TA2541

Threat Actor Profile Updated 2 months ago
TA2541, a cybercriminal threat actor identified by Proofpoint, has been actively executing malicious actions since January 2017. This group demonstrates persistent and ongoing threat activity, targeting sectors related to aviation, transportation, and travel. Unlike many similar entities, TA2541 does not typically use current events, trending topics, or news items in its social engineering lures. Instead, it uses specific themes related to its target industries. The group frequently utilizes commodity malware, high-volume messaging, and command and control infrastructure, indicating a broad and consistent approach to cybercrime.

The group's technical tactics, techniques, and procedures (TTPs) include the use of Virtual Private Servers for email sending infrastructure and Dynamic DNS (DDNS) for command and control infrastructure. Notably, TA2541 regularly uses the same domain registrars, including Netdorm and No-IP DDNS, and hosting providers such as xTom GmbH and Danilenko, Artyom. A common pattern observed with TA2541 C2 domains and payload staging URLs includes the keywords "kimjoy", "h0pe", and "grace".

TA2541 has shown a varied approach to malware use over time, with AsyncRAT currently being the malware of choice. However, in 2020, Proofpoint observed TA2541 distributing over 10 different types of malware, all using the same initial infection chain. All the malware used by TA2541 serves information gathering purposes and facilitates remote control of an infected machine. It is likely that TA2541 will continue using AsyncRAT and vjw0rm in future campaigns, along with other commodity malware to support its objectives, posing a continuous and significant threat to its targeted sectors.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so this section lists possible overlapping names or profiles that may also be worth reviewing. No overlapping profiles are currently listed.
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Malware, Cybercrime, Exploit, RAT, Payload, Proofpoint.
Associated Malware
NETWIRE (type: Unspecified; votes: 1)
NetWire is a type of malware, specifically a remote access trojan (RAT), that has been utilized for various malicious activities since at least 2014. Initially promoted as a legitimate tool for managing Windows computers remotely, NetWire was quickly adopted by cybercriminals and used in phishing at

AsyncRAT (type: Unspecified; votes: 1)
AsyncRAT is a malicious software (malware) that targets computer systems to exploit and damage them, often infiltrating the system without the user's knowledge through suspicious downloads, emails, or websites. The malware operates by loading an executable which unpacks a DLL in memory, subsequently

DarkGate (type: Unspecified; votes: 1)
DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host

AgentTesla (type: Unspecified; votes: 1)
AgentTesla is a well-known remote access trojan (RAT) that has been used extensively in cybercrime operations. It infiltrates systems through various methods, including malicious emails and suspicious downloads. Once inside, it can steal personal information, disrupt operations, or hold data hostage
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the TA2541 threat actor was read from the document corpus below. This display is limited to 20 results.

- DARKReading (5 months ago): Bumblebee Malware Buzzes Back on the Scene After 4-Month Hiatus
- MITRE (7 months ago): TA2541: Threats to Aviation, Aerospace, & Travel | Proofpoint US