{
	"id": "b74673d9-0203-46ed-8699-6cbed1d28a2f",
	"created_at": "2026-04-06T00:15:04.885351Z",
	"updated_at": "2026-04-10T03:34:54.826696Z",
	"deleted_at": null,
	"sha1_hash": "f6e922284e2c8128b77bbe52caf11f3b8aa0a19e",
	"title": "TA2541: APT Has Been Shooting RATs at Aviation for Years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80305,
	"plain_text": "TA2541: APT Has Been Shooting RATs at Aviation for Years\r\nBy Elizabeth Montalbano\r\nPublished: 2022-02-15 · Archived: 2026-04-05 16:27:17 UTC\r\nSince 2017, the attacker has flung simple off-the-shelf malware in malicious email campaigns aimed at aviation,\r\naerospace, transportation and defense.\r\nResearchers have identified an advanced persistent threat (APT) group responsible for a series of cyberespionage\r\nand spyware attacks against the aviation, aerospace, transportation and defense industries since at least 2017 that\r\nfeature high-volume email campaigns using industry-specific lures.\r\nThe group, which researchers have dubbed TA2541, typically sends hundreds of thousands of malicious messages\r\n– nearly always in English – that ultimately deliver a remote-access trojan (RAT) payload using commodity\r\nmalware to collect data from victims’ machines and networks, according to a new report by Proofpoint released\r\nTuesday. These campaigns have affected hundreds of organizations across the world, with recurring targets in\r\nNorth America, Europe and the Middle East, researchers said.\r\nThough a number of the group’s attacks already have been tracked by various researchers – including Microsoft,\r\nMandiant, Cisco Talos, Morphisec and others – since at least 2019, Proofpoint’s latest research shares\r\n“comprehensive details linking public and private data under one threat activity cluster we call TA2541,”\r\nresearchers wrote.\r\nIndeed, previously reported attacks related to TA2541 include a two-year spyware campaign against the aviation\r\nindustry using the AsyncRAT called Operation Layover and uncovered by Cisco Talos last September, and a\r\ncyberespionage campaign against aviation targets spreading RevengeRAT or AsyncRAT revealed by Microsoft\r\nlast May, among others.\r\nFive Years and Still Flying High\r\nProofpoint first started tracking the actor in 2017 when its tactic of choice was to send messages with “macro-laden Microsoft Word attachments” that downloaded RAT payloads. The group has since tweaked this tactic and\r\nnow most frequently sends messages with links to cloud services such as Google Drive or OneDrive hosting the\r\npayload, according to the report.\r\nHowever, although the approach to how they hide their malicious payload has varied, the group has mostly\r\nremained consistent in its choice of targets, lures and the type of payloads it uses, observed Sherrod DeGrippo,\r\nvice president of Threat Research \u0026 Detection at Proofpoint.\r\nhttps://threatpost.com/ta2541-apt-rats-aviation/178422/\r\nPage 1 of 3\n\n“What’s noteworthy about TA2541 is how little they’ve changed their approach to cybercrime over the past five\r\nyears, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute\r\nremote access trojans,” she said in an email to Threatpost. “This group is a persistent threat to targets throughout\r\nthe transportation, logistics, and travel industries.”\r\nIn terms of which specific RATs are used, attackers tap a variety of low-hanging fruit – that is, commodity\r\nmalware that’s available for purchase on criminal forums or available in open-source repositories. Currently,\r\nTA2541 prefers to drop AsyncRAT on victims’ machines but also is known to use NetWire, WSH RAT and\r\nParallax, researchers said.\r\nSo far, all of the malware distributed by the group has been aimed at information-gathering purposes and to gain\r\nremote control of an infected machine, with researchers acknowledging that they don’t know the threat actor’s\r\n“ultimate goals and objectives” beyond this initial compromise, they said.\r\nTypical Malicious Emails\r\nA typical malicious message in a TA2541 campaign uses a lure related to some type of logistical or transportation\r\ntheme related to one of the particular industries it’s targeting, researchers said.\r\n“In nearly all observed campaigns, TA2541 uses lure themes that include transportation-related terms such as\r\nflight, aircraft, fuel, yacht, charter, etc.,” according to the report.\r\nFor example, researchers revealed an email that impersonated an aviation company requesting information on\r\naircraft parts, as well as another that requested info on how to transport a medical patient on a stretcher on an\r\nambulatory flight.\r\nOnce the COVID-19 pandemic hit in March 2020, the group shifted bait tactics slightly and – like many other\r\nthreat actors – adopted COVID-related lures consistent with their overall theme of cargo and flight details,\r\nresearchers noted.\r\n“For example, they distributed lures associated with cargo shipments of personal protective equipment (PPE) or\r\nCOVID-19 testing kits,” researchers noted.\r\nHowever, this shift was short-lived, and TA2541 rather quickly returned to its more generic, transportation-related\r\nemail themes, they added.\r\nCurrent Attack Vector\r\nIn current campaigns observed by Proofpoint, if victims take the bait, they will usually be directed to click on a\r\nGoogle Drive URL that leads to an obfuscated Visual Basic Script (VBS) file, researchers said.\r\n“If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext,\r\nSharetext, and GitHub,” researchers wrote. “The threat actor executes PowerShell into various Windows processes\r\nand queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall\r\nsoftware, and attempts to disable built-in security protections.”\r\nIn this way, TA2541 collects system information before then downloading the RAT on the host machine,\r\naccording to the report.\r\nGoogle Drive has been a consistent tool of the threat group, but occasionally TA2541 also will use OneDrive to\r\nhost the malicious VBS files, researchers said. In late 2021, Proofpoint also observed the group using DiscordApp\r\nURLs that link to a compressed file that led to either AgentTesla or Imminent Monitor as an attack vector,\r\nresearchers said. Indeed, the Discord content delivery network (CDN) has been an increasingly popular way for\r\nthreat actors to use a legitimate and popular app for nefarious purposes.\r\nOccasionally TA2541 also will use email attachments instead of cloud-based service links, including compressed\r\nexecutables such as RAR attachments with an embedded executable containing a URL to CDNs hosting the\r\nmalware payload, they added.\r\nSource: https://threatpost.com/ta2541-apt-rats-aviation/178422/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/ta2541-apt-rats-aviation/178422/"
	],
	"report_names": [
		"178422"
	],
	"threat_actors": [
		{
			"id": "4f5da0b4-5d47-4ae4-87cb-dfcb3c3524ae",
			"created_at": "2022-10-25T16:07:23.96921Z",
			"updated_at": "2026-04-10T02:00:04.812941Z",
			"deleted_at": null,
			"main_name": "Operation Layover",
			"aliases": [],
			"source_name": "ETDA:Operation Layover",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"CyberGate",
				"CyberGate RAT",
				"Jorik",
				"Rebhip",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6e922284e2c8128b77bbe52caf11f3b8aa0a19e.pdf",
		"text": "https://archive.orkl.eu/f6e922284e2c8128b77bbe52caf11f3b8aa0a19e.txt",
		"img": "https://archive.orkl.eu/f6e922284e2c8128b77bbe52caf11f3b8aa0a19e.jpg"
	}
}