TA505

Also known as: SectorJ04, SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear, G0092, ATK103, Hive0065, CHIMBORAZO, Spandex Tempest, TA505

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

🌍 Country Russia
Education Finance Health Retail Hospitality

Targeted Victims

Australia Canada Czech Republic Germany Hungary India Japan Romania Serbia Singapore South Korea Spain Thailand Turkey United Kingdom United States

Introduction

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

Activities and Tactics

Targeted Sectors: Education, Finance, Health, Retail, Hospitality

Country of Origin: πŸ‡·πŸ‡Ί Russia

Suspected Victims: Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore…

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Trojan.Karagany
  • Trojan.Mebromi
  • CyberGate
  • Cyber Eye RAT

Attribution and Evidence

Country of Origin: Russia Additional attribution information pending cataloguing.

References

References pending cataloguing.