TA551

Threat Actor Profile (updated 2 months ago)
TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group active in the cybercrime landscape. It has been linked to the distribution of several malware families, including QakBot, IcedID, Emotet, Bumblebee, Gozi, and other malicious software. TA551 has partnered with elite cybercrime gangs and maintains relationships with other threat actors such as ITG23, which extends its capabilities and reach. The first use of an ITG23 crypter with the Gozi banking trojan was observed in April 2022 and was traced back to a campaign operated by Hive0106 (TA551). Since late February 2022, at least one ITG23 crypter has been used repeatedly with the Qakbot banking trojan and at least once with the Gozi banking trojan, likely delivered by the ITG23 distribution affiliate TA551. These observations show TA551 continuously adopting new tools and techniques for its operations. TA551 has also been identified as potentially behind the SVCReady campaigns: the templates and document builders used by TA551 resemble those used in SVCReady campaigns, as do the file names of the documents used to deliver both, and the domains that hosted the malware for both campaigns can be traced back to TA551, indicating a possible link. TA551 activity was last seen at the end of January 2022, but given its history and partnerships it remains a significant threat in the cybersecurity landscape.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
ID | Votes | Profile Description
Hive0106 | 2 | Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive
ITG23 | 2 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
SVCReady | 2 | SVCReady is a relatively new malware family first observed in malicious spam campaigns at the end of April 2022. This harmful software, designed to exploit and damage computers or devices, was initially unknown but has since been identified through IDS rules published by Proofpoint. The malware infe
Shathak | 1 | Shathak, also known as TA551 and UNC2420, is a threat actor that was particularly active in the cybersecurity landscape from April to November 2020. This entity is recognized for its email-based malware distribution campaigns, often targeting English-speaking victims. Shathak utilizes a distinc
Zevs | 1 | Zevs is a threat actor identified as being affiliated with the prominent distribution group Hive0106 (also known as TA551). This affiliation was revealed through leaked chats, where there were several instances of Bentley delivering crypted malware samples to affiliates and partners such as Cherry,
Unc2420 | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Malware Payl...
Ransomware
Proofpoint
Crypter
Github
Phishing
Cobalt Strike
Trojan
Spam
Cybercrime
Associated Malware
ID | Type | Votes | Profile Description
IcedID | Unspecified | 3 | IcedID is a type of malware, or malicious software, designed to exploit and harm computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, IcedID can steal personal information, disrupt operations, or even hold dat
Wikiloader | Unspecified | 3 | WikiLoader is a sophisticated malware, first documented by Proofpoint in August 2023, primarily targeting organizations through email campaigns. The malware often exploits themes like overdue deliveries or shipping invoices to trick users into interacting with infected content. A notable campaign wa
Ursnif | Unspecified | 2 | Ursnif, also known as Gozi or ISFB, is a type of malware that poses significant threats to computer systems and user data. It's often distributed through suspicious downloads, emails, or websites, infiltrating systems without the user's knowledge. Once installed, Ursnif can steal personal informatio
QakBot | Unspecified | 2 | Qakbot, also known as QBot, is a versatile piece of malware capable of executing several malicious activities such as brute-forcing, web injects, and loading other types of malware. It's often used to steal credentials and gather information, with the cybercriminal group Black Basta being one notabl
TrickBot | Unspecified | 1 | TrickBot is a form of malware, or malicious software, that infiltrates systems to exploit and damage them. It can enter a system via dubious downloads, emails, or websites, often without the user's knowledge. Once inside, TrickBot can steal personal information, disrupt operations, or even hold d
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Netwalker | Unspecified | 1 | NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Valak | Unspecified | 1 | Valak is a type of malware, or malicious software, that infiltrates systems to exploit and damage them. It was distributed by threat actor TA551, which has historically pushed various families of information-stealing malware such as Ursnif and IcedID. Valak, in particular, is known as a malware down
Ursnif Gozi/isfb | Unspecified | 1 | None
Bumblebee | Unspecified | 1 | Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters with families such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Gozi | Unspecified | 1 | Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as the Pikabot botnet agent and the IcedID information stealer. When an individual accesses a c
Associated Threat Actors
ID | Type | Votes | Profile Description
Ta544 | Unspecified | 3 | TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, als
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TA551 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 7 months ago | Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
MITRE | 7 months ago | SVCReady: A New Loader Gets Ready | HP Wolf Security
SecurityIntelligence.com | 8 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
Securityaffairs | a year ago | WikiLoader malware-as-a-service targets Italian organizations
CERT-EU | 9 months ago | Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors
CERT-EU | a year ago | Novel attack infrastructure established by Russian hackers to bypass detection
CERT-EU | a year ago | Russia, Serbia targeted by Space Pirates threat group
CERT-EU | a year ago | Python versions of stealer malware discovered targeting Facebook business accounts
CERT-EU | a year ago | Novel WikiLoader malware examined
CERT-EU | a year ago | Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware
BankInfoSecurity | a year ago | New Malware WikiLoader Targeting Italian Organizations
SecurityIntelligence.com | a year ago | The Trickbot/Conti Crypters: Where Are They Now?
CERT-EU | a year ago | Proofpoint: ecco come il cybercrime colpisce l’Italia | Il corriere della sicurezza (Proofpoint: here is how cybercrime hits Italy)
MITRE | a year ago | TA551: Email Attack Campaign Switches from Valak to IcedID
MITRE | a year ago | Evolution of Valak, from Its Beginnings to Mass Distribution
MITRE | a year ago | The rise of QakBot
CSO Online | a year ago | Researchers warn of two new variants of potent IcedID malware loader