TA505

Threat Actor Profile Updated 2 months ago
TA505, also known as the Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks and has shown adaptability through a multi-vector approach to its operations. In June 2023, the U.S. Cybersecurity and Infrastructure Agency (CISA) estimated that TA505 had compromised more than 3,000 US-based organizations and approximately 8,000 victims globally. The group has deployed CL0P ransomware in its attacks and has exploited zero-day vulnerabilities such as the MOVEit Transfer flaw, underscoring the need for enhanced cybersecurity measures.

The group's recent campaigns have used Get2, a downloader written in C++, and SDBbot, a remote access Trojan (RAT) also written in C++ that is delivered by Get2; these campaigns culminated in the deployment of Get2 and SDBbot in September and October 2019. TA505 has also been linked to other criminal hacking groups such as BeagleBoyz, potentially contracting them for initial access development.

In addition to its own activities, TA505 has been associated with Raspberry Robin, a popular initial access option for threat actors that has contributed to major breaches of public and private sector organizations. Other crime groups associated with Raspberry Robin include EvilCorp. Raspberry Robin acts as an initial access broker for these groups, continually shifting its delivery methods and improving its stealth. Understanding TA505's operations and affiliations is therefore crucial for developing effective defenses against this significant cyber threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Clop | 9 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
fin11 | 5 | FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
CVE-2023-34362 | 4 | CVE-2023-34362 is a critical SQL injection vulnerability discovered in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. This flaw in software design or implementation was first exploited by the CL0P Ransomware Gang, also known as TA505, beginning on May 27, 2023. Th
Lace Tempest | 3 | Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi
Truebot | 3 | Truebot is a highly potent malware used by the threat actor group CL0P, which has been linked to various malicious activities aimed at exploiting and damaging computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded,
cl0p | 3 | Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at
Snakefly | 2 | Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0
Get2 Downloader | 1 | The Get2 downloader is a type of malware that has been recently used by the threat actor TA505 in its campaigns. The malicious software, which can infiltrate systems through suspicious downloads, emails, or websites, has been incorporated into new Microsoft Office macros. These macros are embedded w
Hive0065 | 1 | Hive0065, also known as Graceful Spider, TA505, Gold Evergreen, TEMP.Warlock, Chimborazo, or FIN11, is a financially motivated cybercrime group that has been actively targeting various industries such as finance, retail and restaurants since at least 2014. The group has been notorious for distributi
Lemurloot | 1 | LemurLoot is a malicious software, or malware, specifically a web shell written in C# that targets the MOVEit Transfer platform. It was developed and deployed by the CL0P ransomware group to exploit vulnerabilities in systems and steal data. In May 2023, the group exploited a SQL injection zero-day
Silence Cybercrime Group | 1 | The Silence cybercrime group, a threat actor predominantly Russian-speaking, has been associated with significant cybersecurity threats. This entity is known for its malicious activities, including the use of TrueBot, a malware downloader. Since December 2022, this malware has been co-opted by anoth
Graceful Spider | 1 | Graceful Spider, also known as TA505, is a threat actor recognized for its malicious cyber activities. This entity has been identified by the cybersecurity industry as the driving force behind various targeted campaigns with harmful intent. The group could be a single individual, a private organizat
Clop Ransomware Group | 1 | The Clop ransomware group, a threat actor in the cybersecurity realm, has been recognized for its malicious activities involving the exploitation of software vulnerabilities. These entities, which can range from individuals to government entities, are responsible for executing actions with harmful i
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Malware, exploitation, Phishing, Exploit, Zero Day, Mft, Moveit, Payload, Microsoft, CISA, Cybercrime, exploited, Trojan, Vulnerability, Extortion, Cobalt Strike, Web Shell, Ransom, Exploits, Rat, Backdoor, Papercut, Skype, Malware Drop..., Iran, Downloader, Windows, Huntress, Apt, Proofpoint, Fbi, Loader, Spam, Bitcoin, bugs, flaw, Spearphishing, Cloudzy, Goanywhere, Encrypt, Data Leak, Expressvpn
Associated Malware
ID | Type | Votes | Profile Description
Get2 | Unspecified | 4 | Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos
Dridex | Unspecified | 4 | Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
FlawedGrace | Unspecified | 4 | FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo
Lobshot | Unspecified | 3 | Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in
truebot malware | Unspecified | 2 | Truebot malware is a malicious software that infiltrates computer systems, often without the user's knowledge, to exploit and damage the device. It was primarily delivered by cyber threat actors via malicious phishing email attachments, but newer versions observed in 2023 also gained initial access
Raspberry Robin | Unspecified | 2 | Raspberry Robin is a sophisticated malware that has been designed to exploit and damage computer systems. This malicious software infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Raspberry Robin can steal personal information, di
Dewmode | Unspecified | 2 | DEWMODE is a malicious web shell malware, written in PHP, designed to interact with MySQL databases and specifically target Accellion FTA devices. It operates by infiltrating the compromised network and exfiltrating data. During 2020-2021, threat actor group TA505 exploited several zero-day vulnerab
Sdbot | Unspecified | 2 | SDBot is a malicious software, or malware, that has been leveraged by threat actors known as TA505 and CL0P to exploit vulnerabilities in computer systems. It is used as a backdoor to enable the execution of commands and functions in the compromised computer, often without the user's knowledge. The
Lockbit | Unspecified | 1 | LockBit is a type of malware, specifically ransomware, that has been implicated in a series of high-profile cyber attacks on various organizations worldwide. The LockBit ransomware gang infiltrates systems often through suspicious downloads, emails, or websites, and once inside, it can steal persona
Tinymet | Unspecified | 1 | TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your sy
KONNI | Unspecified | 1 | Konni is a malware, short for malicious software, that poses a significant threat to computer systems and data. It's designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, Konni can wreak havoc by stealin
BitPaymer | Unspecified | 1 | BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
SDBbot | Unspecified | 1 | SDBbot is a malicious software (malware) that infiltrates computer systems typically through deceptive downloads, emails, or websites. In the context of cyber threats, it falls under the category of custom malware, used by threat groups such as GOLD TAHOE. Other common offensive security tools and c
FlawedAmmyy | Unspecified | 1 | FlawedAmmyy is a notable malware, specifically a Remote Access Trojan (RAT), that has been leveraged by threat actors for malicious purposes. The malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites unbeknownst to the user.
ServHelper | Unspecified | 1 | ServHelper is a malicious software (malware) first introduced by TA505, a notorious cybercriminal group, in November 2018. It was initially observed in a relatively small email campaign on November 9, 2018, where thousands of messages were used to distribute this new malware family. The campaign uti
Amadey | Unspecified | 1 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Associated Threat Actors
ID | Type | Votes | Profile Description
Evil Corp | Unspecified | 4 | Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
FIN7 | Unspecified | 2 | FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Passcv | Unspecified | 1 | PassCV is a threat actor, or hacking team, that has been identified as part of the Chinese intelligence apparatus. This group has operated under various names including Winnti, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF, indicating a broad and complex network of cyber operations. The group i
Indrik Spider | Unspecified | 1 | Indrik Spider is a notable threat actor known for its cybercriminal activities, particularly in the realm of ransomware. In July 2017, the group entered the targeted ransomware sphere with BitPaymer, using file-sharing platforms to distribute the BitPaymer decryptor. This shift in operations saw Ind
Anunak | Unspecified | 1 | Anunak, also known as Carbanak or FIN7, is a prominent threat actor in the cybercrime landscape. The group emerged around 2013 and specializes in financial theft, primarily targeting Eastern European banks, U.S. and European point-of-sale systems, and other entities. The name "Carbanak" was coined b
BeagleBoyz | Unspecified | 1 | The BeagleBoyz, also known as threat activity group 71 (TAG-71), is a significant cybersecurity threat actor with strong ties to the North Korean state-sponsored APT38. This group, recognized under various aliases such as Bluenoroff and Stardust Chollima, has been involved in extensive cyber operati
Bluenoroff | Unspecified | 1 | BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,
Kimsuky | Unspecified | 1 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
BITTER | Unspecified | 1 | Bitter, also known as T-APT-17, is a suspected South Asian threat actor that has been involved in various cyber campaigns. The group has been active since at least August 2021, with its operations primarily targeting government personnel in Bangladesh through spear-phishing emails. The similarities
Sidewinder | Unspecified | 1 | The Sidewinder threat actor group, also known as Rattlesnake, BabyElephant, APT Q4, APT Q39, Hardcore Nationalist, HN2, RAZOR Tiger, and GroupA21, is a significant cybersecurity concern with a history of malicious activities dating back to 2012. This report investigates a recent campaign by Sidewind
FIN12 | Unspecified | 1 | FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
DarkSide | Unspecified | 1 | DarkSide is a notorious threat actor known for its malicious activities involving ransomware attacks. The group gained significant notoriety in 2021 when it attacked the largest oil pipeline in the United States, leading to a temporary halt of all operations for three days. This incident, along with
Aquatic Panda | Unspecified | 1 | Aquatic Panda, also known as Budworm, Charcoal Typhoon, ControlX, RedHotel, and Bronze University, is a significant threat actor suspected of state-backed cyber espionage activities. This group has been particularly active in the recent quarter, ranking amongst the top geopolitical groups targeting
Clop Gang | Unspecified | 1 | The Clop Gang, a threat actor with malicious intent, has been responsible for significant cybercrimes. This group, like others in the cybersecurity landscape, is known for its harmful actions against various targets. The Clop Gang's activities underscore the need for robust and effective cybersecuri
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-27351 | Unspecified | 2 | None
CVE-2023-27350 | Unspecified | 2 | CVE-2023-27350 is a significant software vulnerability discovered in PaperCut NG/MF, a popular print management software. This flaw in software design or implementation allows attackers to bypass authentication and execute code with system privileges, posing a serious threat to both server and inter
Chimborazo | Unspecified | 1 | None
Source Document References
Information about the TA505 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 5 months ago | Raspberry Robin Jumps on 1-Day Bugs to Nest Deep in Windows Networks
Checkpoint | 5 months ago | Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research
Checkpoint | 5 months ago | 12th February – Threat Intelligence Report - Check Point Research
Unit42 | 5 months ago | Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
CERT-EU | 6 months ago | The Top 10 Ransomware Groups of 2023
InfoSecurity-magazine | 7 months ago | 2023 Cyber Threats: 26,000+ Vulnerabilities, 97 Beyond CISA List
CERT-EU | 7 months ago | CyberTalk with Ray Canzanese
CERT-EU | 8 months ago | Threat Spotlight: Data Extortion Ransomware: Key Trends in 2023
CERT-EU | 8 months ago | Cyber Security Week In Review: November 17, 2023
CERT-EU | 8 months ago | SysAid Zero-Day Vulnerability Exploited by Threat Actors
CERT-EU | 8 months ago | Clop ransomware gang targets SysAid server bug
CERT-EU | 8 months ago | CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
InfoSecurity-magazine | 8 months ago | MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
CERT-EU | 9 months ago | Netskope Threat Labs report says highest percentage of cybercrime activity originates in Russia
CERT-EU | 9 months ago | Criminal groups focus on Australia and US
CERT-EU | 9 months ago | TA505 Hacker's Sneaky RMS Tool Phishing Campaign Detected
CERT-EU | 10 months ago | Clop at the top – but for how long? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 10 months ago | Clop at the top – but for how long?
CERT-EU | 10 months ago | Cyber Security Week in Review: September 8, 2023
CERT-EU | a year ago | Illinois a victim of CL0P's MOVEit ransomware attack | #ransomware | #cybercrime | National Cyber Security Consulting