{
	"id": "a5ad02fe-3be3-458a-950a-4944027e684e",
	"created_at": "2026-04-06T00:12:51.521749Z",
	"updated_at": "2026-04-10T03:34:54.844103Z",
	"deleted_at": null,
	"sha1_hash": "f0aef069587f27108c9c71d29508608de956aab8",
	"title": "Unskilled hacker linked to years of attacks on aviation, transport sectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1241270,
	"plain_text": "Unskilled hacker linked to years of attacks on aviation, transport sectors\r\nBy Ionut Ilascu\r\nPublished: 2022-02-15 · Archived: 2026-04-05 13:52:25 UTC\r\nFor years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries.\r\nThe threat actor has been active since at least 2017, targeting entities in the aviation, aerospace, transportation, manufacturing, and defense industries.\r\nTracked as TA2541 by cybersecurity company Proofpoint, the adversary is believed to operate from Nigeria, and its activity has been documented before in analyses of separate campaigns.\r\nhttps://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/\r\nPage 1 of 4\r\n\r\nNon-sophisticated attacks\r\nIn a report today, Proofpoint notes that TA2541 has been consistent about its attack method, relying on malicious Microsoft Word documents to deliver a remote access tool (RAT).\r\nA typical malware campaign from this group involves sending “hundreds to thousands” of emails - mostly in English - to “hundreds of organizations globally, with recurring targets in North America, Europe, and the Middle East.”\r\nRecently, though, the group switched from malicious attachments to linking to a payload hosted in cloud services such as Google Drive, Proofpoint researchers say.\r\nTA2541 does not use custom malware but commodity malicious tools available for purchase on cybercriminal forums. According to the researchers’ observations, AsyncRAT, NetWire, WSH RAT, and Parallax appear to be the group’s favorites, being pushed most often in malicious messages.\r\nProofpoint highlights that all malware used in TA2541 campaigns can be used to collect information, but the threat actor’s ultimate goal remains unknown at the moment.\r\nA typical TA2541 attack chain starts with an email whose lure is usually related to transportation (e.g. flight, aircraft, fuel, yacht, charter, cargo) and that delivers a malicious document.\r\n“In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file. If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub” - Proofpoint\r\nIn the next step, the adversary injects PowerShell into various Windows processes and looks for installed security products by querying Windows Management Instrumentation (WMI).\r\nThen it tries to disable the built-in defenses and starts gathering system information before downloading the RAT payload onto the compromised host.\r\nGiven TA2541’s choice of targets, its activity has not gone unnoticed, and security researchers from other companies have analyzed its campaigns [1, 2, 3] in the past, but without connecting all the dots.\r\nCisco Talos published a report last year about a TA2541 campaign targeting the aviation industry with AsyncRAT. The researchers concluded that the actor had been active for at least five years.\r\nBased on evidence from analyzing the infrastructure used in the attack, Cisco Talos was able to build a profile for the threat actor, linking its geographic location to Nigeria.\r\n“While researching the actor's activities, using passive DNS telemetry, we compiled the list of IPs used by the domain akconsult.linkpc.net. The chart below shows that roughly 73 percent of the IPs were based in Nigeria, further strengthening the theory that the actor in question is based in Nigeria.” - Cisco Talos\r\nIn a single campaign, the actor can send up to several thousand emails to dozens of organizations, and the messages are not tailored to individuals with specific roles. This shows that TA2541 is not concerned with the stealth of its actions, further supporting the theory of a non-skilled actor.\r\nWhile thousands of organizations have been targeted in these “spray-and-pray” attacks, companies across the globe in the aviation, aerospace, transportation, manufacturing, and defense industries appear to be a constant target.\r\nEven if TA2541’s tactics, techniques, and procedures (TTPs) describe an adversary that is not technically sophisticated, the actor managed to run malicious campaigns for more than five years without raising too many flags.\r\nSource: https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/"
	],
	"report_names": [
		"unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434371,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0aef069587f27108c9c71d29508608de956aab8.pdf",
		"text": "https://archive.orkl.eu/f0aef069587f27108c9c71d29508608de956aab8.txt",
		"img": "https://archive.orkl.eu/f0aef069587f27108c9c71d29508608de956aab8.jpg"
	}
}