the characters “123”. But occasionally the attackers uploaded Excel documents containing several spreadsheets and legitimate content. For example, Figure 2 shows the test document that was uploaded during the Get2/SDBBot campaign on 14 September 2020.\r\nLooking at the MirrorBlast campaigns, the threat actor behaved similarly. The campaign on 14 October 2021 was notable. Like TA505, the attackers registered domains, published the download website, and uploaded a test document. Strikingly, this test document was the same document as used by TA505 in a campaign in 2020, demonstrating an overlap in the attackers’ methods as well as the tools they use.\r\nFigure 2 – Legitimate Excel file uploaded to TA505 and MirrorBlast malware distribution websites.\r\nSimilar Domain Registration Patterns\r\nIn Get2/SDBBot campaigns, TA505 registered new domains that had recognizable characteristics:\r\nMost domains impersonated well-known online services or used related keywords\r\nThe domains often contained one or more hyphen characters to separate words\r\nThe domains used the top-level domain .com\r\nHere are some examples of known TA505 domains:\r\nKnown TA505 Domains\r\nxbox-en-cnd[.]com\r\none-drive-storage[.]com\r\nstore-in-box[.]com\r\nmicrosoft-store-drm-server[.]com\r\nclouds-doanload-cnd[.]com\r\nmicrosoft-sback-server[.]com\r\none-drive-ms[.]com\r\nowncloud-cdn[.]com\r\ncdn-onedrive-live[.]com\r\noffice-en-service[.]com\r\nAs you can see, the domains follow a consistent naming convention. Moreover, the combination of certain domain registrars and DNS service providers is also a good indicator of new TA505 domains. Figure 3 shows the domain registrars used in the documented TA505 campaigns from September 2019 to December 2020. Most of the time, Eranet International Limited was used to register the new domains and only rarely were others used. But in November and December 2020 this pattern changed when most domains were registered through Cnobin Information Technology Limited. After that, TA505 Get2/SDBBot campaigns ceased, resulting in no temporal overlap with MirrorBlast campaigns.\r\nFigure 3 – TA505 domain registrations by registrar, September 2019 to December 2020.\r\nAs of October 2021, there are only a few known MirrorBlast domains. However, even the limited data suggest a consistent pattern in MirrorBlast domain registrations. As with TA505, the attackers imitate a well-known online service and often delimit keywords in their domains with hyphens. The threat actor behind the MirrorBlast campaigns used Cnobin Information Technology Limited to register their domains. This domain registrar was used by TA505 at the time of their last known activity in late 2020. There is no overlap in DNS service providers, since TA505 only used DNSPod and Cloudflare.\r\nFigure 4 – MirrorBlast domain registrations.\r\nCampaign Cadence\r\nIn 2020, TA505 ran a new campaign almost every day during the week. For this purpose, new domains were registered for Get2 and SDBBot distribution for nearly every campaign. In addition, the spam waves of the campaigns were large. Comparing the cadence of MirrorBlast activity is difficult because of the limited data available at this point. However, comparing MirrorBlast activity to date suggests that the campaigns became more frequent at the end of September 2021 and currently match the cadence of TA505 campaigns. New domains, which are used to spread the malware, are registered almost daily.\r\nFigure 5 – Timeline showing MirrorBlast domain registrations from September to October 2021.\r\nInfrastructure Overlap\r\nIn the MirrorBlast campaign on 4 October 2021, an overlap with known TA505 infrastructure was detected. The IP address 169.239.128[.]11, to which the domain fidufagios[.]com resolved in the MirrorBlast campaign, was previously used in a TA505 campaign on 9 October 2019. In the MirrorBlast campaign, the IP address was used for command and control (C2). Meanwhile, in the TA505 campaign, the IP address was behind the domain onedrive-sdn[.]com and was used to host a malicious Excel document.\r\nCampaign | Date | Domain | IP Address\r\nMirrorBlast | 4 October 2021 | fidufagios[.]com | 169.239.128[.]11\r\nGet2/SDBBot (TA505) | 9 October 2019 | onedrive-sdn[.]com | 169.239.128[.]11\r\nSimilar Download Websites and Lure Documents\r\nAnother similarity between the two campaigns is the design and use of websites to trick users into downloading malicious Excel spreadsheets. Both campaigns lead users to a download website via a hyperlink or an HTML attachment, whose design varies from campaign to campaign. Figure 6 shows the website of a Get2/SDBBot TA505 campaign from 14 February 2020.\r\nFigure 6 – Website used in Get2/SDBBot campaign, February 2020.\r\nIn the MirrorBlast campaign on 7 October 2021 (Figure 7), the website’s design was almost identical to the one used in campaigns attributed to TA505. The reuse of the websites suggests that MirrorBlast and TA505 may be linked, or that the websites were re-purposed by another threat actor with access to the website source code.\r\nFigure 7 – Website used in MirrorBlast campaign, October 2021.\r\nTA505 mostly used Excel documents to distribute Get2 and SDBBot. If you open the document, you will usually find an image designed to trick the user into activating Microsoft Office’s macro functionality, which causes a malicious macro to run. These social engineering images varied in the Get2/SDBBot campaigns orchestrated by TA505.\r\nExamining the images used in MirrorBlast lure documents reveals that they are almost identical to the TA505 documents (Figures 8 and 9).\r\nFigure 8 – Lure document in TA505 campaign, 19 August 2020.\r\nThe only major difference is that the MirrorBlast campaign targeted a German-speaking region, so the threat actor translated the text into German. However, if you look at the text closely, you will notice that the second to last sentence was not translated and is identical to the TA505 campaign. Such images and designs can be copied by other threat actors and used for their own purposes. For this reason, this similarity only weakly supports the view that MirrorBlast and TA505 are linked.\r\nFigure 9 – Lure document in MirrorBlast campaign, 13 October 2021.\r\nSimilar Target Selection Mechanisms\r\nThe download websites used to distribute Get2, a loader used by TA505, were selective about which visitors to infect. Namely, they only offered the malicious Excel document to visitors with a Windows User-Agent. If a user with a different User-Agent finds their way to the website, they are redirected to Apple’s iOS website.\r\nFigure 10 – Website redirect used in a TA505 campaign.\r\nWe found similar target selection behavior when looking at the MirrorBlast download websites. If you visit the website with a non-Windows User-Agent, you are also redirected to the Apple iOS website.\r\nFigure 11 – Website redirect used in a MirrorBlast campaign.\r\nThis similar behavior is interesting, and it can also be used to detect new TA505 and MirrorBlast domains. For example, urlscan.io, an online URL scanning service, has a search feature that network defenders can use to find TA505 and MirrorBlast URLs submitted to the service:\r\npage.url:\"*/ios/ios-13*\"\r\npage.url:\"*/ios/ios-15*\"\r\nIn the known Get2 campaigns of TA505, a short reconnaissance phase took place after the initial infection. The computer name, username, Windows version, and a list of active processes were collected and sent to the C2 via an HTTP POST request. Depending on this information, the C2 responded with a cookie and URLs leading to the next malware stage. This mechanism gives TA505 the ability to select which infected systems receive the next malware stage, thereby minimizing delivery to malware analysis systems and targets of little value.\r\nMirrorBlast performs similar checks. In the KiXtart phase, which occurs after the Excel macro code executes, the malware sends various information about the client to a C2 server. This includes the domain name, computer name and username.\r\nFigure 12 – System information sent to C2 in KiXtart phase.\r\nIf this information originates from a client of interest to the attacker, the next malware stage follows. In the Rebol phase, information about the client is again collected. The computer name, username and system architecture are transmitted to a C2 via an HTTP GET request.\r\nFigure 13 – Base64 encoded system information sent to C2 in Rebol phase, with a UUID returned.\r\nIn response, the C2 server returns a UUID. This UUID is encoded in Base64 and used as an argument in subsequent HTTP GET requests. This way, the C2 operator can select which systems they want to infect.\r\nFigure 14 – Base64 encoded system information sent to C2 in Rebol phase, with no UUID returned.\r\nFollow-up Malware\r\nAnother similarity between TA505 and MirrorBlast is the malware that is eventually delivered to an infected system. According to public reports, the follow-up malware of a MirrorBlast campaign is FlawedGrace (GraceWire). FlawedGrace is a remote access Trojan (RAT) that was often used by the TA505 group. A report from ANSSI indicates the malware was used exclusively by TA505 in mid-2020. Assuming that FlawedGrace is only available to TA505, the appearance of FlawedGrace in MirrorBlast campaigns is strong evidence that MirrorBlast is closely linked to TA505. However, whether TA505’s exclusive control over FlawedGrace has extended beyond mid-2020 is unclear.\r\nConclusion\r\nThis article compares the TTPs used in MirrorBlast and TA505’s Get2/SDBBot campaigns. We focused on similar characteristics between the two. Whether TA505 is behind the MirrorBlast campaigns or another threat actor is responsible is not definitively clear based on these similarities, so we leave this for the reader to decide. Regardless of who is behind MirrorBlast, the campaign uses novel techniques (i.e. the KiXtart and Rebol phases) and has ramped up its activity in recent weeks. Therefore, we recommend that organizations implement prevention and detection measures to prevent infection with this malware. To accompany this article, we have published indicators of compromise (IOCs) of known MirrorBlast campaigns in the Appendix.\r\nIOCs\r\nObserved MirrorBlast Campaigns:\r\nPotential follow-up malware:\r\nSource: https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/"
	],
	"report_names": [
		"mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e441907400fff999970f33705ddf9df346749208.pdf",
		"text": "https://archive.orkl.eu/e441907400fff999970f33705ddf9df346749208.txt",
		"img": "https://archive.orkl.eu/e441907400fff999970f33705ddf9df346749208.jpg"
	}
}