TA577 (Cybercriminals) – Threat Actor

February 16, 2025
Reading Time: 4 mins read
in Threat Actors

TA577

Other Names: Hive0118
Location: Russia
Date of initial activity: 2020
Suspected Attribution: Cybercriminals
Motivation: Financial Gain
Software: Windows

Overview

TA577 is a prolific and highly active cybercrime threat actor that has been tracked by Proofpoint since mid-2020. Known for its wide-reaching campaigns across various industries and geographies, TA577 has established itself as a significant player in the world of cybercrime. This group is notorious for its use of sophisticated techniques and multiple malware families, including Qbot, IcedID, Ursnif, and SystemBC, to carry out its attacks. TA577’s operations often start with phishing emails that contain malicious Microsoft Office attachments, exploiting macro vulnerabilities to download and execute malware on compromised systems. One of the key tactics used by TA577 is the delivery of IcedID, a well-known banking trojan, which it deploys to gain initial access to victim networks. This access is often a stepping stone for later stages of the attack, including ransomware deployment. Proofpoint has high confidence that TA577 was behind several Sodinokibi ransomware infections, where IcedID was used as the initial malware payload. The group’s ability to successfully infiltrate organizations and deliver subsequent stages of malware underscores the ongoing threat they pose to industries worldwide.

Common targets

  • Information
  • Public Administration
  • United States

Attack Vectors

  • Phishing

How they operate

TA577 operates as a multi-stage threat actor capable of executing intricate, large-scale cyberattacks. The group primarily uses phishing emails containing malicious attachments, often Microsoft Office documents with macros, as the initial vector for compromise. When the victim opens the infected attachment and enables macros, the payload executes; it typically involves malware such as IcedID, Ursnif, or Qbot. These trojans act as initial access tools, granting TA577 control over the victim’s network.

Once IcedID or a similar trojan is running on a compromised system, TA577 uses it to establish persistence and extend its control over the network. IcedID, for example, is often used to download additional payloads, including ransomware, from the threat actor’s command-and-control (C2) infrastructure. The malware acts as a conduit for further exploitation, enabling the group to carry out additional stages such as data theft, lateral movement and, most critically, ransomware deployment. IcedID also facilitates the deployment of secondary tools like Cobalt Strike, which let the actor expand its foothold in the targeted network and proceed with later stages of the attack.

TA577’s pairing of phishing campaigns with banking trojans is not a one-off but a well-established attack chain that the group frequently replicates. In many observed attacks, TA577 uses IcedID to deliver ransomware payloads such as Sodinokibi (REvil): the malware downloads the ransomware from a remote server and executes it on the victim’s system, encrypting critical data and demanding a ransom for decryption. The group’s use of banking trojans as “loaders” for ransomware shows its ability to adapt and integrate different tools into a seamless attack strategy.

Additionally, TA577 has been observed using custom, encrypted communication channels to control infected systems, allowing it to exfiltrate sensitive data or escalate the attack without detection. Its operations extend beyond phishing emails and malware loaders: the group is also known for social engineering, such as impersonating trusted entities in its phishing campaigns. These campaigns often exploit current events or a target organization’s specific business practices to maximize the likelihood of successful infection. The phishing emails are designed to look legitimate, posing as invoices, tax documents or security updates, so that victims are more likely to take the bait.

A defining feature of TA577 is its continued evolution. As the group learns from past attacks and adapts to new defenses, it continuously refines its techniques and tools. In particular, the use of banking trojans like IcedID followed by ransomware deployment represents a significant shift in the tactics employed by cybercriminals. The group’s success lies in blending tried-and-true malware techniques with newer attack methodologies, allowing it to evade detection and increase its chances of profiting from each compromise.

In conclusion, TA577 is a versatile and dynamic threat actor whose operations are technically complex and multifaceted. By combining phishing, malware distribution, lateral movement and ransomware deployment, TA577 operates as a highly effective and dangerous cybercriminal group. Its persistence and adaptability make it an enduring threat to businesses, governments and other organizations worldwide. Organizations must stay alert to these evolving tactics and invest in robust security measures to detect and respond to such attacks.
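The chain described above starts with a macro-bearing Office attachment and continues with an Office process launching a loader. Two defensive checks map directly onto those first steps: a static triage of inbound attachments for VBA projects, and a process-tree rule for Office applications spawning script hosts. The following is an added example written for this page; it is not code from CyberMaterial or Proofpoint. The log format, the host/parent/image field names, the lists of Office parents and script hosts, and the sample documents and log lines are all constructed assumptions.

```python
import io
import re
import zipfile

# Assumed names: none of these come from the page or from Proofpoint's
# reporting; they are illustrative defensive choices.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
MACRO_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def classify_attachment(data: bytes) -> str:
    """Static macro check for an Office attachment.

    Returns "macro" (OOXML with a VBA project or macroEnabled content type),
    "clean" (OOXML without either), "legacy-ole" (binary .doc/.xls, which this
    zip check cannot clear, so route it to a sandbox) or "not-office".
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            by_lower = {name.lower(): name for name in zf.namelist()}
            if any(part in by_lower for part in MACRO_PARTS):
                return "macro"
            ct_name = by_lower.get("[content_types].xml")
            if ct_name is None:
                return "not-office"          # a zip, but not an OOXML package
            if b"macroenabled" in zf.read(ct_name).lower():
                return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "not-office"


# Assumed (hypothetical) process-creation log format with key="value" fields.
LOG_RE = re.compile(r'host=(?P<host>\S+)\s+parent="(?P<parent>[^"]+)"\s+image="(?P<image>[^"]+)"')


def office_spawning_script_host(log_lines):
    """Flag Office applications spawning script hosts or system utilities.

    This is the process-tree signal of a macro-launched loader stage; it fires
    before any C2 traffic exists to inspect.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parent = m.group("parent").rsplit("\\", 1)[-1].lower()
        child = m.group("image").rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append({"host": m.group("host"), "parent": parent, "child": child})
    return hits


# --- constructed sample data (not real artifacts) ---------------------------
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE_DOCX = _build_ooxml({"[Content_Types].xml": "<Types/>",
                            "word/document.xml": "<w:document/>"})
SAMPLE_DOCM = _build_ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,     # placeholder bytes, not a real VBA project
})
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 24

SAMPLE_LOGS = [
    r'2025-02-16T10:01:02Z host=WS01 parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'2025-02-16T10:01:09Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\cmd.exe"',
    r'2025-02-16T10:01:10Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe"',
    r'2025-02-16T10:05:44Z host=WS02 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\rundll32.exe"',
    r'2025-02-16T10:06:00Z host=WS03 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe"',
]

if __name__ == "__main__":
    for label, doc in (("docx", SAMPLE_DOCX), ("docm", SAMPLE_DOCM), ("ole", SAMPLE_OLE)):
        print(label, "->", classify_attachment(doc))
    for hit in office_spawning_script_host(SAMPLE_LOGS):
        print("ALERT office-spawned-script-host", hit)
```

The attachment check deliberately refuses to call a legacy OLE file clean, because VBA in .doc/.xls lives in an OLE stream rather than a zip part; the process rule ignores benign Office children such as the print helper splwow64.exe and only fires on the parent/child pairs listed, so the sample produces two alerts (WINWORD to cmd.exe, EXCEL to rundll32.exe).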
References:
  • The First Step: Initial Access Leads to Ransomware
Tags: Cybercrime, Cybercriminals, Hive0118, IcedID, Microsoft, Phishing, Proofpoint, Qbot, Ransomware, Sodinokibi, SystemBC, TA577, Threat Actors, United States, Ursnif, Vulnerabilities, Windows
    © 2025 | CyberMaterial | All rights reserved