TA544

Threat Actor Profile Updated 20 days ago
TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, also known as Gozi, is among the variety of malware tools that TA544 has deployed over the years. More recently, TA544 has been associated with the distribution of a sophisticated second-stage downloader called WikiLoader. Throughout 2022, TA544 was observed targeting Italian organizations with IcedID and Ursnif. In December 2022, Proofpoint first identified WikiLoader being delivered by TA544, primarily aimed at Italian firms. Following this initial identification, multiple subsequent campaigns were observed, the majority of which continued to target Italian organizations. These operations were part of broader phishing campaigns that also involved another threat actor, TA551. In addition to these activities, TA544 has been implicated in abusing the vulnerability CVE-2023-36025, as reported by a Proofpoint researcher. This abuse was part of a campaign involving Remcos, a remote access Trojan used by various threat actors over the years to remotely control and monitor compromised Windows devices. This activity coincided with a surge in campaigns distributing DarkGate and PikaBot, where TA544 leveraged new variants of loader malware, such as IDAT Loader, to deploy Remcos RAT or SystemBC malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Ursnif
5
Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
Wikiloader
4
WikiLoader is a sophisticated malware, first documented by Proofpoint in August 2023, primarily targeting organizations through email campaigns. The malware often exploits themes like overdue deliveries or shipping invoices to trick users into interacting with infected content. A notable campaign wa
IcedID
2
IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
Gozi
2
Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
Systembc
1
SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Narwal Spider
1
None
Pikabot
1
PikaBot is a harmful malware that emerged in 2023, designed to exploit and damage computer systems. It infiltrates systems through dubious downloads, emails, or websites, often undetected by the user. Once inside a system, PikaBot can pilfer personal information, disrupt operations, or even ransom d
Darkgate
1
DarkGate is a malicious software (malware) known for its harmful impact on computer systems and devices. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data host
Remcos
1
Remcos is a software tool that can be used benignly or maliciously as part of a cyber attack. It has been frequently observed in recent campaigns, often being the most common payload, according to X-Force. Other Remote Access Trojans (RATs) such as njRAT and AsyncRAT have also been utilized, but Rem
Bamboo Spider
1
None
Zeus Panda
1
Zeus Panda is a malicious software (malware) known for its disruptive capabilities. It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operat
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Proofpoint
Loader
Downloader
Windows
Ransomware
Banking
Remcos
Phishing
Loader Malware
Malware Loader
Apt
Vulnerability
Associated Malware
ID | Type | Votes | Profile Description
Bumblebee | Unspecified
1
Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
WailingCrab | Unspecified
1
The WailingCrab malware, first observed in December 2022, has been used extensively in email campaigns to deliver the Gozi backdoor, primarily targeting Italian entities. The malware's attack chains start with emails containing PDF attachments with URLs that download a JavaScript file when clicked.
QakBot | Unspecified
1
Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
Emotet | Unspecified
1
Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Associated Threat Actors
ID | Type | Votes | Profile Description
TA551 | Unspecified
3
TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-36025 | Unspecified
1
CVE-2023-36025 is a significant vulnerability, representing a flaw in the design or implementation of Microsoft's Windows SmartScreen security feature. This vulnerability was discovered as one of three zero-days affecting Microsoft Windows and Server. The exploit begins with the execution of a malic
Source Document References
Information about the TA544 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading
8 months ago
Exploit for Critical Windows Defender Bypass Goes Public
CSO Online
a year ago
Researchers warn of two new variants of potent IcedID malware loader
CERT-EU
6 months ago
New JinxLoader Targeting Users with Formbook and XLoader Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
a year ago
Novel attack infrastructure established by Russian hackers to bypass detection
CERT-EU
a year ago
Russia, Serbia targeted by Space Pirates threat group
CERT-EU
a year ago
Out of the Sandbox : WikiLoader Digs Sophisticated Evasion – Global Security Mag Online
DARKReading
8 months ago
Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw
CERT-EU
4 months ago
New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious PDFs
CERT-EU
6 months ago
JinxLoader Malware: Next-Stage Payload Threats Revealed
SecurityIntelligence.com
a year ago
The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU
a year ago
Novel WikiLoader malware examined
CERT-EU
a year ago
Python versions of stealer malware discovered targeting Facebook business accounts
Securityaffairs
a year ago
WikiLoader malware-as-a-service targets Italian organizations
CERT-EU
8 months ago
Updated WailingCrab malware loader ups stealth
CERT-EU
a year ago
Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware
BankInfoSecurity
a year ago
New Malware WikiLoader Targeting Italian Organizations