TA551

Threat Actor updated 7 months ago (2024-05-04T18:18:30.759Z)
Download STIX
Preview STIX
TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other malicious software. TA551 has partnered with elite cybercrime gangs and has established relationships with other threat actors such as ITG23, further extending its capabilities and reach. The first use of an ITG23 crypter with the Gozi banking trojan was observed in April 2022, which was traced back to a campaign operated by Hive0106 (TA551). Since late February 2022, at least one ITG23 crypter has been repeatedly used with the Qakbot banking trojan and at least once with the Gozi banking trojan, likely delivered by the ITG23 distribution affiliate TA551. These actions indicate TA551's continuous evolution and adaptation of new techniques and tools for their operations. In addition to these activities, TA551 has been identified as potentially being behind the SVCReady campaigns. Similarities were found between the templates and document builders used by TA551 and those used in SVCReady campaigns, as well as between the file names of the documents used to deliver both. The domains used to host the malware for both campaigns can also be traced back to TA551, indicating a possible link. TA551 activity was last seen at the end of January 2022, but given its history and partnerships, it remains a significant threat in the cybersecurity landscape.
Description last updated: 2024-05-04T17:18:45.009Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Hive0106 is a possible alias for TA551. Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive
2
SVCReady is a possible alias for TA551. SVCReady is a relatively new malware family first observed in malicious spam campaigns at the end of April 2022. This harmful software, designed to exploit and damage computers or devices, was initially unknown but has since been identified through IDS rules published by Proofpoint. The malware infe
2
ITG23 is a possible alias for TA551. ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The IcedID Malware is associated with TA551. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of dUnspecified
3
The Wikiloader Malware is associated with TA551. WikiLoader, also known as WailingCrab, is a downloader malware first discovered in 2022 by Proofpoint and made public in 2023. This sophisticated malicious software is typically sold in underground marketplaces by an initial access broker (IAB) and is often spread through traditional phishing techniUnspecified
3
The Ursnif Malware is associated with TA551. Ursnif, also known as Gozi or ISFB, is a type of malware that has been distributed by threat actor group TA551. This harmful software can infiltrate systems via suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or even hold data for raUnspecified
2
The QakBot Malware is associated with TA551. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by dUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Ta544 Threat Actor is associated with TA551. TA544 is a financially motivated, advanced persistent threat (APT) actor that has been tracked by cybersecurity firm Proofpoint and others since at least 2017. This malicious actor typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan, alsUnspecified
3
Source Document References
Information about the TA551 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
MITRE
a year ago
MITRE
a year ago
SecurityIntelligence.com
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
SecurityIntelligence.com
a year ago
CERT-EU
a year ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
CSO Online
2 years ago