{
	"id": "204b45a0-704f-4315-bb9c-2fa34c49cb1d",
	"created_at": "2026-04-06T00:13:00.887482Z",
	"updated_at": "2026-04-10T03:36:37.176795Z",
	"deleted_at": null,
	"sha1_hash": "f796ac6ab69815119ad35cfd7c348d18939ebde0",
	"title": "TA505 Uses HTML, RATs, Other Techniques in Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 116092,
	"plain_text": "TA505 Uses HTML, RATs, Other Techniques in Campaigns\nBy Hara Hiroaki, Loseway Lu\nPublished: 2019-06-12 · Archived: 2026-04-05 21:21:37 UTC\n\nTA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. We have been following TA505 closely and detected various related activities for the past two months. In the group's latest campaign, they started using HTML attachments to deliver malicious .XLS files that lead to the downloader and backdoor FlawedAmmyy, mostly to target users in South Korea.\n\nFigure 1. TA505’s latest infection chain\n\nThis blog post covers three main points involving TA505: their recent activity in specific regions, shifting tactics and payloads, and suspicious activity possibly associated with the group. We also touch on the latest TA505 developments, including an email stealer, their use of legitimate software and MSI Installer, and more.\n\nRecent activity in Latin America and East Asia\n\nAs previously mentioned, TA505, first named by Proofpoint, is known for targeting financial enterprises. Since last December, TA505 has been very active and has been using legitimate or compromised RATs (remote access trojans) such as FlawedAmmyy, FlawedGrace, and Remote Manipulator System (RMS).\n\nWhile monitoring their activities, we found that the group is still updating their tactics, techniques, and procedures (TTPs). In April, TA505 targeted the Latin American countries Chile and Mexico, and even Italy, using either FlawedAmmyy RAT or RMS RAT as payload. By the end of April, we learned that the group started to go after targets in East Asian countries such as China, South Korea, and Taiwan using FlawedAmmyy RAT as its payload.\n\nTA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file. The group notably abuses Excel 4.0 macro, a particularly old macro likely used to evade typical macro detection.\n\nFigure 2. Korean language (left), simplified Chinese language (right) Microsoft Office instructions on how to enable macro\n\nFigure 3. Excel 4.0 macro\n\nThis macro executes a command to download the first stage payload using msiexec.exe, a Microsoft Installer tool that can download and run a Windows Installer file. The first stage payload is an MSI Installer that was created using an EXE to MSI converter.\n\nFigure 4. MSI Installer payload that used EXE to MSI converter\n\nThe actual malicious payload is in the MSI Installer package. The payload can vary in each campaign, but it typically uses the FlawedAmmyy downloader, ServHelper, or RMS RAT launcher.\n\nPayload as FlawedAmmyy downloader\n\nThe MSI Installer itself contains a FlawedAmmyy downloader, which is always signed.\n\nFigure 5. FlawedAmmyy downloader\n\nFigure 6. Digitally signed FlawedAmmyy downloader\n\nThe downloader will check if the infected machine is running in an Active Directory (AD) network. It runs the “net group /domain” command and checks if “workgroup” is contained in the output. (If it is not present, it means that the PC is running in AD.) After performing the check, it downloads the RC4-encrypted FlawedAmmyy RAT, decrypts it, and executes it as the final payload.\n\nWe recently observed an instance where the FlawedAmmyy downloader was not digitally signed (the FlawedAmmyy RAT payload is still signed, however). It could be a blip, perhaps a one-off, but it's still notable.\n\nPayload as ServHelper\n\nServHelper is classified as a backdoor, but it can also work as a downloader for FlawedGrace. If the MSI Installer package contains ServHelper as a payload, it will come with an NSIS (Nullsoft Scriptable Install System) installer.\n\nFigure 7. NSIS Installer\n\nNSIS is a legitimate tool that manages installation for Windows, but some hacking groups also abuse it. TA505, for instance, abuses NSIS to install ServHelper. This NSIS installer has two files (nsExec.dll and repotaj.dll) and [NSIS].nsi. The latter is a configuration file that handles the files to install.\n\nFigure 8. NSIS Installer sections\n\nIn this case, repotaj.dll, which is ServHelper, will be extracted to %TEMP% and executed with the “feast” parameter as its export function. Once ServHelper is executed, it runs a PowerShell script to get information from the infected machine.\n\nPayload as RMS RAT\n\nTA505 also uses RMS, a legitimate RAT, in their campaigns. If the MSI Installer package contains RMS RAT as its payload, it will include a self-extracting RAR.\n\nFigure 9. SFXRAR\n\nThis SFXRAR extracts three files to %TEMP% and executes one of them: exit.exe is a launcher for i.cmd; i.cmd renames kernel.dll to uninstall.exe, then executes it with parameters.\n\nFigure 10. Three files extracted from SFXRAR\n\nFigure 11. Executed parameters\n\nAs indicated in the parameters above, kernel.dll/uninstall.exe is also an SFXRAR, but password-protected. It will extract the following files (Figure 12) and execute exit.exe, which is again a launcher of i.cmd; that i.cmd registers winserv.exe (the actual RMS RAT) and executes it. The password used to extract from the RAR file is passed by the parameter “-p”, which is set in i.cmd.\n\nFigure 12. Extracted files\n\nFigure 13. RMS RAT is added to the startup registry and executed\n\nUpdates on TA505's tactics, techniques and procedures\n\nFrom the tail end of April through early June, we observed TA505 changing its tactics, techniques, and procedures (TTPs) in a variety of ways. The following is a quick rundown of the group's varying methods.\n\nUsing Amadey to distribute EmailStealer\n\nOn April 24, we detected an attack that used Amadey as its first stage payload. Amadey is a known downloader for another payload (the FlawedAmmyy downloader) and EmailStealer, which steals email accounts or SMTP credentials from infected PCs.\n\nIn this particular attack, we discovered that the C\u0026C server of EmailStealer had an open directory, allowing us to view the information that EmailStealer stole. We presume the information, primarily comprised of lists of email addresses, will be used in future attacks.\n\nUsing VBA macro\n\nTA505 has been using Excel 4.0 macro for a while, but we recently observed the group using the usual VBA (Visual Basic for Applications) macro along with Excel 4.0 macro. However, they still hide the command and malicious URL in a “UserForm” and not in the VBA code.\n\nFigure 14. Malicious command and URL hidden in UserForm\n\nAvoiding the use of msiexec.exe\n\nAs previously mentioned, TA505 abuses msiexec.exe to install its first stage payload, but we recently observed the group directly downloading the first stage payload binary and executing it. Like the VBA macro code, the group simply executes the downloaded file 234.exe via cmd.exe. This is possibly because endpoint security solutions easily detect msiexec.exe.\n\nUsing HTML as an attack entry point\n\nTA505 has been using Excel files, Word documents, or .WIZ files as its attack entry point. However, as mentioned earlier, the group has also started to attach an HTML link in emails to trick users into opening the Excel file.\n\nFigure 15. Attached HTML\n\nOpening this HTML link will redirect the user to a malicious URL that hosts the malicious Excel file. The Excel file still has the same style of VBA macro, which was described in the previous section. This could mean that the group is trying to change the entry point's file type to bypass macro detection.\n\nIn early June, for instance, we saw HTML in emails that used a friendly tone so recipients would download the Excel file. Some recent cases we observed even had the Excel file directly attached to the emails.\n\nFigure 16. HTML shows a message before Excel download (Translation from Korean: Downloading ... ... will be taken to the download page after a while .... If you wait a while and continue to see this message, please click on [link](\u003cMALICIOUS_URL\u003e)! Thank you.)\n\nSuspicious activity involving TA505\n\nWhile analyzing TA505's activities, we encountered strange attacks that were very similar to TA505’s TTPs but with some differences. This section discusses a particular attack that, like the usual TA505 attack, distributes RMS RAT via Excel and SFXRAR. But it also contains Kronos, a known banking trojan, and SmokeLoader, which is another payload downloader. While the attack shows characteristics that are similar to those of TA505's attacks, we suspect that this could be a forged attack. As for the reason why we are dubious about this attack, another report has also since surfaced discussing that some threat actor was using tools similar to TA505’s.\n\nIn this attack, the basic TTPs and tools used seem similar, but we found five interesting points that set them apart:\n\nUsing .rar or .zip as attachment\n\nThe TA505 group usually attaches a malicious file without any compression. But this attack sent an email with a .rar or .zip attachment. However, this may not be a significant difference.\n\nUsing a similar image on Excel but with different macro and attribution\n\nThe following image on Excel appears similar to the one TA505 has been using.\n\nFigure 17. Display on Excel for this suspicious attack\n\nBut there are a few differences in this Excel file. For one thing, it has a different style of VBA macro. TA505 has been using Excel 4.0 macro and VBA macro without heavy obfuscation, but this particular Excel file was heavily obfuscated and had a different style.\n\nFigure 18. VBA macro with heavy obfuscation\n\nAnother factor is its different codepage. Malicious Excel files that TA505 distributed had information harvesting capabilities. For example, the codepage of Excel has always been “1251” Cyrillic (Windows), but the codepage of this particular attack was “1252” Western European (Windows).\n\nFigure 19. Information of Excel file used in this suspicious attack\n\nFigure 20. Information of the usual Excel file distributed by TA505\n\nLacking the use of fast flux infrastructure\n\nTA505 uses fast flux, a DNS technique used to mask botnets by quickly shifting among compromised hosts, which allows cybercriminals to delay or evade detection. The domains the group has been using to distribute payloads usually resolved to a lot of IPs.\n\nBut in this attack, the domains used to distribute the payload only had one IP. It should be noted, however, that TA505 may have used different infrastructure for this instance, or another attacker may have performed malicious activities under the guise of TA505.\n\nUsing Kronos and SmokeLoader (v2019)\n\nTA505 previously used Amadey to distribute the FlawedAmmyy downloader, so the use of Kronos and SmokeLoader can’t be considered strong evidence of false attribution.\n\nUsing a different infrastructure to distribute spam\n\nThe strongest evidence that this attack might not come from TA505 is that this attack operator used a different spam infrastructure. Our daily monitoring of TA505's activities shows that the group sends spam from specific IPs; this suspicious attack used different sender IPs. We couldn’t find any of the IPs used in previous attacks.\n\nWe can’t say for sure if this particular attack comes from TA505, another threat actor, an imitator, or perhaps just TA505 using another infrastructure. This reiterates the tricky business of attribution in cybersecurity, which calls for careful inspection. While it's easy to attribute similar incidents to certain threat actors, groups, or even countries, attribution should ultimately be based on technically provable information. After all, attributions can be used to operationalize appropriate incident response and remediation.\n\nDefending against TA505's malicious activities\n\nTA505 has been responsible for many large-scale attacks since at least 2014, using malicious email campaigns to distribute various banking trojans, ransomware, RATs, and backdoors. They have also targeted retail brands and even different financial companies across the world. TA505 has been focused on delivering downloaders, information stealers, and other malware, threats that can remain in affected systems if not prevented or remediated. With the group's use of email as an entry point for malicious activities, the threat has become more serious for unwitting users and organizations. Here are some best practices:\n\nRegularly update systems and applications.\nIncorporate multilayered security mechanisms such as firewalls and intrusion detection and prevention systems.\nFor system administrators, secure the email gateway to prevent it from becoming an attack entry point and proactively monitor possible attack vectors.\n\nTo defend against spam and threats from the TA505 group, businesses can consider Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.\n\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.\n\nThe list of indicators of compromise (IoCs) related to this threat can be found in this appendix.\n\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/"
	],
	"report_names": [
		"shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f796ac6ab69815119ad35cfd7c348d18939ebde0.pdf",
		"text": "https://archive.orkl.eu/f796ac6ab69815119ad35cfd7c348d18939ebde0.txt",
		"img": "https://archive.orkl.eu/f796ac6ab69815119ad35cfd7c348d18939ebde0.jpg"
	}
}