{
	"id": "4dcf74fa-aabb-4125-a79c-5fb2e46cf0a1",
	"created_at": "2026-04-06T00:16:51.370026Z",
	"updated_at": "2026-04-10T03:35:43.389662Z",
	"deleted_at": null,
	"sha1_hash": "e722b78ccb2678579d9980083debe43b39a1a6ff",
	"title": "Threat Actor Profile: TA542, From Banker to Malware Distribution Service | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1338388,
	"plain_text": "Threat Actor Profile: TA542, From Banker to Malware Distribution Service | Proofpoint US\r\nBy Axel F and the Proofpoint Threat Insight Team, May 15, 2019\r\nPublished: 2019-05-15 · Archived: 2026-04-05 15:42:23 UTC\r\nUpdate: Table 1 was updated to reflect a Poland-targeted Emotet campaign discovered on the day of publication. This is the first campaign targeting the region since 2017.\r\nOverview\r\nProofpoint researchers began tracking a prolific actor (referred to as TA542) in 2014, when reports first emerged about the appearance of the group’s signature payload, Emotet (aka Geodo) [1][2]. TA542 consistently uses the latest version of this malware, launching widespread email campaigns on an international scale that affect North America, Central America, South America, Europe, Asia, and Australia.\r\nEarlier versions of Emotet had a module that was used to commit banking fraud, specifically targeting German, Austrian, and Swiss banks [7], and for years the malware was widely classified as a banking Trojan. However, later versions of Emotet no longer load their own banking module and instead load third-party banking malware. More recently, we have observed Emotet delivering third-party payloads such as Qbot, The Trick, IcedID, and Gootkit. Additionally, Emotet loads its own modules for spamming, credential stealing, email harvesting, and spreading on local networks.\r\nTA542 typically distributes high-volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries. TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high-volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service\r\nPage 1 of 11\n\nFigure 1: Indexed volume of email messages containing Emotet, TA542’s signature payload (from 5/1/17 to 5/1/19)\r\nEvolution of Emotet\r\nVersion 1 of Emotet originated around May 2014 as a banking Trojan, which at first was only known to load its own banking module targeting German and Austrian banks [1][2].\r\nVersion 2 was detected in fall 2014, when it began using an Automatic Transfer System (ATS) and had a modular structure with a spamming module, banking module, DDoS module, and address book stealing module [7].\r\nVersion 3 of Emotet appeared in January 2015, containing stealth modifications designed to prevent its detection by anti-malware defenses, and soon began targeting Swiss banks [7].\r\nVersion 4 was initially observed around December 1, 2016, spreading via the RIG 4.0 exploit kit [9]. Proofpoint researchers next observed it spreading via emails with links to zipped executables or JScript in February 2017. Starting in April 2017, TA542 began consistently distributing this version in high-volume campaigns. This version does not use its own banking module, but primarily loads other modules and third-party banking malware.\r\nFigure 2: Timeline of major milestones in TA542 activity\r\nEmotet Modules\r\nSince its introduction, Emotet has used a number of modules:\r\nMain module: Downloads other modules from a command and control (C\u0026C) server.\r\nSpam module: This module has been present in most versions of Emotet. 
The spam module facilitates the continued spread of the Emotet botnet by sending out emails with links or attachments that lead to Emotet. “Distribution is performed using previously scraped mail accounts, which are sent to each spambot” from the C\u0026C [8].\r\nCredential stealing: This module has been present in most versions of Emotet. In version 4, it steals credentials from web browsers and mail clients using the NirSoft tools Mail PassView and WebBrowser PassView [8].\r\nSpreader module: The network spreader module, introduced in September 2017, enumerates network resources. It attempts to connect to them “as the currently logged on user before jumping into the bruting portion of the code” [10]. The brute force attack enumerates available logins and tries passwords from a hardcoded list. For every successful login, a file is copied into the newly reachable network folder and a service is configured on the remote system to execute it.\r\nEmail harvesting: This module was introduced in October 2018. It exfiltrates email content from infected machines to the C\u0026C. Specifically targeted components include the subject, the body, the names of the sender and the receiver, and their corresponding email addresses. This information is only stolen for emails sent or received in the last 180 days. “If the body is longer than 16384 characters, it is truncated to this size plus the string ...” [6].\r\nAddress book stealer: This module, first seen in 2017, performs a relationship analysis between sender and recipient in the current user’s Outlook data file. It extracts the name and address list from each profile’s address book and then recursively scans each email stored in the data file. Information about each sender and recipient is extracted and used to infer their relationship and refine targeting, which is then passed to the spam module [11].\r\nDDoS module: No longer active; a module from early versions of Emotet [7].\r\nBanking module: No longer active; a module from early versions of Emotet [7].\r\nDelivery\r\nAs with many threat actors monitored by Proofpoint researchers, TA542 leverages social engineering to increase infection rates. They frequently use stolen branding and urgent subject lines to deceive potential victims, and they compose emails in the appropriate language for the targeted country. TA542 uses a variety of social engineering mechanisms and strategies, but the most common are described below.\r\nEmail Subjects\r\nTA542 primarily uses generic subject lines that usually refer to transactions, payments, and invoices. Examples include: “ACH Payment Info”, “Payment Notification”, “Transaction for your invoice”, “Overdue payment”, “Paid Invoices”, “Sales Invoice”, “Status update”, “Document needed”, “New Order”, “Receipt for your invoice”.\r\nEmail Body\r\nOften the body of the message is simple and consists of only a few sentences. Email bodies usually include brief verbiage about missed or upcoming payments, incoming financial statements, or invoices. However, Proofpoint researchers have observed more sophisticated examples in which TA542 included stolen company branding.\r\nEmail Thread Hijacking\r\nThread hijacking is a technique in which threat actors reply to existing benign email conversations with a malicious attachment or URL. Since early April 2019, TA542 has consistently used this technique to distribute Emotet, sending what appear to be replies to legitimate emails [4][5]. 
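A triage check for the thread-hijacking pattern just described, added here as an example; it is not part of the Proofpoint post and not Emotet or TA542 code. It parses one raw message with Python's standard email library and flags a reply whose sender appears nowhere in the quoted conversation and that carries a delivery vector: a link in the body, or an attachment of a type this profile lists for TA542 (Word documents with macros, PDF, JScript, Zip). Both sample messages are constructed for the example. The sender-outside-thread heuristic, the OLE2 header check on the attachment bytes, and the constants RISKY_EXT and OLE2_MAGIC are assumptions of this example, not indicators published on the page.

```python
import email
import re
from email import policy

# Constructed sample (not a real TA542 message): a reply into an existing
# invoice thread, sent from an address that never appears in the quoted
# conversation, carrying a legacy .doc attachment.
SAMPLE_REPLY = '''From: Accounts Team <accounts@example-sender.test>
To: jane.doe@victim-corp.test
Subject: Re: Invoice 4471
In-Reply-To: <orig-1@victim-corp.test>
References: <orig-1@victim-corp.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=XYZ

--XYZ
Content-Type: text/plain

Hi Jane, please find the updated invoice attached.

On Mon, 29 Apr 2019, Jane Doe <jane.doe@victim-corp.test> wrote:
> Thanks, can you resend the invoice?
>
> From: Bob Smith <bob@partner-co.test>
> To: jane.doe@victim-corp.test

--XYZ
Content-Type: application/msword; name=Invoice_4471.doc
Content-Disposition: attachment; filename=Invoice_4471.doc
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--XYZ--
'''

# Constructed benign reply for comparison: the sender appears in the quoted
# Outlook-style header block, and nothing is attached or linked.
SAMPLE_LEGIT = '''From: Bob Smith <bob@partner-co.test>
To: jane.doe@victim-corp.test
Subject: Re: Invoice 4471
In-Reply-To: <orig-1@victim-corp.test>
Content-Type: text/plain

Resending now, Jane.

> From: Jane Doe <jane.doe@victim-corp.test>
> To: bob@partner-co.test
> Subject: Invoice 4471
> Thanks, can you resend the invoice?
'''

ADDR_RE = re.compile('[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+')
OLE2_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # assumed check: legacy .doc/.xls container header
# Assumed list, taken from the attachment types the profile names: Word (macros), PDF, JScript, Zip
RISKY_EXT = ('.doc', '.docm', '.pdf', '.js', '.zip')


def _domain(addr):
    return addr.rsplit('@', 1)[-1].lower()


def triage_reply(raw):
    '''Score one raw RFC 5322 message for thread-hijacking traits; returns a findings dict.'''
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get('Subject', ''))
    is_reply = bool(msg.get('In-Reply-To') or msg.get('References')) or subject.lower().startswith(('re:', 'aw:'))

    m = ADDR_RE.search(str(msg.get('From', '')))
    sender = m.group(0).lower() if m else ''

    body_part = msg.get_body(preferencelist=('plain', 'html'))
    body = body_part.get_content() if body_part else ''

    # Participants of the hijacked thread: addresses quoted in the body plus the recipients.
    thread_addrs = {a.lower() for a in ADDR_RE.findall(body)}
    for hdr in ('To', 'Cc'):
        thread_addrs.update(a.lower() for a in ADDR_RE.findall(str(msg.get(hdr, ''))))
    thread_domains = {_domain(a) for a in thread_addrs}
    # Message-IDs of the original thread reveal the domain the conversation started in.
    for mid in ADDR_RE.findall(str(msg.get('References', '')) + ' ' + str(msg.get('In-Reply-To', ''))):
        thread_domains.add(_domain(mid))
    sender_outside_thread = bool(sender) and sender not in thread_addrs and _domain(sender) not in thread_domains

    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or '').lower()
        data = part.get_payload(decode=True) or b''
        attachments.append({'name': name,
                            'risky_ext': name.endswith(RISKY_EXT),
                            'ole2': data[:8] == OLE2_MAGIC})
    has_link = 'http://' in body.lower() or 'https://' in body.lower()
    has_vector = has_link or any(a['risky_ext'] or a['ole2'] for a in attachments)

    return {'is_reply': is_reply,
            'sender': sender,
            'sender_outside_thread': sender_outside_thread,
            'attachments': attachments,
            'has_link': has_link,
            'suspicious': is_reply and sender_outside_thread and has_vector}


if __name__ == '__main__':
    for label, raw in (('hijack', SAMPLE_REPLY), ('legit', SAMPLE_LEGIT)):
        print(label, triage_reply(raw))
```

Run it directly to print both verdicts. The sender check only catches replies whose From address is foreign to the thread; a reply sent through the genuinely compromised account, using that account's own address, passes it, so in that case the decision rests on the attachment and link checks, and RISKY_EXT should be tuned to the formats seen in current campaigns rather than left at this fixed list.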
While the technique is not novel or original, it is still effective: because victims have seen these email chains before, they may believe they are interacting with a person they trust, making them more inclined to open attachments and links in the message body.\r\nThe appearance of thread hijacking followed reports in October 2018 of a new module that can steal emails from victims’ machines [5].\r\nBrand Abuse\r\nTA542 abuses the branding of dozens of high-profile companies, including it in the body of the email, in Microsoft Word document attachments, in PDF attachments, and in malicious URL paths. Commonly abused brands include shipping companies (such as DHL and UPS), telecommunication companies (such as T-Mobile and O2), large financial institutions (such as TD Bank, Barclays, and RBC), and others.\r\nHoliday Lures\r\nTA542 also drafts holiday-themed lures to target consumers during major holidays. Proofpoint researchers have observed seasonal upticks in TA542 Emotet activity, especially around Christmas, Thanksgiving, Black Friday, and Cyber Monday, likely targeting holiday shoppers.\r\nGeographical Targeting\r\nTA542 frequently targets certain core geographies such as Germany, the United Kingdom, the United States, and Latin America. TA542 also targets other countries, but less consistently. Each region is targeted with appropriate language translations in email bodies, subjects, and filenames, and with geographically relevant branding. 
Known targeted countries are listed in Table 1 below:\r\nCountry | Language | Note\r\nGermany | German | Consistently targeted\r\nAustria | German | Intermittently targeted: first targeted in 2015, then intermittently until April 9, 2019, when we began to observe regular targeting\r\nSwitzerland | German | Intermittently targeted: first targeted in 2015, then intermittently until April 9, 2019, when we began to observe regular targeting\r\nUnited Kingdom | English | Consistently targeted\r\nUnited States | English | Consistently targeted\r\nCanada | French | Intermittently targeted\r\nJapan | Japanese | Proofpoint observed campaigns on April 12-16, 2019\r\nChina, Hong Kong, Taiwan | Chinese | Proofpoint observed campaigns on April 12-16, 2019\r\nAustralia | English | Proofpoint observed several campaigns in April 2019\r\nLatin America | Spanish, Portuguese | Proofpoint regularly observes countries targeted in this region, including Mexico, Uruguay, Argentina, Colombia, Chile, Bolivia, Paraguay, Brazil, Ecuador, Costa Rica, El Salvador, and Guatemala\r\nCaribbean | Spanish | Countries such as the Dominican Republic\r\nPoland | Polish | Last observed in 2017. Update: Proofpoint researchers detected a campaign targeting Poland on May 15, 2019\r\nTable 1: Countries with observed Emotet email campaigns. Note that this list is not considered exhaustive.\r\nExample Emails\r\nThis section highlights email lures from some of the more notable TA542 campaigns. The figure below shows the following email messages:\r\n- German language email targeting Switzerland containing a malicious URL on April 29, 2019 (top left).\r\n- English language email targeting the United States and utilizing thread hijacking on April 30, 2019 (top right).\r\n- Chinese language email targeting Taiwan on April 12, 2019. This email is notable because, for a few days in April, TA542 experimented with targeting this region as well as China, Hong Kong, and Australia (bottom left).\r\n- Spanish language email targeting a company in the Dominican Republic on May 3, 2019. This particular email is notable because, while Latin American countries are frequently targeted, the neighboring Caribbean countries are rarely targeted (bottom right).\r\nFigure 3: Example emails showing a variety of geographic targeting by TA542, including language localization\r\nThe example emails below show the seasonal customization used in the days leading up to Christmas and Black Friday in 2018:\r\nFigure 4: Example emails showing holiday email lures\r\nAttachments / URLs\r\nThe malicious content included in the emails sent by this threat actor is generally either a URL or an attachment, although Proofpoint researchers have observed some instances in which both were included at the same time. The actor maintains a diverse arsenal of attachments and URLs in order to vary their attacks. TA542 frequently uses some formats, such as attached Microsoft Word documents with macros and URLs linking to similar documents. The actor uses other formats, such as PDFs and JScript, intermittently. Finally, formats such as password-protected Zip files containing Microsoft Word documents appear to be experimental, and it remains to be seen whether they will be adopted for broader use.\r\nAttachments\r\nThe following is a list of known types of email attachments used by TA542. 
All types of attachments are first-stage downloaders that attempt to download the Emotet payload, or another intermediary downloader in the case of PDFs, from one of several (typically five) hardcoded payload URLs. Many unique attachments can contain the same set of payload URLs. TA542 also rotates the URL sets several times a day.\r\n- Microsoft Word documents with macros\r\n- PDFs with links to Microsoft Word documents with macros\r\n- PDFs with links to Zip archives with JScript files inside\r\n- Password-protected Zip archives with JScript files inside\r\n- Password-protected Zip files containing Microsoft Word documents\r\nURLs\r\nThe following is a list of known types of URLs that the actor embeds in the emails. The URLs are frequently hosted on compromised vulnerable sites, including vulnerable WordPress installations. The actor typically adds a nested structure of one or more folders on the compromised site and hosts a malicious PHP script that initiates the download of the payload. The folder names are sometimes synchronized with the rest of the campaign theme and might use stolen branding.\r\n- URLs linking to Microsoft Word documents with macros\r\n- URLs linking to zipped Microsoft Word documents with macros\r\n- URLs linking to JScript\r\n- URLs linking to zipped JScript\r\n- URLs linking to zipped executables (not used since 2017)\r\nExperiments\r\nApril 3, 2019: First use of password-protected Zip files containing JScript. The actor has intermittently used this technique several more times.\r\nApril 4, 2019: First use of password-protected Zip files containing Microsoft Word documents. At the time of writing of this analysis, the actor has only used this method once.\r\nFigure 5: TA542 most commonly uses Microsoft Word documents with macros. The actor periodically updates the visual lure used in the document. This collage shows many of the lures used.\r\nFigure 6: PDF attachment examples used by this threat actor. The actor commonly abuses the branding of large financial institutions, telecommunications companies, and more in the PDFs.\r\nConclusion\r\nIn the last two years, TA542 has become one of the most prolific threat actors in the overall threat landscape. Leveraging a robust botnet known as Emotet, TA542 orchestrates high-volume, international email campaigns that distribute hundreds of thousands or even millions of messages per day. They use Emotet to download third-party banking malware such as The Trick, IcedID, and Gootkit, and to facilitate the continued spread of their botnet via a number of modules. As TA542 continues to operate at near-global scale, we can expect Emotet use to grow in the upcoming quarters.\r\nReferences\r\n[1] https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/\r\n[2] https://web.archive.org/web/20140708121405/https://www.abuse.ch/?p=7930\r\n[3] https://www.proofpoint.com/us/threat-insight/post/proofpoint-threat-report-banking-trojans-dominate-malware-landscape-first-months\r\n[4] https://www.trendmicro.com/vinfo/nz/security/news/cybercrime-and-digital-threats/further-emotet-evolution-operators-hijacking-existing-email-threads-to-deliver-malware\r\n[5] https://cofense.com/emotet-gang-switches-highly-customized-templates-utilizing-stolen-email-content-victims/\r\n[6] https://www.kryptoslogic.com/blog/2018/10/emotet-awakens-with-new-campaign-of-mass-email-exfiltration/\r\n[7] https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/\r\n[8] https://www.cert.pl/en/news/single/analysis-of-emotet-v4/\r\n[9] https://twitter.com/kafeine/status/804360636847321088\r\n[10] https://www.fidelissecurity.com/threatgeek/threat-intelligence/emotet-network-spreader-component/\r\n[11] https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service"
	],
	"report_names": [
		"threat-actor-profile-ta542-banker-malware-distribution-service"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775792143,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e722b78ccb2678579d9980083debe43b39a1a6ff.pdf",
		"text": "https://archive.orkl.eu/e722b78ccb2678579d9980083debe43b39a1a6ff.txt",
		"img": "https://archive.orkl.eu/e722b78ccb2678579d9980083debe43b39a1a6ff.jpg"
	}
}