Shathak

Threat Actor Profile Updated 3 months ago
Shathak, also known as TA551 and UNC2420, is a threat actor that was particularly active in the cybersecurity landscape from April to November 2020. The group is recognized for its email-based malware distribution campaigns, which often target English-speaking victims. Shathak uses a distinct distribution method: password-protected ZIP archives attached to malicious spam (malspam). The frequency of these attacks was notably high between April and June 2020, with waves of Valak malware distributed through this network two to four times a week on average.

The activities of Shathak have been documented across various platforms. It has been discussed on the Malware Don’t Need Coffee blog, where it is attributed to an actor named TA551. Its operations have also been mentioned on Twitter, where its use of malspam to push Valak has been highlighted. This threat actor is financially motivated and has been found to collaborate with elite cybercrime gangs, thereby expanding its reach and potential impact.

In summary, Shathak represents a significant cybersecurity threat due to its prolific and sophisticated malware distribution methods. Its focus on English-speaking victims and its collaboration with other cybercrime entities further raise its threat level. By employing distribution techniques such as password-protected ZIP archives in malspam, Shathak demonstrates an evolving threat landscape that requires continuous vigilance and advanced countermeasures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: TA551 (Votes: 1)
Profile Description: TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma

ID: Unc2420 (Votes: 1)
Profile Description: None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Cybercrime
Associated Malware
ID: Valak (Type: Unspecified, Votes: 1)
Profile Description: Valak is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It was distributed by threat actor TA551, which has historically pushed various families of information-stealing malware such as Ursnif and IcedID. Valak, in particular, is known as a malware down
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Shathak Threat Actor was read from the document corpus below. This display is limited to 20 results.

Source: MITRE (created 7 months ago)
Title: Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds

Source: MITRE (created a year ago)
Title: TA551: Email Attack Campaign Switches from Valak to IcedID

Source: MITRE (created a year ago)
Title: Evolution of Valak, from Its Beginnings to Mass Distribution