{
	"id": "38506ade-b53e-44f1-ab16-0707e372b56a",
	"created_at": "2026-04-06T01:32:08.208283Z",
	"updated_at": "2026-04-10T13:12:17.572932Z",
	"deleted_at": null,
	"sha1_hash": "ef6dfa1c4a8ec38beae47139947a7cad27b33c5b",
	"title": "An Encounter With TA551/Shathak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 657458,
	"plain_text": "An Encounter With TA551/Shathak\r\nBy Andrew Cook\r\nArchived: 2026-04-06 00:51:09 UTC\r\nThe Recon incident response team recently responded to a case of business email compromise. The incident spanned over seven months of potential dwell time and included the unraveling of encrypted malware hidden in an image file. Our analysis attributed the incident to a threat group known as TA551/Shathak, known for stealing banking credentials.\r\nRead on to learn more!\r\nFIRST SIGN OF TROUBLE\r\nMost business email compromise investigations seem to start in one of two ways:\r\n1. Someone uncovers a fraudulent wire transfer that leads back to a compromised mailbox\r\n2. A compromised user begins receiving confused responses and bounce-back errors for weird emails they never sent\r\nIn this case, we were called in for #2.\r\nTo start, all we had were the error messages and responses sent back to the compromised user. They told us our victim was sending out messages that looked like this:\r\nHello ,\r\nThe important information for you.\r\nSee the attachment to the email.\r\nPassword - 1234567\r\nhttps://blog.reconinfosec.com/an-encounter-with-ta551-shathak\r\nPage 1 of 5\n\nThanks\r\nAttached: request.zip\r\nWe've seen this campaign before; it's TA551/Shathak. We've been quick to catch these malicious emails for existing customers before they can do damage. Unfortunately, this was not an existing customer. Without pre-deployed monitoring and log aggregation tools, we knew we'd have to perform some manual analysis of the affected user's system and email mailbox.\r\nINITIAL ACCESS\r\nWe had two plausible hypotheses for initial access. First, as we quickly learned, the victim's password was guessable. Based on the configuration of the email server, anyone could brute force this password from the Internet without any mitigating controls. 
This would be our best-case scenario because it would limit the incident's scope to the compromised email account. Unfortunately, this hypothesis doesn't match the known tactics of TA551/Shathak.\r\nThis leads to our second hypothesis: our victim opened a malicious attachment similar to the ones sent from the compromised account. Our victim likely received a similar email some time in the past. A compromised system would increase the scope of our investigation beyond just webmail.\r\nPROVING WORKSTATION COMPROMISE\r\nOur customer asked us to prove that malware on the workstation was the initial access point in order to justify the effort and cost of remediating the system. We also wanted to bolster our evidence attributing this incident to TA551/Shathak. At that moment all we really had were the contents of the outbound emails.\r\nOur team uses Velociraptor to interrogate and analyze endpoints. We started by querying for any evidence of requests.zip on the user's system. We found it sitting in the Downloads folder, created about seven months earlier.\r\nThis was a quick win, but not a guarantee of a successful compromise. It may be fair to conclude that this downloaded file was our smoking gun, but it's still an assumption. The seven-month gap increased the risk that we were looking at a failed first attempt; the user may never have run this malicious file. We wanted evidence of code execution.\r\nMimecast's excellent writeup on TA551/Shathak and its malware goes into detail about what we should expect to see in the next stage of the attack. The encrypted zip file contains a macro-enabled Office document. According to Mimecast, the malicious document uses a series of C2 channels and droppers to download and execute malware hidden in an encrypted PNG image. 
This image file, stored somewhere in C:\\Windows\\Temp, became our next target.\r\nDECRYPTING THE MALWARE\r\nOnce again, Velociraptor gave us a quick way to search for this PNG file. We found a likely candidate in C:\\Users\\{user}\\AppData\\Local\\{GUID}\\Bcqethuh.png. This file was created several months after requests.zip, which was unexpected. To eliminate any doubt that this suspicious PNG file was malicious and tied to our TA551/Shathak campaign, we kicked off an effort to decrypt it.\r\nWe tinkered with Mimecast's proof-of-concept decryption code, and *poof*, our suspicious PNG revealed itself as executable malware, likely the IcedID banking trojan. Our working decryption code is available on our GitHub.\r\nResults of decrypt.py\r\nEncrypted PNG File Reveals Hidden Executable Code\r\nFINDINGS AND NEXT STEPS\r\nWith our initial triage complete, we were ready to give our customer an update: this incident actually started several months ago and affected more than just the user's mailbox. The attacker had gained access to the victim user's workstation via a malicious Word document. As a result of this compromise, the IcedID banking trojan was executed on the system, resulting in at least the theft of the user's email credentials. These stolen credentials were what the attacker used to send malicious emails to the victim's contacts. Based on our attribution, the attacker was likely looking for banking credentials.\r\nOur tactical recommendations included isolating the affected workstation, resetting the user's credentials (including anywhere this credential was reused), and notifying the employee about the personal risks of the banking trojan so they could take appropriate precautions. 
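Going back to the encrypted PNG from DECRYPTING THE MALWARE: the post relies on Mimecast's proof-of-concept to recover the payload, and that routine is not reproduced here. The Python below is an added example, not the Recon team's decrypt.py and not Mimecast's code. It shows the generic triage an analyst can run on a suspect image before committing to a full decryption effort: walk the PNG chunk table, flag chunk types the PNG specification does not define, bad CRCs and bytes trailing the IEND chunk, and probe whether any chunk body is a PE image under a plaintext or single-byte XOR encoding (a common stego trick, assumed here for illustration and not a claim about how TA551 encodes its payload). The sample PNGs, the bogus xDAT chunk and the fake PE stub are constructed inline.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex('89504e470d0a1a0a')
PE_SIG = bytes.fromhex('50450000')   # the PE signature, the bytes P E 0 0
MZ = b'MZ'
# Chunk types defined by the PNG specification plus the APNG extension.
STANDARD_CHUNKS = {
    'IHDR', 'PLTE', 'IDAT', 'IEND', 'tRNS', 'cHRM', 'gAMA', 'iCCP', 'sBIT',
    'sRGB', 'tEXt', 'zTXt', 'iTXt', 'bKGD', 'hIST', 'pHYs', 'sPLT', 'tIME',
    'eXIf', 'acTL', 'fcTL', 'fdAT',
}


def parse_chunks(data):
    '''Walk the chunk table. Returns ([(type, body, crc_ok, offset), ...], bytes after IEND).'''
    if not data.startswith(PNG_SIG):
        raise ValueError('not a PNG: bad signature')
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, = struct.unpack('>I', data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8].decode('latin-1')
        end = pos + 12 + length
        if end > len(data):                      # declared length runs past EOF: truncated or corrupt
            chunks.append((ctype, data[pos + 8:], False, pos))
            return chunks, b''
        body = data[pos + 8:pos + 8 + length]
        stored_crc, = struct.unpack('>I', data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xffffffff) == stored_crc
        chunks.append((ctype, body, crc_ok, pos))
        pos = end
        if ctype == 'IEND':
            break
    return chunks, data[pos:]


def xor_pe_key(blob):
    '''Return the single-byte XOR key (0 for plaintext) if blob starts with a PE image, else None.
    Generic stego probe, assumed for illustration: the known MZ bytes give the key, and the check
    that e_lfanew points at a PE signature keeps random data from matching. Not the TA551 scheme.'''
    if len(blob) < 0x40:
        return None
    key = blob[0] ^ MZ[0]
    if (blob[1] ^ key) != MZ[1]:
        return None
    e_lfanew, = struct.unpack('<I', bytes(b ^ key for b in blob[0x3c:0x40]))
    if e_lfanew + 4 > len(blob):
        return None
    if bytes(b ^ key for b in blob[e_lfanew:e_lfanew + 4]) != PE_SIG:
        return None
    return key


def triage_png(data):
    '''Findings that matter when an image is suspected of carrying a payload.'''
    chunks, trailer = parse_chunks(data)
    findings = []
    for ctype, body, crc_ok, off in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append('non-standard chunk %s, %d bytes at offset %d' % (ctype, len(body), off))
        if not crc_ok:
            findings.append('bad CRC in chunk %s at offset %d' % (ctype, off))
        key = xor_pe_key(body)
        if key is not None:
            findings.append('PE image inside chunk %s (xor key 0x%02x)' % (ctype, key))
    if trailer:
        findings.append('%d bytes of data after IEND' % len(trailer))
        key = xor_pe_key(trailer)
        if key is not None:
            findings.append('PE image in trailer (xor key 0x%02x)' % key)
    return findings


def _chunk(ctype, body):
    '''Encode one chunk with a correct CRC (only used to build the constructed samples).'''
    tag = ctype.encode('ascii')
    return struct.pack('>I', len(body)) + tag + body + struct.pack('>I', zlib.crc32(tag + body) & 0xffffffff)


def build_samples():
    '''Constructed 1x1 PNGs: a clean one and one carrying a fake, XOR-obfuscated PE stub (not real malware).'''
    ihdr = _chunk('IHDR', struct.pack('>IIBBBBB', 1, 1, 8, 0, 0, 0, 0))
    idat = _chunk('IDAT', zlib.compress(bytes([0, 0])))
    iend = _chunk('IEND', b'')
    clean = PNG_SIG + ihdr + idat + iend
    # Minimal DOS header shape: MZ, zero padding, e_lfanew = 0x40, then the PE signature and some padding.
    stub = MZ + bytes(0x3c - 2) + struct.pack('<I', 0x40) + PE_SIG + bytes(16)
    obfuscated = bytes(b ^ 0x5a for b in stub)
    stego = PNG_SIG + ihdr + idat + _chunk('xDAT', obfuscated) + iend
    return clean, stego


if __name__ == '__main__':
    for label, sample in zip(('clean', 'stego'), build_samples()):
        print(label, triage_png(sample) or ['no findings'])
```

Run it directly to print the findings for both constructed samples. A chunk type the specification does not define, or any chunk on which the PE probe succeeds, is what justifies a decryption effort like the one described above; a CRC mismatch or trailing data on its own only says the file was written by something other than a normal image encoder, and a payload under a real cipher (as in this incident) will pass the PE probe silently, so a clean result here is not proof of a clean file.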
We also started the process of scoping the incident, including analyzing the rest of the environment for evidence of the IcedID trojan and other related indicators.\r\nThis attack showed the importance of a defense-in-depth strategy. Even best practices against email phishing, like email filtering and attachment analysis, would have failed to prevent this incident. To bypass filtering, the email originated from a compromised but legitimate contact. To bypass malware analysis, the attacker encrypted the payload inside a password-protected .zip archive. Our last lines of defense, endpoint protection/detection and user awareness training, were in the best position to stop this attack in its tracks. Every layer of defense matters!\r\nICEDID ENDPOINT DETECTION\r\nThe following two Sigma rules detect IcedID's persistence mechanism: a scheduled task that runs Regsvr32 to load the malicious DLL (MITRE ATT\u0026CK T1053.005 and T1218.010). The first rule matches the schtasks command line at process creation; the second matches the task definition recorded in Security event 4698, which also covers tasks created through the Task Scheduler API rather than schtasks.exe, but only if the audit policy named in its definition field is enabled.\r\ntitle: Suspicious Scheduled Task Creation Leveraging Regsvr32\r\nstatus: stable\r\ndescription: Detects the creation of scheduled tasks that leverage regsvr32 to load malicious dll files\r\nauthor: Luke Rusten\r\nreferences:\r\n  - https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf\r\n  - https://unit42.paloaltonetworks.com/ta551-shathak-icedid/\r\ntags:\r\n  - attack.persistence\r\n  - attack.t1053.005\r\n  - attack.t1218.010\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    CommandLine|contains|all:\r\n      - 'schtasks'\r\n      - ' /create '\r\n      - 'regsvr32'\r\n  condition: selection\r\nfields:\r\n  - CommandLine\r\nfalsepositives:\r\n  - Unknown\r\nlevel: medium\r\n\r\ntitle: Scheduled Task Leveraging Regsvr32\r\ndescription: Detects scheduled tasks that are leveraging regsvr32 to load malicious dll files\r\nstatus: stable\r\nauthor: Luke Rusten\r\nreferences:\r\n  - https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf\r\n  - https://unit42.paloaltonetworks.com/ta551-shathak-icedid/\r\ntags:\r\n  - attack.persistence\r\n  - attack.t1053.005\r\n  - attack.t1218.010\r\nlogsource:\r\n  product: windows\r\n  service: security\r\n  definition: 'The Advanced Audit Policy setting Object Access \u003e Audit Other Object Access Events has to be co\r\ndetection:\r\n  selection:\r\n    EventID: 4698\r\n    TaskContent: '*regsvr32*'\r\n  condition: selection\r\nfalsepositives:\r\n  - Unknown\r\nlevel: medium\r\nLOOKING FOR EXPERTISE?\r\nThe Recon team consists of passionate experts who eat, sleep and breathe defensive security operations. If you are looking for a partner, check out our services or contact us.\r\nSource: https://blog.reconinfosec.com/an-encounter-with-ta551-shathak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.reconinfosec.com/an-encounter-with-ta551-shathak"
	],
	"report_names": [
		"an-encounter-with-ta551-shathak"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439128,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef6dfa1c4a8ec38beae47139947a7cad27b33c5b.pdf",
		"text": "https://archive.orkl.eu/ef6dfa1c4a8ec38beae47139947a7cad27b33c5b.txt",
		"img": "https://archive.orkl.eu/ef6dfa1c4a8ec38beae47139947a7cad27b33c5b.jpg"
	}
}
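Appendix to the endpoint detection section (the two Sigma rules at the end of the post): the rules are given as YAML only, so the following Python is an added example, not code from the original post or from Recon. It transcribes the two rules' detection logic into dicts (no YAML parser needed), implements just the Sigma matching semantics those rules use (a selection map is AND across fields; contains|all requires every listed substring; a bare value with * is a case-insensitive wildcard; EventID is compared numerically; the rule's logsource must agree with the event's category/product/service), and runs them over constructed events standing in for Sysmon/4688 process-creation records and Security 4698/4702 task records. The command lines and task XML are made up for the test and are not indicators from the incident.

```python
import re

# The two Sigma rules from the post, transcribed into dicts so this runs without PyYAML.
RULES = [
    {
        'title': 'Suspicious Scheduled Task Creation Leveraging Regsvr32',
        'logsource': {'category': 'process_creation', 'product': 'windows'},
        'detection': {
            'selection': {'CommandLine|contains|all': ['schtasks', ' /create ', 'regsvr32']},
            'condition': 'selection',
        },
    },
    {
        'title': 'Scheduled Task Leveraging Regsvr32',
        'logsource': {'product': 'windows', 'service': 'security'},
        'detection': {
            'selection': {'EventID': 4698, 'TaskContent': '*regsvr32*'},
            'condition': 'selection',
        },
    },
]

PROC = {'category': 'process_creation', 'product': 'windows'}
SEC = {'product': 'windows', 'service': 'security'}
TASK_XML = '<Task><Actions><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions></Task>'

# Constructed events (not indicators from the incident).
EVENTS = [
    # 0: schtasks creating a task whose action is regsvr32 loading a DLL from AppData -> rule 1
    {'logsource': PROC, 'CommandLine': 'schtasks.exe /create /tn Update /tr "regsvr32.exe /s '
                                       'C:\\Users\\u\\AppData\\Local\\x.dll" /sc minute /mo 60'},
    # 1: benign task creation, no regsvr32
    {'logsource': PROC, 'CommandLine': 'schtasks.exe /create /tn Backup /tr "C:\\Tools\\backup.exe" /sc daily'},
    # 2: regsvr32 run directly; execution, not task creation, so neither rule is meant to fire
    {'logsource': PROC, 'CommandLine': 'regsvr32.exe /s C:\\Users\\u\\AppData\\Local\\x.dll'},
    # 3: Security 4698 (task created) whose definition runs regsvr32 -> rule 2, whatever process created it
    {'logsource': SEC, 'EventID': 4698, 'TaskContent': TASK_XML % ('regsvr32.exe', '/s C:\\Users\\u\\AppData\\Local\\x.dll')},
    # 4: Security 4698 for an unrelated task
    {'logsource': SEC, 'EventID': 4698, 'TaskContent': TASK_XML % ('C:\\Windows\\System32\\wuauclt.exe', '/detectnow')},
    # 5: Security 4702 (task updated) mentioning regsvr32: wrong EventID for rule 2
    {'logsource': SEC, 'EventID': 4702, 'TaskContent': TASK_XML % ('regsvr32.exe', '/s C:\\Users\\u\\AppData\\Local\\y.dll')},
]


def glob_to_regex(pattern):
    '''Sigma plain-value semantics: * and ? are wildcards, everything else is literal, case-insensitive.'''
    parts = ['.*' if ch == '*' else '.' if ch == '?' else re.escape(ch) for ch in pattern]
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)


def value_matches(actual, expected, modifiers):
    '''One field value against one rule value under the given modifiers (only those the two rules need).'''
    if actual is None:
        return False
    text = str(actual)
    if 'contains' in modifiers:
        return str(expected).lower() in text.lower()
    if 'startswith' in modifiers:
        return text.lower().startswith(str(expected).lower())
    if 'endswith' in modifiers:
        return text.lower().endswith(str(expected).lower())
    if isinstance(expected, int) and not isinstance(expected, bool):
        return text.strip().isdigit() and int(text) == expected
    return glob_to_regex(str(expected)).match(text) is not None


def selection_matches(selection, event):
    '''A selection map is AND across fields; a list of values is OR unless the |all modifier is present.'''
    for key, expected in selection.items():
        field, *modifiers = key.split('|')
        values = expected if isinstance(expected, list) else [expected]
        results = [value_matches(event.get(field), v, modifiers) for v in values]
        if not (all(results) if 'all' in modifiers else any(results)):
            return False
    return True


def logsource_applies(rule, event):
    '''The rule only applies to events from the log source it declares.'''
    src = event.get('logsource', {})
    return all(src.get(k) == v for k, v in rule['logsource'].items() if k in ('category', 'product', 'service'))


def run_rules(rules, events):
    '''Return (event index, rule title) for every hit. Only the single-selection condition is supported.'''
    hits = []
    for idx, event in enumerate(events):
        for rule in rules:
            det = rule['detection']
            if det['condition'] != 'selection':
                raise NotImplementedError('only condition: selection is implemented')
            if logsource_applies(rule, event) and selection_matches(det['selection'], event):
                hits.append((idx, rule['title']))
    return hits


if __name__ == '__main__':
    for idx, title in run_rules(RULES, EVENTS):
        print('event %d -> %s' % (idx, title))
```

Events 0 and 3 fire, one per rule. Two things worth noticing: the first rule keys on the literal ' /create ' with a space on both sides, so a command line that puts /create last ('schtasks /tn t /tr regsvr32.exe /create') slips past it even though the task is identical, while case does not matter; and the second rule sees the task XML itself, so it catches a task created through the Task Scheduler API with no schtasks.exe process at all, but only on hosts where event 4698 is actually being generated.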