TA551

Threat Actor updated 4 months ago (2024-05-04T18:18:30.759Z)
TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that operates as a malware distribution affiliate. It has been linked to the delivery of QakBot, IcedID, Emotet, Bumblebee, Gozi (Ursnif/ISFB), and other malware families, typically through email campaigns that carry malicious document attachments.

TA551 has partnered with established cybercrime groups, most notably ITG23 (the Trickbot/Conti syndicate), which extends its capabilities and reach. ITG23 crypters have been observed on payloads that TA551 delivers: since late February 2022, at least one ITG23 crypter has been used repeatedly with the QakBot banking trojan and at least once with the Gozi banking trojan, most likely delivered by TA551 in its role as an ITG23 distribution affiliate. The first observed use of an ITG23 crypter with Gozi, in April 2022, was traced back to a campaign operated by Hive0106 (TA551). The adoption of these crypters shows TA551 continuing to take on new tools and techniques from its partners.

TA551 has also been identified as the likely operator of the SVCReady campaigns. The document templates and document builders used in SVCReady campaigns match those used by TA551, the file names of the delivery documents are similar, and the domains that host the malware for both sets of campaigns can be traced back to TA551.

TA551 activity was last seen at the end of January 2022, but given its history and partnerships it remains a significant threat.
Description last updated: 2024-05-04T17:18:45.009Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be relevant.
ID (votes): Profile description

Hive0106 (2 votes): Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by IBM X-Force. Hive0106's primary role is as a distribution affiliate …

SVCReady (2 votes): SVCReady is a relatively new malware family (a loader) first observed in malicious spam campaigns at the end of April 2022. It was initially unattributed but has since been identified through IDS rules published by Proofpoint. …

ITG23 (2 votes): ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is known for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample …
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Associated Malware
ID (association type, votes): Profile description

IcedID (Unspecified, 3 votes): IcedID is a malware family that has been linked to various cybercrime operations. It can reach systems via suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or hold data for ransom. IcedID has been associated with …

WikiLoader (Unspecified, 3 votes): WikiLoader is a sophisticated loader that has been used in notable campaigns identified by HP Wolf Security. It abuses open redirect vulnerabilities in legitimate websites to evade detection, a tactic known as "cat-phishing". The malware has been particularly active in Italy, where it is being used …

Ursnif (Unspecified, 2 votes): Ursnif, also known as Gozi or ISFB, is a banking trojan that poses a significant threat to computer systems and user data. It is often distributed through suspicious downloads, emails, or websites and infiltrates systems without the user's knowledge. Once installed, Ursnif can steal personal information …

QakBot (Unspecified, 2 votes): QakBot (Qbot) is a banking trojan turned loader that has been linked to various cybercriminal activities and dates back to around 2007. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used QakBot extensively in sophisticated phishing campaigns. …
Associated Threat Actors
ID (association type, votes): Profile description

TA544 (Unspecified, 3 votes): TA544 is a financially motivated threat actor that has been tracked by Proofpoint and others since at least 2017. It typically uses Ursnif malware to target organizations, predominantly in Italy and Japan. The Ursnif banking trojan …
Source Document References
Information about the TA551 threat actor was read from the documents corpus below. This display is limited to 20 results.
Title (Source, created)

Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds (MITRE, 9 months ago)
SVCReady: A New Loader Gets Ready | HP Wolf Security (MITRE, 9 months ago)
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (SecurityIntelligence.com, 10 months ago)
WikiLoader malware-as-a-service targets Italian organizations (Securityaffairs, a year ago)
Virus Bulletin :: Teasing the secrets from threat actors: malware configuration extractors (CERT-EU, a year ago)
Novel attack infrastructure established by Russian hackers to bypass detection (CERT-EU, a year ago)
Russia, Serbia targeted by Space Pirates threat group (CERT-EU, a year ago)
Python versions of stealer malware discovered targeting Facebook business accounts (CERT-EU, a year ago)
Novel WikiLoader malware examined (CERT-EU, a year ago)
Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware (CERT-EU, a year ago)
New Malware WikiLoader Targeting Italian Organizations (BankInfoSecurity, a year ago)
The Trickbot/Conti Crypters: Where Are They Now? (SecurityIntelligence.com, a year ago)
Proofpoint: here is how cybercrime hits Italy | Il corriere della sicurezza (CERT-EU, a year ago; title translated from Italian)
TA551: Email Attack Campaign Switches from Valak to IcedID (MITRE, 2 years ago)
Evolution of Valak, from Its Beginnings to Mass Distribution (MITRE, 2 years ago)
The rise of QakBot (MITRE, 2 years ago)
Researchers warn of two new variants of potent IcedID malware loader (CSO Online, a year ago)