Analyst note: Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed for long enough to receive a numerical TA designation. This report reflects Proofpoint Threat Research’s observations as of the date of publication and does not constitute geopolitical analysis or policy commentary.  What happened  On 28 February 2026, the US and Israel conducted strikes targeting assets inside Iran, in a campaign the US called Operation Epic Fury. According to public sourcing, the attacks targeted Iranian missiles and air defenses, other military infrastructure, and Iranian leadership. Iran responded with retaliatory missile and drone strikes in the region, targeting US embassies and military installations.  As the war continues into its second week, several Iranian hacktivist groups and personas have claimed responsibility for various disruptive operations. Iranian espionage-focused threat groups remain somewhat active despite the Iranian government’s shutdown of the internet immediately following the initial US and Israeli attacks. For instance, on 8 March, Proofpoint observed the Iran-aligned threat actor TA453 (Charming Kitten, Mint Sandstorm, APT42) conduct a credential phishing attempt against a US thinktank target. The email correspondence culminating in this credential phishing attempt commenced prior to the beginning of the conflict, indicating that TA453 is continuing to prioritize intelligence collection against its traditional target set.  While it is unclear how wider Iranian cyber operations will continue, Proofpoint Threat Research has also observed an increase in campaigns from other state-sponsored threat actors targeting Middle East government organizations since the war began. These campaigns were conducted by both known groups and previously unobserved actors, with suspected attribution to China, Belarus, Pakistan, and Hamas. The campaigns heavily relied on aspects of the conflict as topical lure content to engage the targets and often used compromised accounts belonging to government organizations to send phishing emails. Proofpoint assesses that this activity reflects a mixture of threat actors opportunistically using the war as lure content to conduct routine operations and those with an increased focus on intelligence collection targeting Middle Eastern government and diplomatic entities.  Campaign #1: UNK_InnerAmbush  In early March 2026, the suspected China-aligned threat actor UNK_InnerAmbush conducted a phishing campaign targeting Middle Eastern government and diplomatic organizations. The emails were sent from a likely compromised email address "uzbembish@elcat[.]kg" and linked to a Google Drive URL. The initial wave began on March 1, one day after the conflict began. The theme of phishing emails observed in this initial wave was Ayatollah Khamenei’s death with an attempt to share sensitive images from the US “Department of Foreign Affairs”. Later waves purported to share evidence that “Israel prepares to attack Gulf oil and gas infrastructure to frame Iran.”  Figure 1.UNK_InnerAmbush phishing email linking to archive hosted on Google Drive.  The Google Drive URL hosted a password protected ZIP or RAR archive named "Photos from the scene.rar" or "Strike at Gulf oil and gas facilities.zip". These archives contained several Microsoft Shortcut (LNK) files disguised as JPG images, which run a loader executable stored within a hidden subfolder.  A decoy image is shown to the user, and the loader executes a benign signed executable vulnerable to DLL sideloading ("nvdaHelperRemoteLoader.exe"). Upon execution, "nvdaHelperRemoteLoader.exe" loads the malicious loader DLL "nvdaHelperRemote.dll" which decrypts a Cobalt Strike payload from WinHlp.hlp and loads it into memory. The Cobalt Strike payload uses a customized malleable C&C profile and communicates with the C&C domain "support.almersalstore[.]com".  The phishing emails also contained unique tracking pixels hosted on a likely compromised website to track target engagement. These were in the format: "hxxps://deepdive.hypernas[.]com/hypernas/api/page.php?uid= <target-email-address>".  Campaign #2: TA402  In early March 2026, TA402 (Frankenstein, Cruel Jackal) targeted a Middle Eastern government entity with an email credential phishing campaign. The actor used a compromised Ministry of Foreign Affairs of Iraq sender account ("ban.ali@mofa.gov[.]iq") and an attacker-controlled account ("nqandeel04@gmail[.]com") to send the phishing emails. The emails had conflict-themed subjects referencing a potential US ground operation in Iran and a Gulf military alliance to confront Iranian threats.  The emails contained a URL that selectively served either a decoy PDF or a credential harvesting page depending on the target’s IP geolocation.  The actor-controlled site was designed to impersonate Microsoft Outlook Web Application (OWA):  "hxxps[:]//mail[.]iwsmailserver[.]com/owa/auth/logon.aspx?uid=<target_specific_uuid>"  Figure 2. TA402 Outlook Web App (OWA) phish hosted on iwsmailserver[.]com.  If the target enters credentials, the values are sent via HTTP POST to an authentication endpoint on the same host.  Campaign #3: UNK_RobotDreams  On 5 March 2026, a suspected Pakistan-aligned actor Proofpoint calls UNK_RobotDreams sent spearphishing emails to India-based offices of Middle East government organizations. The email was sent from an Outlook freemail address impersonating India's Ministry of External Affairs: "jscop.mea.gov.in@outlook[.]com". The email used the subject “Gulf Security Alert: Iran Retaliation Impacts” referencing the Iran war to increase credibility and urgency.  The emails delivered a PDF attachment containing a blurred decoy and a fake Adobe Reader button.  Figure 3. UNK_RobotDreams PDF attachment leading to executable hosted on defenceprodindia[.]site.  Clicking the button redirected the victim to an actor-controlled URL: "hxxps://defenceprodindia[.]site/server.php?file=Reader_en_install". The URL implemented geofencing and served a decoy PDF to users outside the target region and an EXE payload to intended targets.  The downloaded executable ("Reader_en_install.exe") functioned as a .NET loader that used PowerShell (via "conhost.exe") to retrieve a Rust backdoor from the C&C host "endpoint1-b0ecetbuabcdg9cp[.]z01[.]azurefd[.]net", which was written to a file named "VLCMediaPlayer.exe". The Rust backdoor performed host fingerprinting and communicated with command and control using the same Azure Front Door hosted infrastructure.  This campaign and infrastructure overlapped with public reporting by Bitdefender; however, Proofpoint does not currently track the activity as a named actor.  Campaign #4: UNK_NightOwl  On 2 March 2026, a suspected state-aligned actor that Proofpoint Threat Research calls UNK_NightOwl sent emails from both a likely compromised account and an attacker-owned freemail account to a government ministry in the Middle East. The compromised account appears to belong to the Ministry of Emergency and Disaster Management in Syria ("ali.mo@med.gov[.]sy"), and the freemail account was for a fake organization called War Analyse Ltd ("war.analyse.ltd@outlook[.]com"). The attackers targeted a government ministry in the Middle East and referred to the conflict in the Middle East as a lure topic with the subject “About Escalating Situation.”  The emails included a domain that spoofed Microsoft OneDrive, but the URL led to a Microsoft Outlook Web Application (OWA)-themed credential harvesting page. The URL was target-specific with a client ID showing a fake session error and prompting the target to sign in again: "hxxps://iran.dashboard.1drvms[.]store/errors/sessionerrors/expire?client=<redacted>" Figure 4. UNK_NightOwl OWA credential phishing site hosted on 1drvms[.]store.  If the user enters credentials and clicks the sign in button, the target is redirected to "hxxps://iran.liveuamap[.]com/", a legitimate open-source platform called Liveuamap with news updates on the Middle East conflict.  Figure 5. Redirection to iran.liveuamap[.]com after target enters credentials.  Proofpoint attributes this campaign to a new cluster called UNK_NightOwl as the observed activity does not align with any currently tracked actors.  Campaign # 5: TA473  Between 3-5 March 2026, the Belarus-aligned threat actor TA473 (Winter Vivern) sent emails to government organizations in Europe and the Middle East. These messages originated from likely compromised infrastructure and purported to be a European Council President spokesperson. The phishing emails contained a HTML attachment titled "european union statement on the situation in iran and the middle east.html". Notably, Proofpoint has not previously observed TA473 targeting Middle Eastern government organizations.  Figure 6. TA473 phishing email spoofing spokesperson for the European Council President.  The HTML file, if opened, displays a decoy image to the user and conducts HTTP request to a URL of the format "hxxps://unityprogressall[.]org/imagecontent/getimgcontent.php?id=<target-email-address>". Proofpoint Threat Research was unable to retrieve any next-stage payloads at the time of analysis. Based on the HTML content, these HTTP requests were likely intended for tracking purposes rather than delivering follow-on malicious payloads.  Campaign #6: TA453  Proofpoint’s tracking of known Iranian actors has surfaced only one campaign so far since the beginning of the war. In late February into early March, Iran-aligned actor TA453 (Charming Kitten, Mint Sandstorm, APT42) used an attacker-owned freemail account "McManus.Michael@hotmail[.]com" spoofing Michael McManus, the head of research at the Henry Jackson Society, to target an individual at a thinktank in the US.  The initial thread had begun prior to the war as part of typical TA453 espionage activity with a benign email invitation sent to a target’s personal account in February. The email exchange then continued with further targets' corporate accounts after the war, suggesting that TA453 is maintaining its intelligence collection efforts during the ongoing conflict.  The email was themed around an invitation to participate in a roundtable on air defense in the Middle East. Part of the benign outreach included a OneDrive link to a benign PDF ("Air Defense Depletion & Deterrence in the Middle East.pdf") with the proposal for the roundtable to support a credible lure.  "hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd"  Figure 7. Benign OneDrive link hosting PDF proposal for Henry Jackson Society roundtable.  Once a rapport had been established with the target, the following email in the exchange included a malicious URL disguised as a link to another PDF called "Air Defense Depletion & Deterrence in the Middle East-Event Overview.pdf".  The URL used an attacker-owned domain ("transfergocompany[.]com") that then redirected to a OneDrive-themed credential phishing page hosted on the cloud-hosting service Netlify ("fileportalshare.netlify[.]app") pre-filled with the target’s email.  Figure 8. OneDrive spoofing credential phishing landing page.  Why it matters  As the conflict involving Iran and regional actors continues, the operations of Iranian threat actors remain a mix of traditional espionage and disruptive campaigns in support of war efforts. Proofpoint also observed a range of non-Iranian threat groups targeting Middle Eastern governments with conflict-themed social engineering. While several of these groups incorporated the war-themed lure content in operations that are largely consistent with typical targeting remits, others demonstrated a shift toward intelligence collection against Middle Eastern government and diplomatic entities. This likely reflects an effort to gather regional intelligence on the standing, trajectory, and broader geopolitical implications of the conflict. This suggests the conflict is being used both as a topical social engineering pretext and a driver of collection priorities for a range of state-aligned threat actors.  Indicators of compromise  UNK_InnerAmbush  Indicator   Type   Description   First Seen    uzbembish@elcat[.]kg  Email address  Sender email (likely compromised)  March 2026  fed6ebb87f7388adf527076b07e81dfa432bac4e899b0d7af17b85cc0205ffad  SHA256  Photos from the scene.rar  March 2026  a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d  SHA256  Strike at Gulf oil and gas facilities.zip  March 2026  dfaaaf75147afbd57844382c953ec7ef36f68a9c17c66a47a847279a6b1109c9  SHA256  _1c9fe357-a209-4c71-923f-34acd3d337a5.jpg.lnk  March 2026  4b9661092051839496c04169ccb52b659c0f65cefd14a990e23565a0c0e8eeaf  SHA256  20260301_100324.jpg.lnk  March 2026  d518262dd687a48f273966853f3ed4eb7404eb918b165bb71ff83f75962c0104  SHA256  LaunchWlnApp.exe  March 2026  b58ec14b0119182aef12d153280962ad76c30e3cd67533177d55481704eba705  SHA256  OfficeClickToRun.scr  March 2026  7b6d69a249fe2adf43eefc31cdeca62cf48ab428fcbf199322feeb99d24fb001  SHA256  nvdaHelperRemote.dll  March 2026  a8acb9864e6f64323ed75e69038ca9bfe76f7b1b0d24ec7df8ac07b6dbd641a3  SHA256  nvdaHelperRemote.dll  March 2026  14efa1194cc4c6aa5585d63c032268794364123d41a01121cbd5e56f7c313399  SHA256  WinHlp.hlp  March 2026  support.almersalstore[.]com  Hostname  Cobalt Strike C&C  March 2026  almersalstore[.]com  Domain  Cobalt Strike C&C  March 2026    TA402  Indicator   Type   Description   First Seen    ban.ali@mofa.gov[.]iq  Email address  Sender email (likely compromised)  March 2026  nqandeel04@gmail[.]com  Email address  Sender email  March 2026  hxxps://mail.iwsmailserver[.]com/owa/auth/logon.aspx?uid=<target_specific_uuid>  URL  OWA credential phishing URL format  March 2026  iwsmailserver[.]com  Domain  TA402-controlled domain  March 2026    TA473  Indicator   Type   Description   First Seen    maria.tomasik@denika[.]se  Email address  Sender email (likely compromised infrastructure)  March 2026  hxxps://unityprogressall[.]org/imagecontent/getimgcontent.php?id=<target-email-address>  URL  URL format contacted by HTML attachment  March 2026  unityprogressall[.]org  Domain  TA473-controlled domain  March 2026  72.60.90[.]32  IP address  Hosting IP address for unityprogressall[.]org  March 2026    UNK_NightOwl  Indicator  Type  Description  First Seen  war.analyse.ltd@outlook[.]com  Email address  Sender email  March 2026  ali.mo@med.gov[.]sy  Email address  Sender email (likely compromised)  March 2026  hxxps://iran.dashboard.1drvms[.]store/errors/sessionerrors/expire?client=[redacted]  URL  Credential harvesting page  March 2026      UNK_RobotDreams  Indicator  Type  Description  First Seen  jscop.mea.gov.in@outlook[.]com  Email address  Sender email  March 2026  hxxps://defenceprodindia[.]site/server.php?file=Reader_en_install  URL  Delivery URL  March 2026  defenceprodindia[.]site  Domain  UNK_RobotDreams-controlled domain  March 2026  hxxps://endpoint1-b0ecetbuabcdg9cp.z01.azurefd[.]net:443/download.php?file=cnVzdHVwaW5pdA  URL  Azure Front Door staging URL  March 2026  endpoint1-b0ecetbuabcdg9cp[.]z01[.]azurefd[.]net  Hostname  Azure Front Door staging and C&C hostname  March 2026  9477d9cd1435dc465b4047745e9c71103a114d65ed0d5f02ac3c97ac3f1dbf47  SHA256  gulf_disruption_advisory_march2026.pdf  March 2026  a9f4f4bc12896d0f0d2eeff02dd3e3e1c1406d8a6d22d59aa85f151d806ba390  SHA256  Reader_en_install.exe  March 2026  ea1d98a41ad9343d017fa72f4baeeca0daa688bec6e0508e266c5e37e9d330de  SHA256  VLCMediaPlayer.exe  March 2026      TA453  Indicator  Type  Description  First Seen  McManus.Michael@hotmail[.]com  Email address  Sender email  February 2026  hxxps://1drv[.]ms/b/c/cbec61ab8028f986/IQDa9igU3D3BRqiyNtth76AzAbOM6jUpa8apnuRl-zKXKow?e=E8bIfd  URL  Delivery URL  March 2026  16db04b632668dae081359fc07c97e5a9b79dad61713642e48b494aa6b7828be  PDF  Benign lure PDF  March 2026  transfergocompany[.]com  Domain  TA453-controlled domain  March 2026 

Key findings  Tycoon 2FA is one of the most popular phishing-as-a-service (PhaaS) platforms currently used by threat actors, and highest volume adversary-in-the-middle (AiTM) phishing threat in Proofpoint data.  Tycoon 2FA infrastructure was disrupted by public and private partners, including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI, and additional European law enforcement partners.  The Tycoon 2FA disruption and associated lawsuit naming the creator will have a significant impact on Tycoon 2FA, related infrastructure, and threat actor activity.    Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity and supported Microsoft’s action with data, including malicious domains and information related to Tycoon 2FA campaigns.  Overview  Tycoon 2FA operates as an AitM phishing kit. Its primary function is to harvest usernames, passwords, and Microsoft 365 and Gmail session cookies. Attackers use these cookies to circumvent multifactor authentication (MFA) access controls during subsequent authentication. That allows them to achieve full account takeover (ATO) and gain unauthorized access to a user’s accounts, systems and cloud services—even those that have MFA as an additional security measure.  According to Proofpoint threat data, in 2025, 99% of organizations experienced account takeover attempts, and 67% experienced a successful account takeover. Of these, 59% of taken over accounts had MFA enabled. While not all MFA bypassing ATO campaigns are attributable to Tycoon 2FA, Tycoon 2FA is the highest volume AiTM phishing threat in Proofpoint visibility. Tycoon 2FA threat volumes vary based on actor activity, and in February 2026, Proofpoint observed over three million messages associated with Tycoon 2FA.   Tycoon 2FA infrastructure, including domains and servers, was disrupted in collaboration with private and public partners including Proofpoint, Microsoft, Europol, Cloudflare, Coinbase, Crowell, eSentire, Health-ISAC, Intel 471, Resecurity, The Shadowserver Foundation, SpyCloud, and TrendAI. In coordination with Europol, law enforcement in Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom carried out a seizure of infrastructure and other operational measures. Microsoft and co-plaintiff Health-ISAC also filed a lawsuit against the alleged Tycoon 2FA creator, Saad Fridi, and unnamed associates. The disruption and associated civil filing in the United States Southern District of New York will have a significant impact on Tycoon 2FA operations and overall threat activity.   Proofpoint supported Microsoft’s action with threat data from our visibility, including malicious domains and information related to Tycoon 2FA campaigns, and provided a declaration for the suit.   In addition to the disruption, the following splash page was displayed on the seized Tycoon 2FA domains:    Figure 1. Tycoon 2FA splash page.  Tycoon 2FA campaign details  Tycoon 2FA relies on attacker-controlled infrastructure to host the phishing webpages. Using a synchronous proxy the platform allows the interception of victims’ entered credentials. The credentials are then relayed to the legitimate service for a transparent, successful login, prompting MFA requests. The resulting session cookies are relayed back to the threat actors.    Tycoon 2FA is sold as a phishing-as-a-service (PhaaS), meaning that threat actors purchase access to the phishing tool and then they can customize it to suit their specific needs. The kit can be used multiple times through the duration of the subscription. Tycoon 2FA is used by multiple different threat actors, and sold by one main individual. It has been sold on Telegram since 2023 and was initially distributed via the “Saad Tycoon Group” channel.  Some Tycoon 2FA users are leveraging “ATO Jumping” whereby the actor compromises an initial email account, uses the compromised sender to broadly distribute Tycoon 2FA URLs, and attempts further account takeover (ATO) activities. Using this technique enables emails to look like they are authentically coming from a victim’s trusted contact, increasing the likelihood of a successful compromise.  Tycoon 2FA infections can lead to a variety of malicious activities including theft of private data including financial information, personally identifiable information, proprietary business information; full account takeover and access to M365 hosts that can be sold to additional threat actors; and potentially lead to follow-on malware compromises including ransomware.  Proofpoint has regularly tracked actors using the Tycoon 2FA phishing kit since 2024. We observe Tycoon 2FA distributed via email campaigns. A campaign is a time-bound set of related activity that is clustered by indicators of compromise (IOCs) such as senders, URLs, attachments, Tycoon 2FA configuration, etc. Tycoon 2FA campaigns vary in terms of scale; some include just a handful of messages; some include millions of messages. Campaign timelines can range from one day to one week.  Tycoon 2FA distribution depends on the criminals’ preferred method of email spam. Emails may contain malicious links, QR codes, SVGs, or attachments with URLs. In all cases, a user is redirected to an actor-controlled URL that displays a unique CAPTCHA resolution that, if solved, will direct to an attacker-controlled site impersonating a Microsoft or Google login portal. In many cases, the threat actor will display a target organization’s Azure Active Directory branding to further the social engineering component and trick a user into thinking they are entering their credentials into a real corporate site.   Figure 2. Email lure observed in late January 2026 with a PDF attachment containing a QR code leading to Tycoon 2FA.  Figure 3. Example CAPTCHA used by Tycoon 2FA, January 2026.   Figure 4. Tycoon 2FA landing page with the target organization’s logo redacted, January 2026.  Tycoon 2FA campaigns are typically opportunistic and target a broad range of organizations and often leverage compromised accounts to spread their phishing kits. Proofpoint has observed Tycoon 2FA distributed via compromised accounts from various industries including legal, real estate, healthcare, government, education, construction, and technology, as well as personal emails such as Gmail addresses.  Tycoon 2FA customers manage their campaigns via a panel provided by the Tycoon 2FA creator. The panel landing pages have changed slightly since 2023, but overall, the general URL structure and landing page functionality has remained the same.   Figure 5. Tycoon panel login screen, February 2026.   The current panel (as of February 2026) also requires a CAPTCHA.  Impact  The majority of tracked Tycoon 2FA campaigns impact North America, mainly the U.S. and Canada, with additional activities targeting many European countries including Germany, Spain, France, and the UK. According to Microsoft, Tycoon 2FA enabled cybercriminals to access almost 100,000 organizations, including schools, hospitals, non-profits, and public institutions.  Based on Proofpoint’s visibility, the following is an example of industries that were targeted in observed Tycoon 2FA campaigns in our threat data, and the percent of campaigns in which they appeared. (Individual campaigns impact multiple different targets).  Vertical  Percent of Tycoon 2FA Campaigns  Aerospace  73%  Business Services  82%  Defense  64%  Education  75%  Energy  78%  Financial Services  84%  Government  79%  Healthcare  83%  Hospitality  76%  Manufacturing  83%  Real Estate  77%  Technology  85%  Utilities  76%    Disruption  On 4 March 2026, Microsoft announced a lawsuit and disruption action against the Tycoon 2FA creator and multiple unnamed associates. Proofpoint supported the civil filing by providing a declaration regarding Tycoon activity, including infrastructure and campaign details. Microsoft seized 330 control panel domains associated with Tycoon 2FA. This action will have a significant impact on operations, disrupting ongoing criminal activity.    Successful account takeovers can cause significant harm to compromised organizations including financial and reputational damage, loss of proprietary data, and potentially lead to follow-on attacks like ransomware that can have destructive and potentially organizational damaging consequences.  Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with the Tycoon 2FA disruption, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware and phishing threats. Proofpoint was proud to assist in the law enforcement and private sector investigations into Tycoon 2FA activity.   Through its unique vantage point, Proofpoint is able to identify the largest and most consequential malware distribution campaigns, providing the authorities with much-needed insight into the biggest threats to society, affecting the greatest number of people around the world. 

Key findings  Proofpoint observed a new malware-as-a-service (MaaS) masquerading as a legitimate remote monitoring and management (RMM) tool. It calls itself TrustConnect.   The “business page” – clearly created by automated tooling of some kind– is actually the login for the MaaS. As of this writing, access was advertised at $300 per month.  Based on details of the malware creator, capabilities of the malware, and knowledge of the ecosystem, we assess with moderate confidence the threat actor behind TrustConnect was also a prominent user of Redline stealer.  Proofpoint, in collaboration with intelligence partners, disrupted some of the malware’s infrastructure, causing an impact to cybercrime activities. But the actor demonstrated resilience, with another fake RMM website identified shortly before publication that advertised malware called DocConnect.  Overview  RMM tools continue to be many attackers’ top choice for initial access. Such enterprise remote support software like SimpleHelp, SuperOps, Datto, N-able and others are frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access. (As always, the legitimate RMM tools mentioned in this report are just that — legitimate. It’s the threat actors doing the abusing. We call out brand names strictly to explain what the actors misused, not because the vendors themselves had any hand in the activity.)  But at the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created a malware masquerading as an RMM called “TrustConnect Agent.”  Initially, TrustConnect appeared to be another legitimate RMM tool being abused. Given the sheer number of existing remote administration tools available for threat actors to choose from, and their prevalence in the threat landscape, it could have made sense. But upon investigation, Proofpoint researchers identified evidence that showed TrustConnect is actually new malware-as-a-service (MaaS) classified as a remote access trojan (RAT).   TrustConnect details  Malware portal  The malware domain, trustconnectsoftware[.]com, was created on 12 January 2026. This site purports to be an RMM tool called TrustConnectAgent. The malware creator uses the domain as the “business website” designed to convince the public (including certificate providers) that the software is a legitimate RMM app, providing fake details like customer statistics and software documentation. Proofpoint suspects the actor used an LLM to create the site.  This website is also the portal for criminals to sign up for the service and acts as the command and control (C2) for the malware. Cybercriminals are instructed to sign up for a "free trial", instructed on how to pay in cryptocurrency, and then verify payment in the TrustConnect portal.   Figure 1. TrustConnect “business website”.  The website is also the front they used to purchase a legitimate Extended Validation (EV) certificate in the name of "TrustConnect Software PTY LTD", supposedly based in Alexandra, South Africa. The certificate was valid from 27 January, and the actor used this EV certificate to sign the malware. Obtaining EV certificates costs thousands of dollars and requires additional levels of validation on behalf of the domain holder. Such certificates are supposed to demonstrate that the domain and related business is trustworthy. When used by threat actors, they can help criminals evade signature-based detections. Threat actors can pay malicious providers for EV certificates or attempt to create them on their own.   In collaboration with fellow researchers at The Cert Graveyard, Proofpoint was able to get the EV certificate revoked on 6 February 2026, removing the trick the actor was using to bypass security tools and adding friction to their operations. However, the revocation of the certificate was not backdated, so the old signed files remained valid. This aligns with the actor stopping new subscriptions, but current customers could still distribute the files via email campaigns.  Campaign details  Threat actors in the RMM ecosystem frequently rotate payloads, which allows a specific URL to lead to different malware or abused RMMs throughout a campaign. Though likely that some low volume testing was done in previous weeks based on similar file sizes and file naming, threat actors were confirmed distributing TrustConnect on 27 January, correlating with the date the seller began digitally code signing the software. Proofpoint has observed campaigns from multiple different threat actors distributing this malware.   For example, beginning on 26 January we observed a campaign purporting to be invitations for bids and to an event. Messages were sent from compromised senders and email body copy included both English and French.   Figure 2. Bid invite lure distributing TrustConnect RAT.  Figure 3. French language lure distributing TrustConnect RAT.  Messages contained URLs leading to an executable file "MsTeams.exe". The MsTeams file Proofpoint retrieved on 30 January 2026 was signed with the original filename “MsTeams.dll” with the EV certification dated 29 January and belonging to “TrustConnect Software PTY LTD.”, meaning that the threat actor either used an unsigned executable or some other payload early in the campaign  The executable dropped a file called "TrustConnectAgent.exe" which communicated with the TrustConnect RAT C2 server, and likely led to the installation of additional payloads.  Figure 4. Payload EV cert timeline.  Threat actors distributing TrustConnect have used a variety of lure themes including taxes, document shares, meeting invitations, events, and government themes. The MaaS provides templates for many different kinds of brand abuse, which we will describe in the next section.   Interestingly, researchers also observed campaigns delivering multiple different RMMs alongside TrustConnect. One campaign observed over a four-day period leveraged a single sender, with lures containing overlapping payload URLs, to deliver multiple executables in late January 2026.  Figure 5. Due diligence themed lure delivering LogMeIn RMM.  Proofpoint observed the following variations of the campaign:   31 January and 01 February: messages contained URLs leading to an executable file which, if executed, installed ScreenConnect.  03 February: observed messages contained URLs leading to an executable file which, if executed, installs LogMeIn Resolve.  03 February: observed messages contained URLs leading to an executable file "reference_letter_sign.exe". This dropped a file called "TrustConnectAgent.exe" leading to the installation of TrustConnect RAT.  Additionally, Proofpoint has observed TrustConnect campaigns leading to the follow-on deployment of a legitimate remote access tool, typically ScreenConnect. Proofpoint observed TrustConnect deploying ScreenConnect from at least nine distinct on‑premises (self‑hosted) ScreenConnect servers over a 10‑day period. All were older versions signed with expired or revoked certificates, suggesting the instances were illegitimately purchased previously or possibly pirated. Proofpoint also observed deployment of Level RMM via an abused account as well as hands‑on-keyboard activity. This activity occurred within minutes of TrustConnect installation, reinforcing the assessment that it is used by multiple threat actors. (We reported it to Level, and the account was disabled by the vendor.)  The use of legitimate remote enterprise tooling both alongside and as a follow-on malware suggest this RAT is very much embedded with the overall ecosystem of threat actors abusing these tools, and the MaaS provider is likely selling to the same customers abusing real RMM payloads and infrastructure in campaigns.  Malware capabilities and C2 panel  The platform provides a web-based C2 dashboard, automated payload generation with digital signatures, and a subscription-based access model which costs $300 per month paid via cryptocurrency. The centralized C2 server, trustconnectsoftware[.]com, manages multiple customers.  Figure 6. TrustConnect public sign-in page with link to free sign up.  After registering for a free account, which requires that the user enter their email, "company name", and create a password, they are then prompted to verify their account with an one-time password (OTP) provided in an email that is sent via integration with Zoho transactional email service.  Figure 7. OTP code for account verification at sign-up.  Figure 8. OTP entry.  Once the email has been verified, the visitor is redirected to a subscription page, that despite previously stating that a free trial was available, claims that the account is blocked and that payment is needed to continue using the service.  Figure 9. TrustConnect subscription dashboard.  The subscription dashboard states that the subscription costs U.S. $300/month, and that the payments can be made in the cryptocurrencies Bitcoin or USDT. It provides wallet addresses to pay in either of these currencies. After manual payment, the customer needs to paste the transaction hash (publicly available on the blockchain) and click a button to verify the transaction. The verification is performed automatically by the server, by verifying in the blockchain that the transaction has occurred to the wallet, and that the transaction hasn’t been registered in the panel previously. This suggests that the seller has a database of payments and who paid when. This, in combination with the requirement of an email address, makes the payment not as anonymous as customers thought.  Even though the server-side blockchain verification checks that the transaction has happened, it doesn’t check if the transaction happened before the service opened for registration.  Figure 10. Infected devices page (with mock devices).  The Device page of the C2 dashboard lets the attacker see the devices that have the RAT installed. It’s possible to execute pre-defined commands or run custom commands directly on the device, transfer files to the device, view system information and connect to the device via a remote desktop function. It’s also possible to organize the devices into different custom groups. This page as well as others have a scrolling text that states “Note: Download the EXE, then upload to your own hosting/domain. Send your hosted link to targets for best results - avoids browser flagging.”  The C2 dashboard provides a real-time audit of connected devices, with a timeline feature that shows the relevant actions taken by the MaaS, such as registration, deployment of the RAT, commands executed and so on.   Figure 11. TrustConnect audit dashboard.  Notably, there doesn’t seem to be any functionality to disable or clear the audit log, making it hard for the attacker to erase evidence of malicious activity.  Figure 12. RDP dashboard view.  The remote desktop management function includes features for full mouse and keyboard control, surveillance on the compromised host, UAC bypass, ability to hide operator activity from the victim, screen recording, and the ability to switch between victim displays. The screen is streamed via unauthenticated WebSocket.  TrustConnect generates “branded” installers that bundle legitimate icons and metadata with payload delivery. The brands used are commonly observed across the ecrime threat landscape and are frequently seen used as lures in other cybercriminal RMM campaigns. Lures include:   Corporate: Zoom, Microsoft Teams, Adobe Reader, Google Meet.  Government and Business: "Proposal", "Special Events", "Social Security Administrative"  As well as a generic installer just branded as “TrustConnect” likely designed to masquerade as a real RMM.  Figure 13. Advertised "branded" installers.  Each one of the installers can be downloaded from the C2 via an URL without being signed in, allowing direct download of the malicious installers. The EXE files are named in line with the impersonated brand:  ZoomWorkspace.exe  AdobeReader.exe  MsTeams.exe  Proposal.exe  GoogleMeet.exe  Ssa.exe  SpecialEvents.exe  Installer.exe  The downloaded file is around 35 MB, containing metadata from the impersonated brand as well as pre-configured with the attackers install token so it will join the corresponding “organization” in the C2 panel. The internal name of the file matches the EXE but uses the file extension .dll. This is likely an artifact of the application being compiled as a .NET Core single-file executable, which inherits the name of the source DLL it was built from. Each EXE is signed, and since each installer type contains the specific metadata of the impersonated brand, each customer will at minimum have access to files with eight different hashes. In addition to this, it’s possible to generate a new install token in the panel, which would generate new hashes.  Example EXE download URL:          <hxxps://trustconnectsoftware[.]com/downloads/brands/[organization_name]/MsTeams.exe>   The page also has instructions on how to run a one-liner PowerShell script to run a remote intermediate script that will install the RAT (possibly to be used in ClickFix attacks), as well as system requirements and deployment instructions.  Figure 14. Quick deploy commands.  Figure 15. Deployment guide and system requirements.  Customers also have access to a settings page, where they can enable two-factor authentication and set up Telegram bots to receive notifications when devices connect or disconnect, which means that the MaaS owner has stored ample information about the customers, from email and organization name to cryptocurrency wallet and Telegram tokens.  In addition to the customer-accessible pages above, there is also a hidden “admin-approvals” page that the user will be redirected to if logged in as a “SuperAdmin.”  Figure 16. JavaScript redirect for hidden “admin-approvals” page for SuperAdmin.  This page is an internal admin dashboard intended to be accessed by the MaaS owner or support.   Figure 17. Admin Dashboard (with mock data). In addition to managing customers, like adding days to the subscription or deleting them, the administrator can also list all online devices that the RAT is installed on, independent of which customer installed it. Notably, at this page the creator clearly labels these devices as “Victims”.  The platform links the operator's identity to the payload through a specific chain:  Operator Email: [Registered email in clear text] (Login credential)  Organization ID: [Internal UUID]  Organization Name: [organization name] (User-defined display name on sign up)  Download Path: .../brands/organization_name/... (Derived from Organization Name, used for EXE generation)  Installer Token: [token] (Unique key embedded in the EXE/Script to map victims back to the Org ID, can be expired and rotated by the customer in the panel)  Additional malware details  The malware communicates with the C2 on the same API as the web panel and doesn’t use any additional encryption other than standard SSL/TLS. Below are some examples of traffic:  POST /api/agents/register  Figure 18. TrustConnect check-in.  GET /api/agent-commands/  Figure 19. TrustConnect receiving PowerShell command to install ScreenConnect.  The following is a partial API endpoint map documenting methods and functions of the malware:  Category  Endpoint  Method  Function  Auth   /api/auth/login   POST   JWT Authentication      /api/auth/verify-login   POST   2FA Verification   C2   /api/devices   GET   List victims      /api/commands/run   POST   Execute shell command      /api/files/upload   POST   Upload file to victim   Viewer   /ws/viewer   WS   Remote Desktop Stream      /api/screen/start   POST   Initialize session      /api/recordings/chunk/{id}   POST   Upload screen recording   Malware   /api/agents/register   POST   Agent registration      /api/installer/script   GET   Get PowerShell loader     /api/agents/heartbeat  POST  Agent Heartbeat    /agent-update  GET  Agent Update    /api/files/browse/pull  GET  Agent file browse    /api/files/pull  GET  Agent file download    /api/agent-commands/  GET  Agent command retrieval    /ws/screen  GET  WebSocket Upgrade (RDP)    /api/agent-commands/result  POST  Agent command result  Admin   /api/admin/devices/online   GET   Super-Admin Global victim list      /api/admin/control-mode/check/{id}   GET      The malware C2 was hosted on 178[.]128[.]69[.]245. Proofpoint initiated coordinated remediation of the service, which concluded at ~00:00 UTC on 17 February 2026 and impacted the actor’s infrastructure. Supporting industry partners wish to stay anonymous.   Shortly before publication of this report, Proofpoint analysts identified a pivot to parallel infrastructure and testing of a new agent payload, called "DocConnect" or "SHIELD OS v1.0". Preliminary analysis reveals the new C2 panel is a React Single Page Application (SPA) backed by Supabase. Despite the architectural shift, the platform shares the distinct "vibe-coded" style observed in the TrustConnect website.  Initial analysis of the new agent shows the integration of SignalR instead of raw WebSockets, as well as giving users of the reworked MaaS the ability to include custom PDF lures in the installer itself. The new default name the installer is "DocConnect.Agent.exe".  Attribution  The malware panel includes a Telegram handle (@zacchyy09) for support and sales inquiries.   Figure 20. Support Telegram handle.  In addition, on 6 February 2026 (the same date the EV certificate was revoked), the open registration was closed and replaced with instructions to contact the same Telegram handle to get access to the MaaS:  Figure 21. Sign up instruction on February 6. Notably, this handle was also mentioned as a VIP customer in Operation Magnus, a joint law enforcement effort led by the Dutch National Police to disrupt Redline and META information stealers in October 2024. It is possible a different threat actor is using the same handle. However, based on campaign artifacts, infrastructure, and malware delivery, Proofpoint assesses with moderate confidence, the TrustConnect actor was also likely a Redline customer.   Figure 22. Screenshot of some VIP users from Operation Magnus disruption video.  Conclusion  The emergence of TrustConnect MaaS demonstrates a few major themes:  Disruptions to MaaS operations like Redline, Lumma Stealer, and Rhadamanthys, have created new opportunities for malware creators to fill gaps in the cybercrime market. While these disruptions are effective and impose cost on adversaries, emerging malware shows threat actors will always be looking for new ways to compromise victims.   The RMM abuse ecosystem is thriving. Although TrustConnect only masqueraded as a legitimate RMM, the lures, attack chains, and follow-on payloads (which include RMMs) show overlap with techniques and delivery methods that are frequently observed in RMM campaigns and used by multiple threat actors.   Based on website artifacts and functionality, both TrustConnect and DocConnect websites and agents are likely coded with the assistance of AI Agents, but the new version is significantly more advanced. It shows how threat actors quickly can gain momentum by the help of AI, just like the rest of the society.  Proofpoint would like to thank our colleagues at ConnectWise ScreenConnect for collaborating on taking down abused instances.   Emerging Threats rules  2067351 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (trustconnectsoftware .com)  2067352 - ET MALWARE Observed TrustConnect RAT Domain (trustconnectsoftware .com in TLS SNI)  2067682 - ET MALWARE TrustConnect RAT CnC Activity (Files Browse)  2067683 - ET MALWARE TrustConnect RAT CnC Activity (GET Agent Commands)  2067684 - ET MALWARE TrustConnect RAT CnC Activity (POST Command Results)  2067685 - ET MALWARE TrustConnect RAT CnC Activity (Agent Heartbeat)  2067686 - ET MALWARE TrustConnect RAT CnC Activity (Heartbeat Response)  2067687 - ET MALWARE TrustConnect RAT CnC Activity (WebSocket Upgrade Request)  2067688 - ET MALWARE TrustConnect RAT CnC Activity (Agent Register)  2067689 - ET MALWARE TrustConnect RAT CnC Activity (Agent Update)  2067690 - ET MALWARE TrustConnect RAT CnC Activity (Files Pull)  2067801 - ET MALWARE TrustConnect RAT CnC Domain in DNS Lookup (networkservice .cyou)  2067802 - ET MALWARE Observed TrustConnect RAT Domain (networkservice .cyou in TLS SNI)  2067803 - ET MALWARE TrustConnect RAT CnC Activity (Agent Registration)  2067804 - ET MALWARE TrustConnect RAT CnC Activity (Failed Registration)  2067805 - ET MALWARE TrustConnect RAT CnC Activity (Files Pending)  2067806 - ET MALWARE TrustConnect RAT CnC Activity (GET Commands)  Example indicators of compromise  Indicator   Description  First Seen  trustconnectsoftware[.]com  C2 Domain  12 January 2026  178[.]128[.]69[.]245  C2 IP  12 January 2026  adobe[.]caladzy[.]com  Payload Staging Domain  31 January 2026  ametax[.]net  Payload Staging Domain  31 January 2026  worldwide-www19[.]pages[.]dev  Payload Staging Domain  31 January 2026  vurul[.]click  Payload Staging Domain  31 January 2026  cee6895f7df01da489c10bf5b83770ceede79ed4e1c8c4f8ea9787a4d035c79b  TrustConnectAgent.exe  SHA256  2 February 2026  statementstview[.]online  Payload Staging Domain  10 February 2026  elev8souvenirs[.]com  Payload Staging Domain  26 January  cf85a4816715b8fa6c1eb5b50d1c70cfef116522742f6f1c77cb8689166b9f40  MsTeams.exe  SHA256  26 January  162c0d3e671ddf4f7f3ae5681da5272111eab6588bc53843cc604fc386634594  DocConnect Testing Payload  17 February 2026  networkservice[.]cyou  DocConnect C2  17 February 2026  hxxps[://]memphiswawu[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026  hxxps[://]aerobickarlaurbanovas[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest=  ScreenConnect Payload URL  10 February 2026  hxxps[://]stewise[.]top/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026  hxxps[://]smallmartdirectintense[.]com/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest=  ScreenConnect Payload URL  10 February 2026  hxxp[://]192[.]159[.]99[.]83/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026  hxxp[://]192[.]227[.]211[.]41:8040/Bin/ScreenConnect[.]ClientSetup[.]msi?e=Access&y=Guest  ScreenConnect Payload URL  10 February 2026   

Key findings  TA584 is one of the most prominent cybercriminal threat actors tracked by Proofpoint threat researchers.  In 2025, the actor demonstrated multiple attack chain changes including expanded global targeting; ClickFix social engineering; and delivering new malware, Tsundere Bot.   TA584’s activity is unique in the cybercrime landscape and shows how static detections alone are not reliable for constantly innovating threat actors.   Overview  Proofpoint tracks multiple sophisticated cybercriminal threat actors, and one of the most frequently active with high volume campaigns is TA584. TA584 is a prominent initial access broker (IAB) that targets organizations globally. In the second half of 2025, TA584 demonstrated multiple attack chain changes including adopting ClickFix social engineering, expanded targeting to more consistently target specific geographies and languages, and recently delivering a new malware called Tsundere Bot. TA584 overlaps with a group tracked as Storm-0900.   The actor’s operational tempo increased throughout 2025, with the number of monthly campaigns tripling from March to December 2025.  TA584   Background  Tracked by Proofpoint since November 2020, TA584 has demonstrated a variety of tactics, techniques, and procedures (TTPs). Delivery methods included macro-enabled Excel documents, URLs with aggressive filtering, use of various traffic distribution services (TDS), and geo-fenced landing pages.    While TA584 has been tracked for several years, its earlier campaigns followed relatively predictable patterns compared to the variety of techniques observed in 2025. One of the most notable shifts in TA584’s activity during 2025 is how quickly campaigns are launched, modified, and retired. The actor has been active for several years, but earlier activity tended to follow longer-lived patterns, with infrastructure, lures, and delivery mechanisms reused over extended periods of time. In contrast, 2025 activity is characterized by high campaign churn and short operational lifespans.   Figure 1. Operational tempo increased throughout 2025.  In 2025, TA584 conducted campaigns in rapid succession, often overlapping in time while using distinct lure themes, branding, and landing pages. In many cases, individual campaigns remained active for only a short time (hours to days) before being replaced or significantly modified. Instead of refining a single successful attack chain, TA584 favors continuous iteration, rapidly cycling through various tactics, techniques, and procedures (TTPs), even when prior campaigns remained effective.  The consistency of this pattern throughout 2025 shows how a steady stream of brief, thematically distinct campaigns originating from the same actor provides insight into how modern financially-motivated threat actors adapt to defensive pressure.  Data scope  Proofpoint’s analysis of TA584 activity is based on email as an initial access vector. Although TA584 has been monitored periodically since 2020, the findings presented here primarily focus on activity observed throughout 2025, when visibility of campaign volume, operational tempo, and variability increased significantly. The analysis follows activity from initial message delivery through malware execution. This perspective lets us see how TA584 adapts social engineering techniques, distribution infrastructure, and payload delivery over time, while also identifying execution behaviors that remain consistent despite other changes.  The scope of this analysis is intentionally focused on the pre-compromise and early execution stages of TA584 attack chains. Areas covered include email lure construction, social engineering themes, brand impersonation, localization strategies, landing page design, delivery infrastructure, and malware execution.   Campaigns were identified and clustered by correlating multiple attributes including delivery characteristics, shared or structurally similar infrastructure, recurring execution patterns, geofencing and IP filtering, landing page design, malware and malware configuration, and overlapping lure characteristics. Attribution to TA584 is based on a combination of historical tracking, continuity across campaigns, and recurring patterns observed over multiple years of activity.   Overall, the methodology used in this report reflects the challenges of tracking modern, high-velocity, email-centric threat actors. TA584’s 2025 activity shows how quick campaign turnover and deliberate variability can make static indicators less effective.   Campaign details  Social engineering  TA584 sends emails impersonating various organizations. Impersonated entities include job-related firms (such as Michael Page, Addeco) or business services (BBB, Companies House), as well as brands like PayPal, OSHA, Medicare, OneDrive, or YourCostSolutions.   The most frequently observed vertical impersonated is healthcare, followed by government entities. Proofpoint has seen this actor impersonate hospitals, care facilities, and multiple various government agencies in multiple countries.   Figure 2. TA584 impersonations.  TA584 demonstrates unique social engineering content using a very wide range of themes and techniques used to get people to engage with malicious content. The emails and associated landing pages always match, with well-designed and believable lures.  Brand impersonation further reinforces this approach. TA584 regularly incorporates well-known brands into email content, but brand usage is typically short-lived, with individual brands appearing briefly before being replaced in subsequent campaigns. In several cases, brand selection appears aligned with geographic targeting, with localized or regionally relevant brands used to increase credibility among specific recipients. Importantly, this variability does not appear to be random. Despite frequent changes, lures consistently maintain a sense of urgency or implied legitimacy, often encouraging recipients to view a document, review a transaction, or resolve an outstanding issue. The underlying social engineering objective remains the same, even if the surface-level details change.  This actor’s behavior is notable. Because TA584 regularly changes their lures, it reduces the effectiveness of content-based detection and increases the likelihood that at least some variants will evade filtering. For defenders, this shows how campaigns should be assessed holistically, correlating sender behavior, delivery infrastructure, and downstream execution rather than relying solely on static content indicators.  Some themes observed in 2025 include debt collection and payment processing, invitations to events or programs, tax obligations, medical test results, healthcare benefits, parking tickets, recruiting emails, and business complaints.    One campaign in December used a unique social engineering technique: including a photo of an alleged package delivery that contained the name of the recipient in the email lure.  Figure 3. Purported photo of physical mail.   In the emails, TA584 included a photo of supposed physical mail that displayed the targets’ name and address, customized to each recipient. This likely furthered the believability of the lure. Proofpoint rarely observes this technique, however we have seen it used by TA2725 in recent months.  Attack chain  TA584 uses multiple delivery methods via email. In 2025, the actor most often sent emails from compromised individual senders. These accounts were typically paired with several display names per campaign that matched the lure, and a single wave could involve hundreds of different compromised senders across many unrelated, legitimate, and often aged domains.  TA584 also occasionally sends through thirdparty Email Service Providers (ESPs) such as SendGrid and Amazon Simple Email Service (SES). This likely involves stolen credentials to create or takeover ESP accounts and then authenticate the compromised domain for sending. In practice, that usually requires DNS access to add provider-specific DNS records.  Because the emails come from authenticated, aged senders and vary heavily in subject lines and URLs, it can be difficult to reliably track and cluster these campaigns using email characteristics alone.  The emails usually contain unique links for each target that performs geofencing and IP filtering. If these checks were passed, the recipient is redirected to a landing page aligning with the lure in the email. Between March 2021 and July 2025, the landing page featured a countdown, the target's name (from a query in the URL), and a CAPTCHA. The timer, which was always placed in the top right corner, added to the sense of urgency a recipient would have, feeling like there was limited time to reply to seemingly important emails. Solving the CAPTCHA revealed a download button for a zipped JavaScript or shortcut (.lnk) file.   In early campaigns, TA584 also delivered macro-enabled Excel documents (tracked as EtterSilent) directly after the filtering checks that, if macros were enabled, would lead to malware installation.  Figure 4. March 2021 campaign, emails containing URLs that redirect to the download of a zipped macro-enabled Excel sheet that, when enabled, downloaded Ursnif.  Figure 5. Lure impersonating a recruiting firm targeting North American organizations, containing a URL leading to a landing page featuring a countdown, matching the email lure, March 2025.   From late July 2025, the actor switched to using the ClickFix technique. The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer. First observed in 2024, the ClickFix technique is now used by many different threat actors that customize the landing pages based on lure theme and objective.   Currently, messages contain unique URLs with a link leading to a customized landing page with a "Slide" CAPTCHA. If the CAPTCHA is resolved, a ClickFix page will be displayed which guides users to follow instructions which, if completed, run a PowerShell command which in turn runs another remote intermediate PowerShell script containing obfuscated code that will execute the malware payload. The initial script from the ClickFix command can only be retrieved if the same IP address has accessed the landing page. The landing page also contains a call-back function to check if the payload has been accessed and redirects the browser to a benign site, for example docusign[.]com, when this has been done.  Figure 6. BBB complaint lure with URL, November 2025.   Figure 7. CAPTCHA and ClickFix landing pages, November 2025.   Redirect behavior and intermediate delivery techniques are a notable aspect of TA584’s landing page infrastructure. All campaigns use redirect chains or intermediary resources to obscure the final payload location, adding additional layers between the initial email and malware delivery. The individual URLs are not consistently reused, and the actor changes URLs and redirects with each campaign, often using third-party criminal services in the redirect chain. The actor often uses a set of compromised domains per campaign, with a path in the URL identifying the campaign (such as domain.tld/bbb/[unique query]) either directly in the email, or in the redirect chain if a third-party service has been used in the campaign. However, from late 2025, the actor preferred to instead use Amazon AWS S3 URLs, either directly in the email or in the redirect chain, also most often paired with a unique query per target. In 2025, Proofpoint also observed Blogspot URLs, and other various URLs used in the email lure. While in previous years, the actor commonly used Cookie Reloaded (Prometheus TDS) URLs for filtering payloads, we observed TA584 occasionally switch to Keitaro TDS, but the actor most frequently used 404 TDS as the primary filter in 2025. This variability reinforces the actor’s preference for adaptable infrastructure, causing detection to become more challenging.   404 TDS is a traffic distribution system (TDS) used by cybercriminal actors since at least 2021 and has been observed used by multiple ecrime actors, particularly those that demonstrate more sophisticated capabilities. 404 TDS was named due to the mechanism it used in initial campaigns to redirect users to the payload sites. Specifically, the TDS would respond with a "404 Not Found" code and then use a meta refresh method to automatically refresh the current web page to direct the user to the URL contained in the meta refresh element, which is the next site in the attack chain. 404 TDS does not appear to perform any filtering or blocking. In most cases the TDS simply redirects the user to next URL. 404 TDS links are time limited, typically to one day.   After any potential third-party filtering and the initial redirect, the browser is redirected to a long hostname (often related to the lure) hosted on an actor-controlled domain, where additional IP-based filtering is performed. Only if the target passes this final IP filtering step are they redirected to the final landing page, hosted under a campaign-specific path on the same host.  The domain itself is usually used for only one or two campaigns, and new domains are typically registered and deployed at least once per week. Although new domains are rotated frequently, the IP address hosting these final steps often remains static for long periods. For example, 94[.]159[.]113[.]37 (AS216234 Komskov Vadim Aleksandrovich) has been used since April 2025.  Because of the layered redirects and filtering, full redirect chains and final landing pages are rarely captured by public sandboxes or URL scanning services.  Targeting details  Campaigns typically target hundreds of organizations with message volumes ranging from a few thousand to nearly 200,000 messages per campaign.   Historically, this actor largely focuses targeting on organizations in North America, the UK, and Ireland, but at the end of July 2025, the actor expanded targeting to regularly include Germany. (Analyst note: Proofpoint previously observed a small number of campaigns targeting Germany in 2023, but in 2025 the actor consistently targeted that country at a significantly higher volume). TA584 focused its targeting efforts on European users for much of the summer, before returning to mostly targeting North America by fall 2025. Proofpoint has also observed limited targeting of Australia since at least spring 2025.   The actor appears to be opportunistic and doesn’t target specific verticals. The actor typically conducts a few campaigns per week, but we have observed breaks between campaigns. The most frequently targeted geography is North America.    Figure 8. Targeted countries by campaign, 2025.  TA584’s 2025 campaigns show consistent shifts in geographic targeting, with individual operations often focused on specific regions. While earlier activity associated with the actor had a less specific focus on geographic targeting, campaigns observed in 2025 frequently included deliberate regional targeting, with less opportunistic activity. TA584 focused its targeting efforts on European users for much of the summer, before returning to mostly targeting North America by fall 2025. Proofpoint has also observed limited targeting of Australia since at least spring 2025.   Targeted regions often change between campaigns, with geographic focus rotating over relatively short timeframes. In several cases, campaigns in a single week targeted different regions while using distinct branding, language, and lure themes relevant to selected targets.   Figure 9. UK targeted email lure 24 September 2025.  Figure 10. German targeted email lure 25 September 2025.  Figure 11. U.S. targeted email lure 19 September 2025.  This rotational targeting allows TA584 to keep high operational tempo while reducing repeated exposure within any single region.   Malware details  The current payload delivered is XWorm with the configuration “P0WER”, which it has used since at least mid-2024. However, at the end of November and through December 2025, TA584 also distributed a newly observed malware called Tsundere Bot which we will describe below.   Previously, the actor was observed distributing the following payloads for initial access: Ursnif (2020 – 2022), LDR4 (2022 – 2023), WarmCookie (2024), Xeno RAT (2024), and Cobalt Strike (2024). TA584 also used DCRAT in one campaign in September 2025, which was a significant outlier. The actor did not use this payload again.   XWorm is a remote access trojan (RAT) observed since 2022 that also includes some ransomware functionality. It is available for sale on criminal forums and used by many different threat actors of various levels of sophistication.   Tsundere bot  While Tsundere Bot was previously distributed by other threat actors in Proofpoint campaign data as early as August 2025, TA584 used Tsundere Bot for the first time at the end of November 2025. Throughout December, Proofpoint observed this payload in multiple additional campaigns, and it now appears to be a favored payload alongside XWorm. Tsundere Bot is a new malware with backdoor and loader capabilities. Further investigation identified the panels, which identified themselves as “Tsundere Netto” and “Tsundere Reborn”, from where the name Tsundere Bot was taken. It is a malware-as-a-service (MaaS). It is used by multiple different threat actors, according to third-party reporting from Kaspersky, including being dropped by RMMs downstream of web injects, and delivered via fake video game installers.   Figure 12. Tsundere Bot panel screenshot.   The bot needs Node.js to be installed on the system, which is handled by installers available to be built from the command and control (C2) panel in the form of MSI installers or PowerShell scripts. Tsundere Bot has the following capabilities:  Uses a form of EtherHiding to connect to the Ethereum blockchain via multiple RPC providers in order to retrieve its C2 and config via a Web3 smart contract and wallet defined by the installer, and uses a consensus mechanism to select the most commonly returned C2 URL from multiple providers. The malware also includes a hardcoded C2 fallback in the installer script.  Uses WebSockets to communicate with the C2.  Checks system locale and exits if the system uses CIS country languages (Russian, Ukrainian, Belarusian, Kazakh, etc.)  Collects system information such as CPU/GPU info, username and hostname, Windows version, volume serial numbers, etc. and creates a unique victim ID with this info.  Maintains connection health to C2 with a “ping/pong” heartbeat.  Can execute arbitrary JavaScript code sent from the C2  The C2 panel, which allows public account creation, contains functions such as:  Bot control panel which can be filtered by IP, country code, username and hostname  User settings where a license key for the MaaS can be applied  Build system where installers in the form of MSI or PowerShell can be generated  Autotasks management where custom Node.js scripts can be configured to run automatically on first or every bot connection.  A market where bots can be sold and purchased.  Socks Proxy, where bots can be configured to be used as SOCKS5 proxies.  Proofpoint has observed this malware delivered via a variety of attack chains based on the distinct threat actor using it, including multiple campaigns leveraging the ClickFix social engineering technique. Proofpoint has identified multiple pairs of contracts/wallets that resolves to different active C2 servers. Early versions of the installer and bot code contain comments in both Russian and English in different parts of the code.  In general, the malware can be used for information gathering, data exfiltration, lateral movement, and to install additional payloads. Given that Proofpoint has observed this malware used by TA584, researchers assess with high confidence Tsundere Bot malware infections could lead to ransomware.  The first observed TA584 Tsundere Bot campaign occurred on 28 November 2025 and impersonated the Health and Safety Executive (HSE). Other Tsundere Bot campaigns observed in December include impersonating document review tools, construction companies, and mobile providers.   Figure 13. HSE lure.   In this email, which is a typical lure style for the threat actor, TA584 is asking for recipients to provide requested information by clicking unique URLs that will redirect to a landing page with a CAPTCHA, if IP filtering and geofencing checks are passed.  Figure 14. HSE themed CAPTCHA.  If the CAPTCHA is resolved, a ClickFix page will be displayed which guides users to follow instructions which, if completed, runs a PowerShell command.   Figure 15. ClickFix steps.  This command, in turn, runs a remote intermediate PowerShell script that is likely generated from the Tsundere Bot malware panel. The remote script installs Node.js and its dependencies directly from nodejs[.]org, then decrypts two AES-encrypted embedded Node.js files: one loader script, which subsequently loads the second script, the Tsundere Bot itself.  Figure 16. TA584 PowerShell script.   Tsundere Bot retrieves its C2 address from the Ethereum blockchain using a variant of the EtherHiding technique, or a hardcoded C2 fallback, profiles the computer, sends this profiling information to the C2 (193[.]17[.]183[.]126:3001), and then waits for additional Node[.]js-based payloads.   Notably, while the PowerShell installer script contains English, the Node.js scripts are commented in Russian and include logic to abort execution if the malware detects that it is running on a system located in a CIS country.  While the contract can be updated to point to a new C2, the contract used in this infection chain has had the same C2 configured since its first transaction on 6 August 2025.   XWorm “P0WER”  Since XWorm is a well-known malware, we won’t go into details here but include summary of what the “P0WER” configuration means, and how TA584 uses it in their attack chain. Just as with Tsundere Bot, the “P0WER” variant of this malware is likely a complete product that is sold as a MaaS. The name “P0WER” that Proofpoint is using for this configuration is taken from the AES Key used in this specific version. And just as with other malware distributed by TA584, this configuration has also been seen from other unrelated clusters, which also use the same execution method as TA584.  Just as with the Tsundere Bot chain, the infection starts with PowerShell running a remote PowerShell script. Due to the similarity in the execution of this variant from other clusters, it’s likely that this script is built with a malware builder from a MaaS. While the obfuscation of the installation script has changed since the variant first was observed, and additional obfuscation of the binaries, the functionality remains the same.  The script begins by disabling AMSI scanning via a reflection trick that forces an initialization failure (amsiInitFailed), ensuring the rest of the code runs unmonitored. It suppresses errors to stay quiet and reconstructs two hidden Base64 blobs using string replacements. The first blob is a custom .NET loader, which is reflectively loaded into memory; the second is the XWorm malware executable.  Figure 17. XWorm P0WER PowerShell script used by TA584 in April 2025.  To execute the malware, the script invokes a method called BIG.BOOM. This method performs process hollowing, a technique where the loader starts a legitimate, signed Microsoft utility, RegSvcs[.]exe, in a suspended state, empties its memory, and replaces it with the XWorm payload.  Figure 18. Xworm P0WER PowerShell script with XOR obfuscation used by TA584 in December 2025.  Figure 19. Same as Figure 18 script with as much obfuscation removed as possible, while still showing the functionality as used by the actor.  This makes the detonation effectively file-less, as the malware resides entirely in RAM and masks its activity under the identity of a trusted system process. Finally, the script wipes the clipboard to remove traces of the initial ClickFix command.  Once active in memory, the XWorm client communicates with its C2 server to pull down secondary modules, including a persistence plugin built with SharpHide. This tool manipulates the Windows Registry by inserting null-byte characters (\x00) into the key names. Because many standard Windows APIs and management tools (like Regedit.exe) treat the null byte as a string terminator, the entry becomes effectively invisible to basic enumeration, hiding the malicious "Run" key from casual inspection.  This hidden key establishes an execution chain that triggers every system boot:  The key launches mshta which executes a VBScript one-liner that instantiates the WScript.Shell COM object. This object is used to execute a PowerShell process with the WindowStyle set to 0 (hidden), preventing any console window from appearing to the user.   The spawned PowerShell process decodes a Base64-encoded string to run another remote PowerShell script, which normally contains the same installation script as the one initially executed. However, by fetching the payload dynamically from an external IP on each boot, the attacker ensures the infection is modular. This allows for C2 infrastructure migration or the delivery of additional malware without needing to modify the local persistence entry, maintaining a persistent, "effectively file-less" foothold that is difficult to disrupt through standard file-system cleanup.  Attribution  Proofpoint assesses with high confidence this actor is an initial access broker with infections that can lead to ransomware. TA584 is a sophisticated cybercriminal threat actor that has maintained operational consistency since at least 2020. Based on the malware used and artifacts in the attack chains, it is likely this actor is plugged in to the Russian cybercriminal ecosystem and underground markets.  Defensive recommendations  Restrict users from running PowerShell unless necessary for their job function.  Use application control policies (like AppLocker or Windows Defender Application Control) to prevent the execution of tools like node.exe from non-standard, user-writable locations such as “C:\Users\*\AppData\Local\”.  Create detection rules for powershell[.]exe or cmd[.]exe spawning a node[.]exe process, especially when node[.]exe is located in a user's AppData or other non-standard locations.  Block or monitor Ethereum endpoints. The malware relies on a hardcoded list of public Ethereum RPC providers to retrieve its C2 server address. Blocking (or, monitoring) outbound traffic to these specific URLs at the network firewall or web proxy can prevent the malware from receiving its instructions.  Monitor and inspect WebSocket traffic. The malware uses WebSockets (ws:// or wss://) for C2 communication. Implement network monitoring to detect and inspect WebSocket connections to unknown or uncategorized domains.  Consider disabling Windows+R via Group Policy for users who do not need it for their job function.   Organizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can be integrated into an existing user training program.  Conclusion  The cybercriminal threat landscape has experienced dramatic shifts in behaviors, targeting, and malware use over the last year, with many priority threat actors disappearing from email threat data in 2025. TA584, however, bucks this trend and has demonstrated consistent patterns of behavior and targeting since 2020, with recent shifts that demonstrate the actor is attempting to infect a broader range of targets. Proofpoint assesses it’s likely TA584 will increase targeting in Europe in 2025. It is also possible the threat actor will continue experimenting with different payloads, like Tsundere Bot or other remote access payloads newly available for sale on criminal markets.   Organizations should be aware of techniques used by TA584 and implement preventative defensive measures including restricting users from running PowerShell unless required for job functions and blocking known TA584 hosts.  Example Emerging Threats rules  2865239 – Win32/xworm V2 CnC Command - RD- Inbound   2865240 – Win32/xworm V3 CnC Command - sendPlugin   2865241 – Win32/xworm V3 CnC Command - Informations Outbound  2865163 – Win32/xworm v3 CnC Command - PCShutdown Inbound  2865200 – Win32/xworm v3 CnC Command - savePlugin Inbound  2033355 – ET INFO Windows Powershell User-Agent Usage  Example indicators of compromise   Indicator  Description  First Seen  94[.]159[.]113[.]37   TA584 Host | AS216234 Komskov Vadim Aleksandrovich  April 2025  85[.]236[.]25[.]119  Tsundere Bot C2  9 December 2025  80[.]64[.]19[.]148  XWorm C2  10 November 2025  85[.]208[.]84[.]208  XWorm C2  9 September 2025  178[.]16[.]52[.]242  XWorm C2  27 October 2025  94[.]159[.]113[.]64  XWorm C2  28 March 2025  hxxp://94[.]159[.]113[.]37/ssd[.}png  ClickFix Payload URL  September 2025  bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99  SHA256 Remote PowerShell Script Leading to XWorm  December 2025  441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30  SHA256 XWorm SharpHide Payload  December 2025 

Key findings  Proofpoint is tracking multiple threat clusters - both state-aligned and financially-motivated - that are using various phishing tools to trick users into giving access to M365 accounts via OAuth device code authorization.   Successful compromise leads to account takeover, data exfiltration, and more.   Threat actors are using the OAuth 2.0 device authorization grant flow to compromise Microsoft 365 user accounts by approving access for various applications.   Overview  Social engineering is a tactic used by threat actors to trick a user into taking an action, for example adding an application on their system, or divulging confidential information. Techniques like ClickFix highlight how threat actors use security-themed issues to trick users into taking an action, leveraging legitimate tools and services to gain unauthorized access. Device code phishing is another way threat actors are abusing enterprise resources for account takeovers.   Proofpoint Threat Research has observed multiple threat clusters using device code phishing to trick users into granting a threat actor access to their Microsoft 365 account. In general, an attacker will socially engineer someone into logging into an application with legitimate credentials. The service generates a token that is then obtained by the threat actor. This gives them control over the M365 account.   Proofpoint has previously observed targeted malicious and limited red team activity leveraging device code phishing. But by September 2025, we observed widespread campaigns using these attack flows, which was highly unusual.  In recently observed activity, campaigns begin with an initial message with a URL embedded behind a button, as hyperlinked text, or within a QR code. When a user visits the URL, it initiates an attack sequence leveraging the legitimate Microsoft device authorization process. Once initiated, the user is presented with a device code.  It is either presented directly on the landing page or received in a secondary email from the threat actor. The lures typically claim that the device code is an OTP and direct the user to input the code at Microsoft’s verification URL. Once the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.   In observed campaigns, some messages directly claim to be token re-authorization notifications, while others use different lures to trick the user into clicking a URL, which leads to an attack chain that ends with application authorization.    While this is not necessarily a novel technique, it is notable to see it used increasingly by multiple threat clusters including a tracked cybercriminal threat actor, TA2723. Proofpoint threat researchers have identified a malicious application for sale on hacking forums, which could be used for this type of campaign. Additionally, red team tools are available – such as Squarephish and SquarephishV2– that can be used for this type of attack. These tools help threat actors mitigate the short-lived nature of device codes, enabling larger campaigns than were previously possible.  The tools  SquarePhish2 Tool  SquarePhish is a phishing tool that enables threat actors to target the OAuth Device Grant Authorization flow in combination with QR codes to compromise Microsoft accounts. It was originally published in 2022 by Dell SecureWorks.  In 2024, an updated version – SquarePhish2 – was published on GitHub by an independent researcher. The attack chain is effective because it mimics the legitimate process that a user would follow to configure TOTP multifactor authentication. The attack begins with a phishing email containing a QR code that directs users to a website hosted on an attacker-controlled SquarePhish2 server. Upon scanning the QR code, the user is redirected to Microsoft’s legitimate authentication page, while the server initiates the OAuth Device Authorization Grant flow using a preconfigured client ID.   A second email is then sent to the user from a Microsoft tenant, containing the device code, prompting them to complete the authentication process. SquarePhish2 can also automatically redirect users to the verification page, without needing to prompt for a second email. Once the user enters the code and authenticates, the tool polls the Microsoft endpoint for access. While SquarePhish2 offers advanced capabilities, its user-friendly configuration and automation features mean that it does not require deep technical expertise to operate, making it accessible to a broader range of threat actors. The ultimate objective is unauthorized access to sensitive Microsoft account data, enabling further exploitation such as account takeover, lateral movement, data exfiltration, or persistence within targeted environments.  Graphish tool Threat actors have increasingly adopted tools like the Graphish phishing kit to target Microsoft accounts with efficiency. The tool was shared in criminal hacking forums, where members are vetted, and made available for free. This tool has a multitude of capabilities, including facilitating the creation of highly convincing phishing pages by leveraging Azure App Registrations and reverse proxy setups for adversary-in-the-middle (AiTM) attacks, hosted on attacker-controlled infrastructure. A typical AiTM attack begins with the user receiving a phishing message containing a link to a malicious webpage design to mimic a legitimate login page. The fake domain is connected to a reverse proxy server, which relays traffic between the user and the actual service. When the user enters their credentials, they are instantly intercepted by the attacker. If the user successfully completes an MFA challenge (like entering a one-time code), this enables a complete session hijacking.   The attack requires the actor to own a domain name and register an SSL certificate, to enhance the credibility of the phishing site. By registering an application in Azure and extracting the client ID, the attacker can initiate OAuth-based phishing attempts that prompt users to grant access to their Microsoft accounts. For targeting enterprise environments, the tool includes guidance on bypassing organizational restrictions by verifying the malicious app with Azure, which increases its success rate against accounts. Similar to Squarephish, the tool is designed to be user-friendly and does not require advanced technical expertise, lowering the barrier for entry and enabling even low-skilled threat actors to conduct sophisticated phishing campaigns. The ultimate objective is unauthorized access to sensitive personal or organizational data, which can be exploited for credential theft, account takeover, and further compromise.  Campaigns  “Salary Bonus + Employer Benefits Reports 25”  Proofpoint tracks multiple campaigns leveraging OAuth device code phishing. For example, on 8 December, researchers identified a campaign that used a shared document reminder alert to trick users into clicking a Google Share URL hyperlinked as text, to access a fictitious document called “Salary Bonus + Employer Benefit Reports 25”. Email messages were sent from attacker-controlled addresses and claimed to be the file.  Figure 1: Example of phishing message purporting to be “Salary Bonus + Employer Benefits Reports 25”. Once clicked, the URL embedded in the email leads the user to an attacker-controlled website with a domain that is localized according to browsing IP and shows the targeted company branding. The website prompts the user to input their email address. Once done, the user is presented with a pop-up to “complete secure authentication” that includes a code and directions to input that code on the legitimate Microsoft device authorization page - hxxps://microsoft.com/devicelogin. This pop-up is purporting to be for MFA-token secure authentication. However, inputting the provided code into the Microsoft-provided OAuth page provides the threat actor access to the user’s Microsoft 365 account. Figure 2: Redirection to adding authorized device.  TA2723   TA2723 is a financially-motivated, high-volume credential phishing threat actor that is notable for its campaigns spoofing Microsoft OneDrive, Linkedin and DocuSign. Beginning October 2025, Proofpoint Threat Research observed TA2723 conducting OAuth device code phishing.  In one campaign from 9 to 10 October, the email messages purported to be “[organization name] OCTOBER_SALARY_AMENDED RefID:6962_yslFRVQnQ”. The email message body appeared as if a document had been shared with the recipient and was customized to show the recipient’s name and the name of the shared file, consistent with the subject line. The message contained a virtoshare.com URL embedded as a “button” to Open the file.   Figure 3: Example TA2723 email message.  When clicked, the recipient is redirected to a device code authorization page where they are prompted to input their email address and click a button to generate the one-time passcode (OTP).   Figure 4: URL redirect from email message to OTP generation site When clicked, the URL behind this button - which then shows as “Access Document” - is updated to redirect the user to the legitimate device authorization page from Microsoft, where they will have authorized access to the attacker-controlled application.   Figure 5: OTP and updated 'Access Document' button URL redirect.  Proofpoint Threat Research suspects that SquarePhish2 could have been used in this TA2723 campaign from 6 to 8 October, and the Graphish kit could have been used in a second wave of this campaign from 9 to 10 October. The assessment is due to the timing and evolution of the campaigns, TTP changes, and that the Graphish kit had been recently published on the vetted forum in the prior weeks. A successful attack would enable the threat actor to have access to the user’s M365 account, which could lead to account takeover, data exfiltration, lateral movement, and other follow-on activity.   State-aligned threat actors using device code phishing  Since January 2025, Proofpoint Threat Research has tracked multiple state-aligned threat actors abusing OAuth device code authorization for account takeover, which aligns with a wider trend of state-aligned threat actors increasingly adopting password-less phishing techniques. This technique has been most widely used by Russia-aligned threat actors, as noted in prior public reporting by Volexity covering the initial adoption of this technique. We have also observed suspected China-aligned activity and other unattributed espionage campaigns using this attack vector.   State-aligned threat actors often conduct patient rapport building via benign outreach prior to a device code phishing attempt, with some campaigns showing evidence of multi-channel targeting via both email and other communication channels. One particularly notable threat actor we have observed conducting device code phishing since at least September 2025 is a suspected Russia-aligned group we are tracking as UNK_AcademicFlare.   UNK_AcademicFlare activity  Since September 2025, Proofpoint has observed UNK_AcademicFlare using compromised email addresses belonging to multiple government and military organizations to target entities within government, think tank, higher education, and transportation sectors in the U.S. and Europe. Typically, these compromised email addresses are used to conduct benign outreach and rapport building related to the targets’ area of expertise to ultimately arrange a fictitious meeting or interview. The threat actor then claims to share a document with questions or topics for the target to review. To do so, they provide a link to a Cloudflare Worker URL that spoofs a OneDrive account associated with the compromised sender’s organization, which leads to a device code phishing workflow.  Figure 6: UNK_AcademicFlare benign conversation starter.  Figure 7: UNK_AcademicFlare email linking to Cloudflare worker URL.  In the above example, UNK_AcademicFlare sent a benign conversation starter email to an individual working for a U.S. university using a compromised Zambian government email address. The threat actor later provided a link to a Cloudflare Worker domain spoofing a Zambian government OneDrive account: onedrive[.]gov-zm[.]workers[.]dev.  Figure 8: UNK_AcademicFlare Cloudflare worker device code landing page.  This link redirects to a landing page stating that the sender has shared a document and instructs the user to copy the provided code and click 'Next' to gain access. The presented code is a unique device code that is dynamically generated for the target and clicking 'Next' redirects the user to the Microsoft device code login URL  hxxps://login.microsoftonline[.]com/common/oauth2/deviceauth.  Proofpoint assesses that UNK_AcademicFlare is likely a Russia-aligned threat actor based on the targeting of Russia-focused specialists at multiple think tanks, as well as government and energy sector organizations in Ukraine. This assessment is further supported by the actor’s repeated use of Russia and Ukraine-themed lure content and reliance on device code phishing techniques.    Recommendations  Block device code flow where possible  The strongest mitigation is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. Conditional Access policies can first be deployed in a report only mode, or the ‘Policy impact’ viewed over historic sign in log records, to determine the impact for an environment.   If blocking device code flow completely is not feasible, Conditional Access can be used to create an allow-list approach based on accepted use cases. For example, only enabling device code authentication for approved users, operating systems, or IP ranges such as using ‘Named locations’.  Require compliant or joined devices  If organizations use device registration or Intune, Conditional access policies requiring that sign ins originate from a compliant or registered device will protect users from device code phishing. This should be deployed as a defense in depth strategy, as there will likely be exclusions from this requirement, when compared with a dedicated device code flow policy.   Enhance user awareness regarding device code phishing attacks   Traditional phishing awareness often emphasizes checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal hxxps://microsoft.com/devicelogin. User training should include guidance on not entering device codes received from untrusted sources.   Conclusion  From the use of malicious OAuth applications for persistent access to the abuse of legitimate Microsoft authentication flows with device codes, threat actors’ tactics to achieve account takeover are evolving with quick adoption across the threat landscape. These campaigns rely heavily on social engineering, most often using lures with embedded URLs or QR codes to trick users into thinking they are securing their accounts. Proofpoint tracks multiple threat clusters that are using this device code authentication technique and recommends that organizations strengthen OAuth controls and enhance user awareness and education about these evolving threats. Proofpoint assesses that the abuse of OAuth authentication flows will continue to grow with the adoption of FIDO compliant MFA controls.  Indicators of compromise  Campaign Indicators  Indicator  Type  Description  First Seen  hxxps://sharefile.progressivesharepoint.top/  URL  Phishing landing page  20-Oct-2025  hxxps://progressiveweba.z13.web.core.windows.net  URL  Redirector  20-Oct-2025    hxxps://agimplfundmgt.z13.web.core.windows.net  URL  Redirector  20-Oct-2025  hxxps://blackrockfundmgt.z13.web.core.windows.net  URL  Redirector  20-Oct-2025  robert.pena@FirstTrustAdvisorsLP.onmicrosoft.com  Email address  Sender email address  20-Oct-2025  hxxps://onlinedocuments-[OrganizationName].vxhwuulcnfzlfmh.live/application/a[PII_Linkable_hex]9  URL  Device code generation landing page  14-Oct-2025  hxxps://onlinedocuments-[OrganisationName].vxhwuulcnfzlfmh.live/token/request?id=a[PII_Linkable_hex]9  URL  OTP generation   14-Oct-2025  xgjtvyptrjlsosv.live  Domain  OTP generation  9-Oct-2025  196.251.80.184  IP  OTP generation  9-Oct-2025  vaultally.com  Domain  Sender email domain  14-Oct-2025  docifytoday.com  Domain  Sender email domain  14-Oct-2025  filetix.com  Domain  Sender email domain  14-Oct-2025  nebulafiles.com  Domain  Sender email domain  14-Oct-2025  novodocument.com  Domain  Sender email domain  14-Oct-2025  spacesdocs.com  Domain   Sender email domain  14-Oct-2025  hxxps://www.vaultaliy.com/a[PII_Linkable_hex]9  URL  Link in email message  14-Oct-2025  hxxps://www.virtoshare.com/99[PII_Linkable]e9  URL  Link in email message  9-Oct-2025  hxxps://onlinedocuments-[OrganisationName].xgjtvyptrjlsosv.live/application/99[PII_Linkable]e9  URL  Device code generation landing page  9-Oct-2025  hxxps://onlinedocuments-[OrganisationName].xgjtvyptrjlsosv.live/token/request?id=99[PII_Linkable]e9  URL  OTP generation  9-Oct-2025  no-reply.doc333@ksmus.virtoshare.com  Email address  Sender email address  9-Oct-2025  acxioswan.com  Domain  Sender email domain  9-Oct-2025  acxishare.com  Domain  Sender email domain  9-Oct-2025  collabodex.com  Domain  Sender email domain  9-Oct-2025  infoldium.com  Domain  Sender email domain  9-Oct-2025  hxxps://www.renewauth.com/3a[PII_Linkable]59  URL  Link in email message  6-Oct-2025  hxxps://www.myfilepass.com/69[PII_Linkable]ed  URL  Link in email message  6-Oct-2025  hxxps://login.microsoftonline.com/common/oauth2/deviceauth[Abused]  URL  Device code prompt  6-Oct-2025  renewauth.com  Domain  Sender email domain  6-Oct-2025  myfilepass.com  Domain  Sender email domain  6-Oct-2025  confidentfiles.com  Domain  Sender email domain  6-Oct-2025  magnavite.com  Domain  Sender email domain  6-Oct-2025  97d7e46b-1bff-4f24-b262-8b0b3914d88a.us5.azurecomm.net  URL  Device code message sender  6-Oct-2025  bluecubecapital.com  Domain  Sender email address domain  29-Sept-2025  allspringglobalinvestmentsllc.onmicrosoft.com  Domain    Sender email address domain  29-Sept-2025  aresmanagementllc.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  citadeladvisorsllc.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  cpuhp.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  millenniummanagementllc.onmicrosoft.com  Domain  Sender email address domain  29-Sept-2025  hxxps://clientlogin.blitzcapital.net/  URL  Device code prompt  29-Sept-2025  hxxps://onedrive[.]gov-zm[.]workers[.]dev  URL  Redirector  5-Nov- 2025  hxxps://portal.msprogresssharefile.cloud/  URL  Landing Page  2-Dec-2025  hxxps://sharingfilesystems.z13.web.core.windows.net  URL  Redirector  2-Dec-2025  hxxps://myapplicationinterfaces.s3.eu-north-1.amazonaws.com/index.html  URL  Redirector  2-Dec-2025  hxxps://corphostedfileservices.s3.eu-north-1.amazonaws.com/auth.html  URL  Redirector  2-Dec-2025    References https://aadinternals.com/post/phishing/#new-phishing-technique-device-code-authentication   https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/   https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks   https://github.com/nromsdahl/squarephish2   https://www.praetorian.com/blog/introducing-github-device-code-phishing/   https://www.calypt.com/blog/index.php/a-phishing-technique-for-compromising-office-365-azure-ad-accounts/  https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html  https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-device-code  

What happened  VenomRAT is a commodity remote access trojan (RAT) used by multiple cybercriminal threat actors. Around since 2020 but first observed in Proofpoint data in 2022, VenomRAT was used most frequently by the hotel and hospitality targeting threat actor TA558. The malware is based on the open-source malware Quasar RAT. VenomRAT is essentially a clone of Quasar RAT with some extra components bolted on from other sources.  VenomRAT can be used for information gathering, exfiltration, lateral movement, and to download follow-on payloads. Some VenomRAT variants contain ransomware functionality.   On 13 November 2025, U.S. and international law enforcement announced the disruption of VenomRAT infrastructure and the arrest of the malware’s creator as part of ongoing Operation Endgame efforts. Both the malware advertising and distribution domain (remotesystem[.]in) and the licensing domain (venomlicense[.]com) were taken down as part of the operation. The main VenomRAT suspect was arrested in Greece. Figure 1. Screenshot of seized distribution domain.   Campaign details  Proofpoint frequently observes VenomRAT in email campaign data, with its prominence increasing among both unattributed threat actors and tracked TAs from mid-2024 through summer 2025.   Figure 2. VenomRAT campaigns observed over time.   The most prominent actor distributing VenomRAT is TA558. Tracked by Proofpoint since 2018, TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America. While the actor favors VenomRAT, TA558 also distributes other commodity malware including njRAT, Remcos RAT, and recently XWorm and PDQ Connect.   TA558 activity accounts for 58% of the amount of VenomRAT observed in Proofpoint email campaign data since 2022.     Figure 3. Distribution of VenomRAT by threat actor.   TA558 VenomRAT campaigns typically include 1,000 messages or less with lures in Portuguese, Spanish, and occasionally English. In recent campaigns, messages contained URLs leading to a JavaScript file. If executed, the file spawned PowerShell to download and run VenomRAT.  Figure 4. TA558 lure impersonating a complaints website, August 2025.   The number of unattributed threat clusters using VenomRAT increased in 2024, but another prominent threat actor occasionally included the malware in its arsenal: TA2541.  This actor impersonates aviation firms to distribute malware to firms globally, most frequently in North America and Europe. Campaigns typically include less than 1,000 messages and follow a similar attack chain to TA558, with URLs leading to JavaScript files that, if executed, download and run malware.  Figure 5. TA2541 lure impersonating an aviation charter company, April 2025.  Impact  The disruption to VenomRAT will cause threat actors using the malware to pivot to new payloads. Proofpoint has not observed VenomRAT in campaign data since September 2025, and TA558 has already begun favoring other malware including Remcos RAT and XWorm, with lower volumes of activity since October.   With every law enforcement action, especially those associated with Operation Endgame, Proofpoint observes notable behavior shifts among actors that use email as a first stage malware delivery method. Disruptions often have psychological impacts alongside financial and technological ones. In this case, in addition to pivoting to other payloads, it is possible the threat actors who used VenomRAT may become more wary and mistrustful of malware providers or even concerned about their own activities being monitored by law enforcement. An arrest will also prevent the malware author from developing and selling new tools in the future.   Operation Endgame is a widespread effort conducted by global law enforcement and private sector partners, including Proofpoint, to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. In May 2024, the first Operation Endgame disruption effort targeted multiple malware families including IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, and more, and Europol called it the “largest ever operation against botnets, which play a major role in the deployment of ransomware.” The second major Operation Endgame action occurred in May 2025 and targeted additional malware families and their creators, including DanaBot, WarmCookie, Trickbot, and Hijack Loader. The major malware-as-a-service Lumma Stealer has also been targeted by law enforcement.   Operation Endgame disruptions have significantly affected the overall email threat landscape, specifically disrupting activity attributed to known initial access broker payloads (IABs) and supporting malware families delivered via email-based campaigns. For example, in February 2023, 17% of email malware campaigns in Proofpoint data were associated with malware targeted by Operation Endgame, while that number had dropped to 1% by September 2025.  Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with Operation Endgame, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. Proofpoint was proud to assist in the law enforcement investigations into VenomRAT activity. 

Key takeaways  Rhadamanthys is a prominent malware observed since 2022, used by multiple cybercriminal threat actors.  The malware has been observed delivered via email, web injects, and malvertising campaigns.   It is a modular information stealer with multiple pricing plans, and the creators sell it alongside Elysium Proxy Bot and a Crypt Service.   International law enforcement disrupted Rhadamanthys and affiliates’ infrastructure as part of ongoing Operation Endgame efforts.  Overview  Rhadamanthys malware has evolved significantly over time, reflecting ongoing advancements in cybercriminal techniques. First observed in 2022, Rhadamanthys emerged as a sophisticated information stealer, primarily targeting sensitive user data such as login credentials, financial information, and system details. It quickly gained popularity on underground forums, where its capabilities and ease of customization attracted various cybercriminals.  Throughout its development, Rhadamanthys updates include new features, improving its evasion tactics and adaptability. Updates often allow it to avoid detection by security and detection controls more effectively, often through techniques involving obfuscation and anti-analysis. The malware authors introduced multi-stage payloads, which enabled the malware to bypass security layers by spreading across stages in discrete steps. Additionally, it became more modular, allowing threat actors to tailor capabilities to specific attacks or targets.  The operators sell access to Rhadamanthys for between $300 to $500 a month, with options for a higher price point for customized uses. Notably, some cybercriminal forums banned the sale of Rhadamanthys because it allowed the targeting of Russian and Commonwealth of Independent States countries.   Proofpoint observes Rhadamanthys delivered via email campaigns conducted by multiple threat actors. Techniques for payload delivery include leveraging the ClickFix social engineering technique, pairing URLs and aggressive filtering with instructions that advise people to copy, paste, and run PowerShell scripts to infect themselves with malware. Threat actors including TA585, TA2541, TA547, TA571, TA866, and numerous unattributed threat clusters have used Rhadamanthys in campaigns.   Proofpoint observed more Rhadamanthys campaigns so far in 2025 than previous years, in part due to more threat actors leveraging compromised websites to deliver malware, including Rhadamanthys. (Analyst note: it is possible there was additional low-volume activity observed in email threat data that was not campaigned by threat researchers.)  Figure 1. Timeline of Rhadamanthys campaigns.  Operation Endgame  On 13 November 2025, law enforcement disrupted Rhadamanthys’s infrastructure – specifically taking down multiple servers associated with the management and operation of the malware – as well as infrastructure associated with affiliates using the malware. This disruption was part of Operation Endgame, a collaboration between global law enforcement and private sector partners. Additional services like Elysium Proxy Bot were also affected. Notably, law enforcement also posted a video on the operation’s main website that suggested that the threat actor behind Rhadamanthys was not only facilitating information stealer operations but also stealing sensitive data from Rhadamanthys affiliates. In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them.  Operation Endgame is a widespread effort conducted by global law enforcement and private sector partners, including Proofpoint, to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. In May 2024, the first Operation Endgame disruption effort targeted multiple malware families including IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, and more, and Europol called it the “largest ever operation against botnets, which play a major role in the deployment of ransomware.” The second major Operation Endgame action occurred in May 2025 and targeted additional malware families and their creators, including DanaBot, WarmCookie, Trickbot, and Hijack Loader. The major malware-as-a-service Lumma Stealer has also been targeted by law enforcement.   Operation Endgame disruptions have significantly affected the overall email threat landscape, specifically disrupting activity attributed to known initial access broker (IAB) payloads and supporting malware families delivered via email-based campaigns. For example, in March 2023, 17% of email-based malware campaigns in Proofpoint data were associated with malware targeted by Operation Endgame, while that number had dropped to 1% by September 2025.  History  When Rhadamanthys first emerged in 2022, it was a commercially marketed information-stealer sold via underground forums by the alias “kingcrete2022”. It swiftly evolved from a simple malware to a modular Malware-as-a-Service (MaaS) offering as developers added plugins and staged loader architecture to make analysis and detection harder. Early development ascended into a cadence of rapid releases.   By 2024, the malware was shipped with a notable update that added AI-driven OCR capabilities to automatically identify and extract cryptocurrency seed phrases from images. This version included new evasion and encryption upgrades. The operator also offered new conveniences for customers that reflected popular trends in the threat landscape, one of which was MSI installer execution to assist in bypassing security detections.  In late 2024 through 2025, researchers noted an increase in Rhadamanthys campaigns which leveraged the malware’s modularity to tailor to threat actors with different objectives and levels of sophistication. In 2025, the developers pushed a new 0.9.X series that hardened network and packing obfuscation, expanded device and browser fingerprinting, reintroduced PNG steganography for hiding payloads, and adopted marketing changes. These changes included tiered pricing updates, enhanced features, and rebranding. The rebranding was reflected in a modernized site emphasizing a more professional MaaS business model, rapid feature growth, more useful distribution and monetization techniques, and an ecosystem that makes Rhadamanthys a favored malware of choice.  The takedown and disruption of many prominent loaders and top tier malware by Operation Endgame primed the market for Rhadamanthys to rise. Evidence suggests the malware is maintained and improved by capable developers. New releases have correlated to current and coveted resources and landscape trends, delivered in a way that makes it easy to utilize for customers.   Figure 2. Priority malware in campaign data and the impact of Operation Endgame.  Affiliations  As a MaaS, different affiliates may license the malware, attach custom plugins, and run campaigns independently. It is advertised on multiple forums, meaning it is not exclusive to a group of trusted affiliates but is instead available to a larger market. It is notable the creators developed the malware to be used by threat actors with varying expertise. As a result, Rhadamanthys has been observed in campaigns as simple as compressed executables attached to emails, and more sophisticated campaigns using distribution techniques like Google Ads, ClickFix, compromised websites, and priority threat actors’ more targeted campaigns.  Threat actors  Proofpoint first began tracking Rhadamanthys in December 2022 when it was distributed in a campaign attributed to priority cybercriminal threat actor TA571 with post exploitation activities attributed to TA866. TA571 has used both exclusive and more freely available malware, but TA866 has historically been observed using more exclusive and distinct malware. The actors’ use of Rhadamanthys immediately designated it as a priority malware to tracked.   Proofpoint subsequently observed TA2541, a capable actor classified on a lower tier who favors off-the-shelf RATs, use Rhadamanthys in February 2022. TA547, a priority threat actor who has used sophisticated banking malware and loaders, leveraged Rhadamanthys throughout 2024. TA585, a newly designated actor suspected of operating their entire attack chain through malware delivery, utilized Rhadamanthys frequently in 2025. In addition to the designated threat actors tracked by Proofpoint, the malware has been used in a large number of unattributed activity clusters in Proofpoint data, including the threat actor tracked by third-parties as “Aggah”, and by other threat actors tracked externally in distributing malware via other mediums like malvertising or SEO poisoning.   Actors across the crimeware spectrum from low-level actors to sophisticated operators using Rhadamanthys consistently over time demonstrates the apparent success of the malware as a product, the malware’s evolution and evasion efforts, and the successful MaaS strategy employed by its operators.  Malware  Threat actors may distribute Rhadamanthys as the sole malware payload, a companion malware delivered with others, or as a follow-on payload. In Proofpoint data, Rhadamanthys is frequently used in campaigns distributed by loaders. For example, we’ve seen the following drop Rhadamanthys as a follow-on payload:  SystemBC  DarkGate  GuLoader  SmartLoader  Resident Backdoor  DoubleLoader  DOILoader / Hijack Loader  Latrodectus  CastleLoader  Amadey  Proofpoint researchers have also observed Rhadamanthys delivered in campaigns as a companion to other malware, including: Remcos  zgRAT  Screenshotter / AHK Bot   BitRAT  XWorm  Lumma  XLoader  In these campaigns, Rhadamanthys is either delivered at the same time as other payloads, or is distributed to a limited target set within a broader campaign that drops multiple payloads to different recipients.   Recent attack chains  Rhadamanthys is currently distributed by multiple threat actors using many different attack chains to deliver malware. The following are a small sample of some of the most interesting campaigns Proofpoint researchers observed in recent months.   Compromised websites  Multiple threat clusters use compromised websites to distribute Rhadamanthys. In email data, we observe these messages because they contain links to compromised websites. Although neither the sender nor the site owner may intend harm, the websites have been compromised with a malicious injection.   In a campaign observed in October 2025, the injection prompted the website to load a malicious script which was hosted on actor-operated infrastructure, which, in turn loaded a counterfeit Cloudflare turnstile. Upon validation the browser switched to full screen and display a fake security update lure.  Figure 3. Cloudflare verification.  Figure 4. Fake update ClickFix instructions.  This attack chain used a technique called "Clickfix" which instructs the user to copy and paste a malicious command in the run box. In this way, the attacker is essentially tricking the user to infect themselves with malware. Many web inject campaigns use this technique. In this case, if the command was run, it would lead to the installation of Rhadamanthys.  URLs  Rhadamanthys payload delivery via URLs in emails is also common. For example, Proofpoint identified a campaign in October impersonating a logistics company. Messages contained URLs leading to a website instructing the recipient to sign a form and click “submit”. Then, the user would be redirected to a ClickFix landing page.   Figure 5. Impersonated company landing page with a fake confirmation.  Figure 6. ClickFix instructions.  If the target completed the ClickFix steps as instructed, a command was initiated to download a tar archive and run CastleLoader. CastleLoader was observed loading DOILoader and Rhadamanthys. DOILoader was observed loading zgRAT.   This campaign aligns with an increase in threat actors targeting the surface transportation industry to deliver malware or remote monitoring and management (RMM) tools.   PDFs  Another interesting campaign in August and September impersonated YouTube and targeted organizations in the entertainment and media industries. The messages contained a PDF with a link to a fake "Youtube DMCA" themed website built with Lovable App and used the ClickFix technique.   Figure 7. Fake YouTube “copyright appeal” website created by threat actors.  The app instructed recipients to enter their YouTube URL, retrieved real-time metadata for any submitted YouTube channel, and claimed that an appeal is needed. If the instructions were followed and the user copied and pasted the PowerShell script as directed, it executed an HTA script. The HTA enabled VBA macros via registry changes and built an Excel workbook via COM in-memory, opening it silently without user interaction. The workbook contained an AutoOpen macro, which the HTA constructed from split Base64 strings. This macro downloaded a .bin file containing shellcode and executed it via classic shellcode injection using VirtualAlloc + RtlMoveMemory + CreateThread into the Excel process to run Rhadamanthys in memory. While the macro included logic for both 32- and 64-bit Office, it only downloaded and ran 64-bit shellcode, so it crashed on 32-bit Excel.  The payload chain from HTA to shellcode execution was likely built with the commercial toolkit MacroPack Pro which is sold to red teams and "ethical hackers".  Impact  In general, disruptions to cybercrime threat actors and their malware have ripple effects across the ecosystem. Threat actors who rely on Rhadamanthys will have to find a new malware for distribution and spend time and money retooling their attack chains. It is possible that threat actors may pivot to newer malware such as Amatera Stealer, Monster V2, or CastleRAT. But while there may be other options tooling-wise, disruptions also sow distrust among the criminal ecosystem, and in some cases, lead to more restrictive policies and tighter controls about who can buy malware from certain brokers.   Proofpoint will continue to monitor where Rhadamanthys threat actors go next and continue defending against cybercriminal threats.   Conclusion  As law enforcement disruptions continue to alter threat actors’ behavior, it’s important to be aware of emerging trends and behaviors from prominent cybercriminal threat actors, such as the use of remote monitoring and management software (RMMs), increase in use of information stealers, and new social engineering techniques that target people not technology. By understanding the landscape, organizations can implement defenses against emerging trends and anticipate what decisions threat actors will make to stay ahead of them.  Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with Operation Endgame, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. Proofpoint was proud to assist in the law enforcement investigations into Rhadamanthys activity.  Through its unique vantage point, Proofpoint is able to identify the largest and most consequential malware distribution campaigns, providing the authorities with much-needed insight into the biggest threats to society, affecting the greatest number of people around the world.  Proofpoint Threat Research would like to thank Pim Trouerbach for his collaboration on investigations into Rhadamanthys and related malware.  Emerging Threats signatures  2864521  Rhadamanthys CnC Domain in DNS Lookup  2864523  Observed Rhadamanthys CnC Domain in TLS SNI  2864294  Observed Malicious SSL Cert (Rhadamanthys)  2862244  Observed Malicious SSL Cert (Rhadamanthys)  2862245  Observed Malicious SSL Cert (Rhadamanthys)  2054665  Win32/Rhadamanthys CnC Activity (GET)  2854802  Suspected Rhadamanthys Related SSL Cert  2043202  Rhadamanthys Stealer - Payload Download Request  2853001  Rhadamanthys Stealer - Payload Response  2853002  Rhadamanthys Stealer - Data Exfil    Example indicators of compromise  Indicator  Description  First Seen  13f0bf908679bea560806fd3c14ef581b3cadbab2ff07a6adf04d97995924707  shielders.msi   SHA256  25 August 2025  b0c9d619256fdf220fbb39945fac5a040b5e836f1eae0459b4fcbf2b451420a7  DpiChrysler.exe  SHA256  25 August 2025  hxxps://84[.]200[.]80[.]8/gateway/53c06hop.fp0g1  Rhadamanthys C2  25 August 2025  security[.]flacergurad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flaegrudad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flaezguerad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flaezguered[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flavregurads[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flheregurend[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flqaergwaard[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]flsaregursd[.]com  Actor-Controlled Intermediate Domain  25 August 2025  security[.]gueradflwre[.]com  Actor-Controlled Intermediate Domain  25 August 2025  theguardshield[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flheregurend[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flsaregursd[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flaezguerad[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flaezguered[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flcreagurade[.]com  Actor-Controlled Intermediate Domain  25 August 2025  theguardshield[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flnaresgurard[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flaxergaurds[.]com  Actor-Controlled Intermediate Domain  25 August 2025  cloudwardena[.]com  Actor-Controlled Intermediate Domain  25 August 2025  flenieregurd[.]com  Actor-Controlled Intermediate Domain  25 August 2025  Budparbanjarnegara[.]com  ClickFix Payload Domain  25 August 2025  hxxps://google[.]strike-submit[.]com/DMCA_Notice.hta  Payload URL  30 August 2025  hxxps://google[.]strike-submit[.]com/DMCA_Notice[.]hta  ClickFix Payload URL  30 August 2025  hxxps://google[.]strike-submit[.]com/agreeses[.]bin  ClickFix Payload URL  30 August 2025  bc2508708feb0ccc652494f8e28620bd871a8b6e1d26c7cdd61ab070f2594bbc  ClickFix Payload SHA256  30 August 2025  ccdd8a6dc97eeba07e586f059eae7944dd767519f2c3b2233ff90d3dc4e8e3f0  ClickFix Payload SHA256  30 August 2025  hxxps://85[.]192[.]61[.]140/gateway/h2u7sp2d[.]ab87a  Rhadamanthys C2  30 August 2025  hxxps://policy[.]video  Optional Initial Redirecror in PDFs  30 August 2025  hxxps://support-review[.]org/  Optional Initial Redirecror in PDFs  30 August 2025  hxxps://appeal[.]strike-submit[.]com    ClickFix Landing Example  30 August 2025  support-review[.]org  Actor-Controlled Domain  30 August 2025  trust-review[.]org  Actor-Controlled Domain  30 August 2025  compliance-review[.]org  Actor-Controlled Domain  30 August 2025  channel-review[.]org  Actor-Controlled Domain  30 August 2025  application-review[.]org  Actor-Controlled Domain  30 August 2025  strike-submit[.]com  Actor-Controlled Domain  30 August 2025  submit-appeal[.]com  Actor-Controlled Domain  30 August 2025  policy[.]video  Actor-Controlled Domain  30 August 2025  tdsworkout[.]com  Example Web Inject  20 October 2025  103[.]136[.]68[.]61  Example Web Inject  20 October 2025  cashorix[.]xyz  Web Inject Domain  20 October 2025  xpoalswwkjddsljsy[.]com  Filtered Landing Page  20 October 2025  galaxyswapper[.]pro  Filtered Landing Page  20 October 2025  193[.]24[.]211[.]233  Filtered Landing Page  20 October 2025  hxxp://141[.]0x62[.]80[.]175/kick[.]dat  ClickFix Payload (HTA)  20 October 2025  141[.]98[.]80[.]175  ClickFix Payload (HTA)  20 October 2025  ff14b28408121ebe4a5d0c2f14b9dc99e987e89b56392dc214481197d4815456  ClickFix Payload (HTA) SHA256  20 October 2025  http://xoiiasdpsdoasdpojas[.]com/  ClickFix Payload (PS1)  20 October 2025  xoiiasdpsdoasdpojas[.]com  ClickFix HTA Payload (PS1)  20 October 2025  141[.]98[.]80[.]175  ClickFix HTA Payload (PS1)  20 October 2025  c9026ffc02f11204ac1eb1183376a5cee74f7897d948bdcd59c06f31de2671fa  ClickFix HTA Payload (PS1)  SHA256  20 October 2025  193[.]221[.]200[.]93  Rhadamanthys C2  20 October 2025 

Proofpoint would like to thank Josh Miller for his initial research on UNK_SmudgedSerpent and contribution to this report.  Key findings  Between June and August 2025, Proofpoint began tracking a previously unidentified threat actor dubbed UNK_SmudgedSerpent targeting academics and foreign policy experts.  UNK_SmudgedSerpent leveraged domestic political lures, including societal change in Iran and investigation into the militarization of the IRGC.  UNK_SmudgedSerpent used benign conversation starters, health-themed infrastructure, OnlyOffice file hosting spoofs, and Remote Management & Monitoring (RMM) tools.  Throughout the investigation, UNK_SmudgedSerpent demonstrated tactics resembling several Iranian actors: TA455 (C5 Agent, Smoke Sandstorm), TA453 (Charming Kitten, Mint Sandstorm), and TA450 (MuddyWater, Mango Sandstorm).  Overlapping TTPs prevent high confidence attribution, but several hypotheses could explain the nature of the relationship between UNK_SmudgedSerpent and other Iranian groups.  Overview   In June, Proofpoint Threat Research began investigating a benign email discussing economic uncertainty and domestic political unrest in Iran. While coinciding with the escalations in the Iran-Israel conflict, there was no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response.  Initial analysis of the activity found tactics, techniques, and procedures (TTP) overlaps with multiple Iranian aligned groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Mint Sandstorm, Charming Kitten), and TA450 (MuddyWater, Mango Sandstorm). Given a lack of high confidence links to any one established threat group, we designated the activity as a temporary cluster called UNK_SmudgedSerpent.    Figure 1. UNK_SmudgedSerpent infection chain with known actor overlaps.  The infection chain began with a benign conversation, followed by an email exchange and a credential harvesting attempt. After this initial credential harvesting attempt, UNK_SmudgedSerpent continued to conduct phishing activity within the same email thread with a specific target and subsequently delivered a URL that hosted an archive file with an MSI that loaded RMM payloads.  Iranian connections  Initial TA453 leads  UNK_SmudgedSerpent’s first identified campaign within Proofpoint data spoofed a member of the Brookings Institute reaching out to over 20 members of a United States-based think tank in mid-June 2025. Targeting specific subject matter experts in Iran-related policy areas is often a characteristic of TA453 activity, particularly using a benign conversation starter. However, approaching a significant number of individuals at a single organization diverges from Proofpoint Threat Research’s observations of typical TA453 techniques.  In another deviation from typical TA453 activity, members of the targeted organization focused across almost all areas of expertise including national defense, advanced technology, economic security, and global health, along with region-specific experts. TA453 primarily focuses on Middle Eastern policy topics, such as Iranian nuclear negotiations or Iran’s foreign relations. Regardless of each recipient’s expertise, UNK_SmudgedSerpent leveraged the same collaboration lure about impending Iranian societal reform.  The attackers’ approach impersonated Suzanne Maloney – the vice president and director of the Foreign Policy program at the Brookings Institution and an expert on Iran – using a Gmail address and misspelled version of her name, “Suzzane Maloney.”  Figure 2. UNK_SmudgedSerpent initial approach.  Following a response, the Suzzane Maloney persona was more cautious than Proofpoint has observed in past interactions with TA453. The attacker insisted on verifying the identity of the target and authenticity of the email address before proceeding with any collaboration attempts.  Figure 3. UNK_SmudgedSerpent follow-up email.  As the engagement continued, the persona sent an appointed time for a meeting, using Israel time as a point of reference though the target was based in the US. At the delivery stage, the actor began to deviate from TA453’s typical TTPs and sent a link appearing to be an OnlyOffice URL belonging to "Suzzane Maloney” (again spelled incorrectly) with documents relevant to the upcoming meeting.  Figure 4. UNK_SmudgedSerpent URL delivery.  Transition to TA455  The URL was only masquerading as an OnlyOffice link in the email but instead hyperlinked to a health-themed attacker domain thebesthomehealth[.]com, which redirected to a second health-themed attacker domain mosaichealthsolutions[.]com that displayed a Microsoft 365 login page. The URL hosted a customized credential harvesting page with the user’s information pre-loaded.     Figure 5. Customized Microsoft credential harvesting page.  Delivery variation  Another version of this infection chain can be found on VirusTotal, where both domains were similarly used in a Microsoft-related redirection chain. hxxps://thebesthomehealth[.]com/[redacted15characterstring] masqueraded as a Microsoft Teams login before redirecting to the  mosaichealthsolutions[.]com domain.   Figure 6. Microsoft Teams meeting spoof (VirusTotal).  However, the next stages following clicking the “Join Now” button are unclear at the time of writing.  TA455 continued  In Proofpoint’s investigation, after the target communicated suspicions about the credential harvesting page, UNK_SmudgedSerpent removed the password requirement on the initial thebesthomehealth[.]com URL. The link then proceeded to a spoofed OnlyOffice login page.  Figure 7. UNK_SmudgedSerpent OnlyOffice login spoof.  Clicking on “Continue” or login loads another page also hosted on thebesthomehealth[.]com, which continues to resemble OnlyOffice and hosted two PDFs, an Excel document, and a ZIP archive.  Figure 8. Files hosted on thebesthomehealth[.]com.  UNK_SmudgedSerpent’s reference to OnlyOffice URLs and health-themed domains is reminiscent of TA455 activity. TA455 began registering health-related domains at least since October 2024 following a consistent stream of domains with aerospace interest, with OnlyOffice becoming popular to host files more recently in June 2025, as shown by the timeline below.  Figure 9. TA455 Domain Registration / First Seen Timeline (May 2024 – July 2025).  UNK_SmudgedSerpent domains began appearing in April 2025, several weeks before the first campaign was observed in June.  Completing the chain with TA450  Upon execution, UNK_SmudgedSerpent’s ZIP archive loaded an MSI file, which launched the PDQConnect Remote Monitoring & Management (RMM) software. The rest of the documents appeared to be decoys.  During our research, Threat Research observed UNK_SmudgedSerpent engaging in suspected hands-on-keyboard activity where the attackers leveraged PDQConnect to install additional RMM software, ISL Online.  Figure 10. ISL Online RMM pop-up.  The reason for the attackers' sequential deployment of two distinct RMM tools remains unclear. It is possible UNK_SmudgedSerpent may have deployed RMM software as a throwaway option after the credential harvesting attempt didn’t succeed, and the threat actor became suspicious of Proofpoint’s investigation. However, neither hypothesis can be confirmed at the time of writing.  While the use of RMMs is a generic technique abusing common legitimate tools, it is rare to see them associated with state-sponsored actors and have been documented in use by only one Iranian actor, in TA450 campaigns over the last several years.  Follow-on activity  Before the email exchange discussed ended on 26 June, Proofpoint identified an additional Gmail account on 23 June spoofing Dr. Maloney (with her name spelled correctly) – suzannemaloney68@gmail[.]com – targeting a US-based academic that appeared to be Israeli. In this lure, UNK_SmudgedSerpent asked for assistance investigating the IRGC.  Figure 11. Second UNK_SmudgedSerpent phishing email.  A different persona, one spoofing Patrick Clawson – a Director at the Washington Institute – used the exact same content one week later to target the same academic using patrickclawson51@gmail[.]com.  In early August 2025, UNK_SmudgedSerpent surfaced again, this time soliciting information and collaboration on Iran’s efforts in Latin America. The phishing email originated from another spoof of Patrick Clawson, this time using an Outlook email address: patrick.clawson51@outlook[.]com. However, the email in the signature did not match and included both potentially legitimate emails and patrickclawson51@gmail[.]com, which was the previously used spoofed email.  Figure 12. UNK_SmudgedSerpent Patrick Clawson Spoof #2.  The timeline below shows the campaigns and cadence of UNK_SmudgedSerpent activity, which appears to be topical and sporadic. After the initial approach that targeted over 20 individuals, Proofpoint data showed the actor focused only on solitary targets in further campaigns.  Figure 13. UNK_SmudgedSerpent phishing activity timeline.  Since early August, no further activity has been observed from this actor.  Infrastructure  Investigating suspected UNK_SmudgedSerpent infrastructure, such as healthcrescent[.]com, surfaced additional activity that further complicates UNK_SmudgedSerpent’s relationship and overlaps with TA455.  healthcrescent[.]com shares server configuration similarities with a set of domains, including  ebixcareers[.]com, that displays a fake Teams portal. The career-themed domain and Teams spoof are both reminiscent of previous TA455 activity.  Figure 14. Fake Teams portal landing page.  Related URLs resembled previously seen activity from TA453, using “meeting” themes.  hxxps://interview.ebixcareers[.]com/teams/join-online-room-homv-patm-elro/ fetched a payload from the following OnlyOffice URL:  hxxps://docspace-mpv1y2.onlyoffice[.]com/rooms/share?key=ZXVSTEhNKzM3NHBIeHg3R3M4cnBRcDFDUnk0b[…]0_Ijg4YzkzZTRhLWNmYzktNGJkMy1iYzYyLWY2NWY0OTczNTBlZCI   Figure 15. Files Hosted on OnlyOffice URL.  Files hosted on this page in mid-September included benign recruitment-related PDFs for Boeing, a traditional aspect of TA455’s operations involving both aerospace and career-themed interests.  Figure 16. Benign PDFs.  Hiring Portal.zip contained two DLLs and an executable; the legitimate EXE sideloads userenv.dlland through another legitimate EXE, sideloads xmllite.exe. userenv.dll is a TA455 custom backdoor termed MiniJunk in public reporting, a version of previously reported malware called MiniBike. While the infrastructure likely aligns with UNK_SmudgedSerpent, it remains unclear why it is simultaneously hosting TA455 custom malware.  The final file hosted on the OnlyOffice URL was Interview time.msi, a loader responsible for installing the RMM tool PDQConnect, seen deployed in both UNK_SmudgedSerpent and TA450 activity, though not previously seen associated with TA455.  The exploration of infrastructure and operations connected to UNK_SmudgedSerpent activity further blurs the lines of attribution and the nature of the relationship to TA455.  Attribution  Proofpoint Threat Research is currently tracking this activity separately as a new threat actor – UNK_SmudgedSerpent – and clustered distinctly from TA453, TA455, and TA450. While there are several overlaps with established threat actors in various stages of the infection chain, which are shown below, they remain tenuous in some cases without high confidence links.  TTP  UNK_SmudgedSerpent  TA453  TA455  TA450  Sender emails  Freemail (Outlook, Gmail)  Freemail (Outlook, Gmail, ProtonMail, Yahoo)  Attacker-owned domains  Compromised corporate accounts  Initial approach  Benign conversation  Benign conversation  Malicious recruitment applications  Malicious event invitations  Targeting  Policy experts, thinktanks  Policy experts, thinktanks  Aerospace and defense, transportation/logistics, technology  Government, telecommunications, transportation  Delivery  OnlyOffice spoof, Teams spoof  Teams spoof, Scalingo, OneDrive  OnlyOffice  Mega.nz, FliQR  Objective  Credential theft, malware delivery  Credential theft, malware delivery  Malware delivery  Malware delivery  Domain themes  Health and recruitment, organization spoofs  Organization, meeting, Google, Microsoft, and technology spoofs  Health, aerospace, and recruitment  Technology, other  Infrastructure  Cloudflare, Namecheap  Hetzner, OVH, RouterHosting, Namecheap  Cloudflare, Namecheap  NordVPN, Cloudflare Namecheap  Malware  RMM (PDQConnect)  PowerShell backdoors (occasional)  Custom backdoors (MiniJunk, MINIBIKE, MINIBUS)  RMMs, custom PowerShell and .NET backdoors (Phoenix)    Given the dynamic nature of the Iranian ecosystem and its heavy use of contracting companies, there are often instances where groups, activity, malware, and infrastructure intersect. We hypothesize there are several possibilities for the group’s convergence of TTPs with varying degrees of likelihood, which include:  Centralized procurement: a shared resource that registers and distributes infrastructure or a shared malware developer.  Personnel mobility: one group dissolves, and another absorbs team members, or groups merge based on new requirements or shared remits.  Interpersonal relationships: individual members of the same team have TTP preferences, and operators share their preferred techniques with one another.  Parallel contractor deployment: the parent/sponsoring agency tasks more than one contracting company to a particular threat group or campaign.  Institutional collaboration: cross-agency exchanges between IRGC and MOIS at an organizational level due to the groups’ affiliations with differing agencies.  Conclusion  UNK_SmudgedSerpent’s first observed campaign was in June 2025, after which the group was seen a few times targeting policy experts in the US using lures about internal political developments in Iran. The subsequent investigation revealed multiple overlaps in TTPs with TA453, TA450, and TA455. However, the abundance of links prevents high confidence attribution to any one of these groups.  While UNK_SmudgedSerpent has not been observed in email campaigns since August 2025, related activity likely remains ongoing. The appearance of a new actor with borrowed techniques suggests there may be personnel mobility or exchange between teams, but with a consistent remit; however, there is no confirmed attribution for UNK_SmudgedSerpent at the time of writing. The TTPs and infrastructure are an extension of previously observed behavior from Iranian threat groups, and the targeting of Iran foreign policy experts continues to reflect the Iranian government’s intelligence collection priorities.  ET rules  2054935 - ET INFO PDQ Remote Management HTTP Header Observed (x-pdq-key-ids)  2054936 - ET INFO PDQ Remote Management User-Agent Observed (PDQ rover)  2054937 - ET INFO PDQ Remote Management Agent HTTP Activity  2054938 - ET INFO PDQ Remote Management Agent Checkin  2062767 - ET INFO Observed DNS Query to Online Document Sharing Service (onlyoffice .com)  2062768 - ET INFO Observed Online Document Sharing Service Domain (onlyoffice .com in TLS SNI)  2065399 - ET PHISHING Observed UNK_SmudgedSerpent Style URI  2065427 - ET MALWARE Observed DNS Query to TA455 Domain (msnapp .help)  2065434 - ET MALWARE Observed DNS Query to TA455 Domain (accountroyal .com)  2065439 - ET MALWARE Observed DNS Query to TA455 Domain (palaerospace .careers)  2065444 - ET MALWARE Observed DNS Query to TA455 Domain (msnapp .live)  2065448 - ET MALWARE Observed DNS Query to TA455 Domain (healthiestmama .com)  2065449 - ET MALWARE Observed DNS Query to TA455 Domain (mojavemassageandwellness .com)  2065450 - ET MALWARE Observed DNS Query to TA455 Domain (alwayslivehealthy .com)  2065451 - ET MALWARE Observed DNS Query to TA455 Domain (rhealthylivingsolutions .com)  2065452 - ET MALWARE Observed DNS Query to TA455 Domain (rheinmetallcareer .org)  2065453 - ET MALWARE Observed DNS Query to TA455 Domain (chakracleansetherapy .com)  2065454 - ET MALWARE Observed DNS Query to TA455 Domain (clearmindhealthandwellness .com)  2065455 - ET MALWARE Observed DNS Query to TA455 Domain (joinboeing .com)  2065456 - ET MALWARE Observed DNS Query to TA455 Domain (healthcarefluent .com)  2065459 - ET MALWARE Observed DNS Query to TA455 Domain (rheinmetallcareer .com)  2065464 - ET MALWARE Observed DNS Query to TA455 Domain (zytonhealth .com)  2065470 - ET MALWARE Observed DNS Query to TA455 Domain (sulumorbusinessservices .com)  2065475 - ET MALWARE Observed DNS Query to TA455 Domain (airbushiring .com)  2065481 - ET MALWARE Observed DNS Query to TA455 Domain (healthinfusiontherapy .com)  2065484 - ET MALWARE Observed DNS Query to TA455 Domain (bodywellnessbycynthia .com)  2065486 - ET MALWARE Observed DNS Query to TA455 Domain (careers-portal .org)  2065487 - ET MALWARE Observed TA455 Domain (msnapp .help in TLS SNI)  2065488 - ET MALWARE Observed TA455 Domain (accountroyal .com in TLS SNI)  2065489 - ET MALWARE Observed TA455 Domain (palaerospace .careers in TLS SNI)  2065490 - ET MALWARE Observed TA455 Domain (msnapp .live in TLS SNI)  2065491 - ET MALWARE Observed TA455 Domain (healthiestmama .com in TLS SNI)  2065493 - ET MALWARE Observed TA455 Domain (mojavemassageandwellness .com in TLS SNI)  2065495 - ET MALWARE Observed TA455 Domain (alwayslivehealthy .com in TLS SNI)  2065498 - ET MALWARE Observed TA455 Domain (rhealthylivingsolutions .com in TLS SNI)  2065501 - ET MALWARE Observed TA455 Domain (rheinmetallcareer .org in TLS SNI)  2065502 - ET MALWARE Observed TA455 Domain (chakracleansetherapy .com in TLS SNI)  2065503 - ET MALWARE Observed TA455 Domain (clearmindhealthandwellness .com in TLS SNI)  2065504 - ET MALWARE Observed TA455 Domain (joinboeing .com in TLS SNI)  2065505 - ET MALWARE Observed TA455 Domain (healthcarefluent .com in TLS SNI)  2065506 - ET MALWARE Observed TA455 Domain (rheinmetallcareer .com in TLS SNI)  2065507 - ET MALWARE Observed TA455 Domain (zytonhealth .com in TLS SNI)  2065508 - ET MALWARE Observed TA455 Domain (sulumorbusinessservices .com in TLS SNI)  2065509 - ET MALWARE Observed TA455 Domain (airbushiring .com in TLS SNI)  2065510 - ET MALWARE Observed TA455 Domain (healthinfusiontherapy .com in TLS SNI)  2065511 - ET MALWARE Observed TA455 Domain (bodywellnessbycynthia .com in TLS SNI)  2065512 - ET MALWARE Observed TA455 Domain (careers-portal .org in TLS SNI)  2065513 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (mosaichealthsolutions .com)  2065514 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (ebixcareers .com)  2065515 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (healthcrescent .com)  2065516 - ET PHISHING Observed DNS Query to UNK_SmudgedSerpent Domain (thebesthomehealth .com)  2065517 - ET PHISHING Observed UNK_SmudgedSerpent Domain (mosaichealthsolutions .com in TLS SNI)  2065518 - ET PHISHING Observed UNK_SmudgedSerpent Domain (ebixcareers .com in TLS SNI)  2065519 - ET PHISHING Observed UNK_SmudgedSerpent Domain (healthcrescent .com in TLS SNI)  2065520 - ET PHISHING Observed UNK_SmudgedSerpent Domain (thebesthomehealth .com in TLS SNI)    Indicators  UNK_SmudgedSerpent  Indicator  Type  Description  First Seen  suzzanemaloney@gmail[.]com  Email address  Phishing  June 2025  suzannemaloney68@gmail[.]com  Email address  Phishing  June 2025  patrickclawson51@gmail[.]com  Email address  Phishing  June 2025  patrick.clawson51@outlook[.]com  Email address  Phishing  August 2025  hxxps://suzzanemaloney2506090953.onlyoffice[.]com/s.-k6vjflsdagdsfgh  URL  Delivery  June 2025  thebesthomehealth[.]com  Domain  Delivery  April 2025  mosaichealthsolutions[.]com  Domain  Delivery  April 2025  healthcrescent[.]com  Domain  Delivery  May 2025  ebixcareers[.]com  Domain  Delivery  July 2025  6eb7df21d6f1e3546c252a112504eefbb19205167db89038f2861118bbc8871c  SHA256  Benign PDF  September 2025  0bdb64fc1d5533f7b3fffaf821e89f286ad2d7400a914f21abdcbb7bb8a39e63  SHA256  Benign PDF  September 2025  cac018dccdf6ce4bef19ab71e3e737724aed104bc824332a5213c878b065ff50  SHA256  EXE  September 2025  7b5fb8202bff90398ab007579713f66430778249e43b46f35df6c3ded628f129  SHA256  DLL  September 2025  129a40e38ef075c7d33d8517b268eb023093c765a32e406b58f39fab6cc6a040  SHA256  DLL  September 2025  85858880ee7659cc1152b6a126bc20b9b4fb1b46dddea5af2d65d48d58cd0589  SHA256  MSI  September 2025  0fcdaa2f4db94e0589617830d3d80430627815ef0e4b0c7b7ff5c1ebb82a4136  SHA256  Benign PDF  September 2025  1e9c31ce0eba2100d416f5bc3b97dafe2da0d3d9aee96de59ec774365fe3fe89  SHA256  ZIP  September 2025    TA455  Indicator  Type  Description  First Seen  emiratesgroup-careers[.]com  Domain  Related infrastructure  May 2024  flydubai-careers[.]com  Domain  Related infrastructure  May 2024  airbusgroup-careers[.]com  Domain  Related infrastructure  May 2024  gocareers[.]org  Domain  Related infrastructure Related infrastructure  June 2024  rheinmetallcareers[.]com  Domain  Related infrastructure  June 2024  careers2find[.]com  Domain  Related infrastructure  June 2024  opportunities2get[.]com  Domain  Related infrastructure  June 2024  emiratescareers[.]org  Domain  Related infrastructure  July 2024  droneflywell[.]com  Domain  Related infrastructure  July 2024  usa-careers[.]com  Domain  Related infrastructure  August 2024  careers-hub[.]org  Domain  Related infrastructure  September 2024  global-careers[.]com  Domain  Related infrastructure  September 2024  ehealthpsuluth[.]com  Domain  Related infrastructure  September 2024  worldcareers[.]org  Domain  Related infrastructure  September 2024  uavnodes[.]com  Domain  Related infrastructure  September 2024  careersworld[.]org  Domain  Related infrastructure  September 2024  thecareershub[.]org  Domain  Related infrastructure  September 2024  germanywork[.]org  Domain  Related infrastructure  September 2024  easymarketing101[.]com  Domain  Related infrastructure  September 2024  collaboromarketing[.]com  Domain  Related infrastructure  September 2024  virgomarketingsolutions[.]com  Domain  Related infrastructure  September 2024  marketinglw[.]com  Domain  Related infrastructure  September 2024  anteromarketing[.]com  Domain  Related infrastructure  September 2024  airbusaerodefence[.]nl  Domain  Related infrastructure  November 2024  dronetechasia[.]org  Domain  Related infrastructure  November 2024  asiandefenses[.]com  Domain  Related infrastructure  November 2024  msnclouds[.]com  Domain  Related infrastructure  November 2024  kibanacore[.]com  Domain  Related infrastructure  November 2024  boeingspace[.]com  Domain  Related infrastructure  November 2024  airbusaerodefence[.]com  Domain  Related infrastructure  December 2024  jadehealthcenter[.]com  Domain  Related infrastructure  December 2024  clearmindhealthandwellness[.]com  Domain  Related infrastructure  January 2025  accountroyal[.]com  Domain  Related infrastructure  January 2025  msnapp[.]help  Domain  Related infrastructure  January 2025  msnapp[.]live  Domain  Related infrastructure  January 2025  zytonhealth[.]com  Domain  Related infrastructure  February 2025  alwayslivehealthy[.]com  Domain  Related infrastructure  February 2025  healthiestmama[.]com  Domain  Related infrastructure  February 2025  healthcarefluent[.]com  Domain  Related infrastructure  February 2025  healthinfusiontherapy[.]com  Domain  Related infrastructure  February 2025  mojavemassageandwellness[.]com  Domain  Related infrastructure  February 2025  chakracleansetherapy[.]com  Domain  Related infrastructure  February 2025  bodywellnessbycynthia[.]com  Domain  Related infrastructure  February 2025  palaerospace[.]careers  Domain  Related infrastructure  February 2025  rhealthylivingsolutions[.]com  Domain  Related infrastructure  April 2025  sulumorbusinessservices[.]com  Domain  Related infrastructure  April 2025  airbushiring[.]com  Domain  Related infrastructure  April 2025  joinboeing[.]com  Domain  Related infrastructure  May 2025  rheinmetallcareer[.]org  Domain  Related infrastructure  May 2025  rheinmetallcareer[.]onlyoffice[.]com  Domain  Related infrastructure  May 2025  rheinmetallcareer[.]com  Domain  Related infrastructure  May 2025  careers-portal[.]org  Domain  Related infrastructure  May 2025  boeinginformation[.]onlyoffice[.]com  Domain  Related infrastructure  May 2025  airbus-careers[.]onlyoffice[.]com  Domain  Related infrastructure  June 2025  airbus-survay[.]onlyoffice[.]com  Domain  Related infrastructure  July 2025  malebachhew2506090936.onlyoffice[.]com  Domain  Related infrastructure  July 2025  randcorp.onlyoffice[.]com  Domain  Related infrastructure  July 2025 

Key findings  Cybercriminals are compromising trucking and freight companies in elaborate attack chains to steal cargo freight.  Cargo theft is a multi-million-dollar criminal enterprise, and digital transformation has led to an increase in cyber-enabled theft.    Threat actors compromise these companies and use their access to bid on cargo shipments, to then steal and sell them.  The threat actors typically deliver remote monitoring and management (RMM) tools, aligning with the broader trend of cybercriminals adopting these as a first-stage payload across the threat landscape.  Overview  Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with RMM tooling for financial gain. Based on our ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry — in particular trucking carriers and freight brokers — to hijack cargo freight, leading to the theft of physical goods. The stolen cargo most likely is sold online or shipped overseas. Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics.   In the observed campaigns, threat actors aim to infiltrate companies and use their fraudulent access to bid on real shipments of goods to ultimately steal them. The observed campaigns described in this report are similar to activity Proofpoint researchers previously detailed in September 2024. However, we cannot assess with high confidence whether historic and current campaigns are conducted by the same or multiple groups; thus, Proofpoint is not attributing the activity to a tracked threat actor.   Old crimes, new tools: the digital transformation of cargo theft   According to the National Insurance Crime Bureau, cargo theft leads to $34 billion in losses annually. Cargo theft can refer to many different types of activities leading to the theft of commercial shipments while cargo is in transit. Much of this activity is conducted by organized criminal groups, according to U.S. law enforcement, and Congress has introduced legislation to combat organized retail theft as it has skyrocketed since the COVID-19 pandemic. (Cargo theft conducted by organized crime has been a problem for decades – from “Old West Train Robbers” to 1960s mobsters to our modern cyber-enabled heists.) Proofpoint previously published details on a similar type of cybercrime targeting cargo that impersonates various companies to steal medical and electronic equipment.  While the campaigns that Proofpoint discusses in this report relate to North American cargo theft, it’s a global problem. According to Munich RE, global cargo theft hotspots include Brazil, Mexico, India, the U.S., Germany, Chile, and South Africa, while the most targeted commodities are food and beverage products.   Cyber-enabled theft is one of the most common forms of cargo theft and relies on social engineering and a knowledge of how the trucking and transportation industries work. According to IMC Logistics, opportunities for cyber-enabled theft are partly responsible for the dramatic increase in cargo theft in recent years: “…the digitization of domestic and international supply chains has created new vulnerabilities and thus opportunities for [Organized Theft Groups] to exploit gaps using sophisticated and ever-evolving cyber capabilities. These groups can steal freight remotely by exploiting the technology that has been embedded into supply chains to move cargo more efficiently.”  The attack chain in the observed campaigns leading to cargo theft attempts, which will be described in subsequent sections, is as follows: the threat actor will compromise a broker load board account (a marketplace companies use to facilitate booking loads for trucks), post a fake load, and kick off the attack chain when a carrier responds.   Figure 1. Attack flow.  Campaign details  The threat cluster engaged in suspected cargo theft has been active since at least June 2025, though evidence suggests the group’s campaigns began as early as January. The actor has delivered a range of RMM tools (or in some cases remote access software), including ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able and LogMeIn Resolve. These RMMs/RAS are often used in tandem; for example, PDQ Connect has been observed downloading and installing both ScreenConnect and SimpleHelp. Once initial access is established, the threat actor conducts system and network reconnaissance and deploys credential harvesting tools such as WebBrowserPassView. This activity indicates a broader effort to compromise accounts and deepen access within targeted environments.   Researchers have identified related network infrastructure and similar tactics, techniques, and procedures (TTPs) in campaigns delivering NetSupport and ScreenConnect going back to January 2025, suggesting a longer operational timeline. Separately, from 2024 through March 2025, Proofpoint also tracked a threat actor targeting ground transportation organizations distributing DanaBot, NetSupport, Lumma Stealer, and StealC, which we previously reported on. It is possible these clusters of activity are all related; however, we cannot attribute this with high confidence. All appear to have knowledge about the software, services, and policies around how the cargo supply chain operates. Regardless of the ultimate payload, stealers and RMMs serve the same purpose: remotely access the target to steal information. However, using RMM tools can enable threat actors to fly further under the radar. Threat actors can create and distribute attacker-owned remote monitoring tools, and because they are often used as legitimate pieces of software, end users might be less suspicious of installing RMMs than other remote access trojans. Additionally, such tooling may evade anti-virus or network detections because the installers are often signed, legitimate payloads distributed maliciously. Cargo theft actors using RMMs aligns with an overall shift in the cybercrime landscape where threat actors increasingly are adopting RMMs as a first stage payload.   In just the last two months, Proofpoint has observed nearly two dozen campaigns, with volumes ranging from less than 10 to over 1,000 messages per campaign.   Figure 2. Most frequently observed first-stage payloads targeting surface transportation since August 2025.  The threat cluster has employed three tactics to deliver RMM tools:   Compromising load boards. The actor posts fraudulent freight listings using compromised accounts on load boards and then sends emails containing malicious URLs to carriers who inquire about the loads. This tactic exploits the trust and urgency inherent in freight negotiations (see Figure 3).  Email thread hijacking. Using compromised email accounts, the threat actors inject malicious content and URLs into existing conversations (see Figure 4).  Direct targeting via email campaigns. The cluster has launched direct email campaigns against larger entities, including asset-based carriers, freight brokerage firms, and integrated supply chain providers. Gaining access to these entities may allow the actors to identify high-value freight loads or uncover other opportunities to further their objectives—such as posting fraudulent loads on load boards (see Figure 5).  Figure 3. Email sent to a carrier responding to a fraudulent load posted on a load board.  Figure 4. Threat actor using a compromised email account and inserting a malicious link into an ongoing conversation.  Figure 5. Direct email sent to hundreds of organizations in the ground transportation industry.  Typically, emails contain URLs that lead to an executable (.exe) or an MSI (.msi) file.  When clicked, these files install an RMM tool, granting the threat actor full control of the compromised machine. In some cases, the threat actor will create domains and landing pages that impersonate legitimate brands or generic transportation terms to further the believability of the social engineering.  Based on campaigns observed by Proofpoint, the threat actor does not appear to attack specific companies, and targets range from small, family-owned businesses to large transport firms as described above. The threat actor appears to be opportunistic about the carriers that it targets and will likely attempt to compromise any carrier who responds to the fake load posting. Once a threat actor has compromised a carrier, they probably will use their knowledge of the industry and any insider information derived from other compromises to identify and bid on loads that are likely to be profitable if stolen.   While investigating the objectives of this threat cluster, Proofpoint researchers found multiple public discussions on social media websites that aligned precisely with the phishing and account takeover activity we had observed by this actor. One public Reddit post shared an experience in which the attacker compromised the company via RMM delivery, deleted existing bookings and blocked dispatcher notifications, added their own device to the dispatcher’s phone extension, booked loads under the compromised carrier’s name, and coordinated the transport. According to the post, the initial compromise was a “nextgen.Carrierbrokeragreement type of link” which notably aligns with a payload URL from this cluster that Proofpoint researchers observed active in July, likely distributing ScreenConnect: hxxp://nextgen1[.]net/carrier.broker.agreement[.]html.   Best practices  Organizations operating in the surface transportation industry or other industries at risk of cargo theft may benefit from reviewing the National Motor Freight Traffic Association Cargo Crime Reduction Framework.   To defend against RMM abuse, Proofpoint recommends the following:  Restrict the download and installation of any RMM tooling that is not approved and confirmed by an organization’s information technology administrators.    Have network detections in place – including using the Emerging Threats ruleset – and use endpoint protection. This can alert on any network activity to RMM servers.    Do not download and install executable files (.exe or .msi) delivered via email from external senders.   Train users to identify the activity and report suspicious activity to their security teams. This training can easily be integrated into an existing user training program.    Conclusion  According to NICB, cargo theft losses increased 27 percent in 2024, and losses are expected to increase another 22 percent in 2025. Cargo theft is a profitable criminal enterprise, and based on Proofpoint data, cybercriminals are increasingly targeting surface transportation entities to steal real, physical goods. Proofpoint has observed nearly two dozen campaigns since August 2025 targeting such entities to deliver RMMs. Public discussion and reporting on cyber-enabled cargo theft suggests the problem is widespread, impacting organizations nationwide, and only increasing in scope and spread. Based on the growth of this activity in email threat data between 2024 and 2025, Proofpoint assesses this threat will continue to increase. Organizations should be aware of the cyber-enabled tactics and payloads used by cargo theft criminals, and implement cybersecurity measures to prevent successful exploitation.     Proofpoint would like to thank our colleagues at ConnectWise ScreenConnect, Red Canary, and the DFIR Report for collaborating on information sharing related to this activity.    Example Emerging Threats signatures  2837962 – ScreenConnect - Establish Connection Attempt   2050021 – Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain  2054938 – PDQ Remote Management Agent Checkin   2065069 – Observed RMM Domain in DNS Lookup (n-able .com)  2065076 – Observed RMM Domain in DNS Lookup (remote .management)  2049863 – simplehelp Remote Access Software Activity  2047669 – fleetdeck Remote Management Software Domain in DNS Lookup (fleetdeck .io)  2061989 – Observed DNS Query to RMM Domain (gotoresolve .com)  Select IOCs  Indicator  Description  First Seen  carrier-packets[.]net    Payload Staging Domain  October 2025    claimeprogressive[.]com  Payload Staging Domain  October 2025  confirmation-rate[.]com  Payload Staging Domain  October 2025  wjwrateconfirmation[.]com  Payload Staging Domain  October 2025  rateconfirm[.]net  Payload Staging Domain  October 2025  ilove-pdf[.]net  Payload Staging Domain  October 2025  vehicle-release[.]com  Payload Staging Domain  October 2025  carrierpack[.]net  Payload Staging Domain  October 2025  car-hauling[.]com  Payload Staging Domain  October 2025  carrier-packets[.]com  Payload Staging Domain  October 2025  i-lovepdf[.]net  Payload Staging Domain  September 2025  fleetcarrier[.]net  Payload Staging Domain  September 2025  scarrierpack[.]com  Payload Staging Domain  September 2025  carrieragreements[.]com   Payload Staging Domain  September 2025  brokeragepacket[.]com  Payload Staging Domain  September 2025  brokerpackets[.]com  Payload Staging Domain  September 2025  centraldispach[.]net  Payload Staging Domain  September 2025  carriersetup[.]net  Payload Staging Domain  September 2025  brokercarriersetup[.]com  Payload Staging Domain  September 2025  carrierpacket[.]online  Payload Staging Domain  September 2025  billpay-info[.]com  Payload Staging Domain  August 2025  nextgen223[.]com  Payload Staging Domain  August 2025  fleetgo0[.]com  Payload Staging Domain  July 2025  nextgen1[.]net  Payload Staging Domain  July 2025  nextgen01[.]net  Payload Staging Domain  June 2025  ratecnf[.]com  Payload Staging Domain  June 2025  ratecnf[.]net  Payload Staging Domain  June 2025  dwssa[.]top  ScreenConnect C2  June 2025  ggdt35[.]anondns[.]net  ScreenConnect C2  August 2025  qtq2haw[.]anondns[.]net  ScreenConnect C2  September 2025  officews101[.]com  ScreenConnect C2  September 2025  instance-hirb01-relay[.]screenconnect[.]com  ScreenConnect C2  September 2025  185[.]80[.]234[.]36  SimpleHelp C2  August 2025  147[.]45[.]218[.]66  SimpleHelp C2  September 2025  70983c62244c235d766cc9ac1641e3fb631744bc68307734631af8d766f25acf  LogMeIn SHA256 Hash  October 2025  4e6f65d47a4d7a7a03125322e3cddeeb3165dd872daf55cd078ee2204336789c  N-able SHA256 Hash  October 2025  cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec  ScreenConnect SHA256 Hash  October 2025  913375a20d7250f36af1c8e1322d1541c9582aa81b9e23ecad700fb280ef0d8c  Fleetdeck SHA256 Hash  September 2025  8a00b3b3fd3a8f6b3ec213ae2ae4efd41dd5738b992560010ab0367fee72cd2a  SimpleHelp SHA256 Hash  September 2025  559618e2ffbd3b8b849a6ad0d73a5630f87033976c7adccbd80c41c0b2312765  PDQ Connect SHA256 Hash  September 2025 

Key findings Proofpoint created a new open-source tool for creating threat detection rules based on unique characteristics in PDFs called “PDF Object Hashing”.  This technique can help with identifying related documents and enable attribution when threat actors rely on PDFs for malware or credential phishing payloads.  Proofpoint uses this tool internally to help track multiple threat actors.  The tool is now available on GitHub.   Overview  The PDF format is widely used by threat actors to kickstart malicious activity. In email campaigns, Proofpoint researchers observe PDFs distributed in many ways. For example, threat actors often distribute PDFs that contain URLs leading to malware or credential phishing; PDFs with QR codes leading to malicious web pages; or PDFs with fake banking details or invoices to enable business email compromise (BEC) activity.   Figure 1. Example PDF lures used by threat actors impersonating various brands.  Due to the complex nature of the PDF format and the many ways threat actors use it to their advantage, detecting malicious PDF files can range from straightforward to nearly impossible. Proofpoint researchers have identified notable campaigns leveraging PDFs and have created a new tool called PDF Object Hashing designed to track and detect the unique characteristics of PDFs used by threat actors. The tool supports attribution by identifying PDFs that are likely associated with specific threat actors, even when attack chains or delivery methods change.   PDF Object Hashing  The PDF format is complex, which can cause issues when creating new detection signatures. One challenge detection engineers face with the PDF format is that, for compatibility reasons, the PDF specification permits multiple ways to represent a PDF that appears identical when viewed. This gives threat actors a multitude of options to introduce random variations in their malicious PDFs, making it difficult for threat detection engineers to write pattern-matching signatures that address all variations. Examples of the options for variation include the following:   Six different valid whitespace characters  Cross reference tables (think table of contents) can be stored in plaintext or compressed and stored in a separate format  Parameter values for an object can be embedded in that object, or referenced in another object  Additionally, some objects are present in the document as clear text and others are compressed in “stream objects.” A stream object is a compressed object within the PDF that the PDF viewer can still access. This means a domain that a security practitioner is trying to alert on might not be visible unless you are inspecting these compressed streams. While most detection engineers recognize that elements like URIs or lure images can change frequently, the PDF format includes numerous additional format-specific hurdles that must be considered when analyzing a file.   A specific challenge in defending against PDF threats occurs when the file is encrypted. When a PDF file is encrypted, the overall structure of the document remains visible, but the details or parameters of the individual objects are obscured. The following screenshot demonstrates how objects such as URI strings are hidden when the PDF is encrypted but are visible when not encrypted.   Figures 2 and 3. Example of both a standard (obj 5) and encrypted URI object (obj 10).  Proofpoint researchers created unique PDF Object Hashing detections to combat challenges presented with the PDF format. Instead of relying on more fragile or temporary detections such as file hashes, URLs, lure images, and metadata values, we are able to focus on the structure of the document. While more robust detections exist using techniques like dhash to compare image similarity, PDF Object Hashing applies to the overall structure of the document, allowing us to ignore specific lure images. By examining the type of objects and the order in which they appear - while ignoring their specific parameters and details - we can create a “skeleton” or “template” representing the PDF document’s overall structure. These object types are then used to create a unique "fingerprint" of the PDF by hashing their values. Doing so allows us to search across a wide range of PDF files to detect and identify other files which potentially match the “fingerprint”. The process starts by parsing the document, following the locations of all the objects that are in use and then parsing out a “type” for each object. Below are just some of the types we extract:   Pages  Catalog  XObject/Image  Annots/Link  Page  Metadata/XML  Producer  Font/Type1  We then concatenate the objects in order and hash that value creating what we’ve called the PDF Object Hash. This works similar to how imphash works in PE files. We can then cluster on these hashes to help identify variations and image lure updates that may have taken place with a particular document. This is useful for identifying documents where an image lure was updated, or a URI was changed, but the overall document is still similar, which could indicate a builder or process unique to a threat group.   Figure 4. Overlap with PDF Object Hash (green) and then the below PDFs (yellow).  Figure 5. Two distinct lures which all contain the same types of objects.  PDF Object Hashing can be a reliable way of generating signals which can be used with other detection logic to help create more robust rules and to cluster PDF files into groups for more focused analysis. Proofpoint researchers have used the tool internally to identify documents and related activity with high confidence, improving attribution in many cases.   Campaign examples  To illustrate how PDF Object Hashing can help with threat hunting and analysis, we can look at two interesting threat actors.   The threat cluster known as UAC-0050 targets Ukraine and frequently distributes encrypted PDFs delivering malware. In their campaigns, messages contain PDF files with URLs leading to NetSupport RAT. The URL typically downloads a compressed JavaScript file which, if executed, installs the NetSupport RAT payload.   Figure 6. Example PDF impersonating OneDrive. (SHA256: ee03ad7c8f1e25ad157ab3cd9b0d6109b30867572e7e13298a3ce2072ae13e5).   Because these malicious PDF files are encrypted, many cybersecurity tools and other PDF parsing systems are unable to extract the embedded content, including the URI, the lure image, and parameters associated with the content of the document. Regardless of encryption, PDFs retain an internal document structure (e.g., a hierarchy of objects and attributes) that can be parsed to reveal how those objects are organized and related within the file. Using PDF Object Hashing, Proofpoint developed a unique signature for these PDFs without needing to decrypt or analyze specific contents of their internal objects. This approach allowed for the rapid identification of other potentially related PDF documents that potentially share the same structure, while also allowing us to condemn and prevent payload delivery.   Another actor currently employing PDFs and tracked using PDF Object Hashing is UNK_ArmyDrive. Tracked by Proofpoint since May 2025, this actor is believed to operate out of India and has a history of using PDFs as part of their attack chain. While Proofpoint has traditional detection coverage of this group, we also have augmented that coverage with PDF Object Hashing. Doing so provides additional signals from the static characteristics in their documents that we can use to find samples that may otherwise be missed if the group were to pivot away from existing lures.  Figure 7. Example UNK_ArmyDrive PDFs impersonating the Bangladesh Ministry of Defense (08367ec03ede1d69aa51de1e55caf3a75e6568aa76790c39b39a00d1b71c9084).  The open source project for PDF Object Hashing can be found in the Proofpoint Emerging Threats public GitHub: https://github.com/EmergingThreats/pdf_object_hashing 

Key takeaways        OAuth applications can be used to gain persistent access within compromised environments.  OAuth applications maintain their authorized access even if user credentials are reset, or multifactor authentication is enforced.  Such attacks can be fully automated as shown in a PoC and a dedicated tool created by Proofpoint researchers.  Threat actors are already actively exploiting those vulnerabilities.  Introduction  Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments. These attacks allow malicious actors to hijack user accounts, conduct reconnaissance, exfiltrate data, and launch further malicious activities.  The security implications are particularly concerning. Once an attacker gains access to a cloud account they can create and authorize internal (second party) applications with custom-defined scopes and permissions. This capability enables persistent access to critical resources such as mailboxes and files, effectively circumventing traditional security measures like password changes.  To better understand and demonstrate this attack vector, Proofpoint researchers have developed a tool that automates the creation of malicious internal applications within a compromised cloud environment. This blog post provides an in-depth technical analysis of that tool and its implications for enterprise security. Additionally, we will examine a real-world incident detected through our telemetry, offering concrete evidence of how threat actors are actively exploiting such vulnerabilities in the wild.  OAuth application types: second-party vs. third-party  In the context of cloud environments, particularly Microsoft Entra ID, it's crucial to understand the distinction between second-party and third-party applications.  Second-party applications. These are applications registered directly within an organization's tenant. Also known as internal applications, they are generally created and managed by the organization's administrators or users with appropriate privileges. Second-party applications inherit a level of implicit trust within the environment, as they originate from within the organization's own directory.  Third-party applications. These applications are registered in external tenants and request access to resources in other organizations' tenants. Common examples include widely-used services like Zoom or DocuSign. Third-party applications typically undergo additional scrutiny through administrative consent workflows and organizational security policies before being granted access.  This distinction is particularly relevant from a security perspective, as threat actors often prefer creating second-party applications during post-exploitation phases. These internal applications can be more difficult to detect and may bypass security controls designed primarily for external application monitoring.  Attack flow  Initial access vector Cybercriminals often leverage a combination of techniques to gain initial access to cloud user accounts. One common tactic is the use of reverse proxy toolkits accompanied by individualized phishing lures that enable the theft of credentials and session cookies (more information can be found in our recent blog about FIDO downgrade attack).  Once the attackers have stolen a user's login credentials, they can establish unauthorized access to the targeted accounts, setting the stage for the next phases of the attack.  Establishing persistence through OAuth applications Following successful initial access, attackers often pivot to creation and deployment of malicious OAuth applications. This process typically involves:  Leveraging the compromised account's privileges to register new internal applications.  Configuring specific permissions and API scopes for maximum impact.  Authorizing these applications to access critical organizational resources.  The strategic value of this approach lies in its persistence mechanism: even if the compromised user's credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access. This creates a resilient backdoor that can remain undetected within the environment indefinitely, unless specifically identified and remediated.  Technical implementation: automating OAuth-based persistence  Proofpoint researchers have developed an automated toolkit which demonstrates methods by which threat actors establish persistent access through malicious OAuth applications. The PoC implements several key capabilities that mirror real-world attack scenarios.  Core functionality  Automated OAuth application registration and configuration  Customizable permission scope selection Persistent access mechanism independent of user credentials Configurable application naming conventions Operational workflow Starting from an initially compromised account, the tool streamlines the post-exploitation process through automated application creation. While this demonstration uses randomized application names, real-world threat actors typically employ deceptive naming strategies that mimic legitimate business applications to avoid detection.  Figure 1: Future Account Super-Secret Access tool, Version 1:  Welcome screen.  During the automated deployment process, an application is registered with pre-configured permission scopes that align with the attacker's objectives. A critical aspect of this implementation is the ownership attribution: the compromised user account becomes the registered owner of the newly created application, effectively establishing it as a legitimate internal resource within the organization's environment.  This ownership model provides several tactical advantages: The application appears as an internally developed resource and the authentication requests originate from within the organization's tenant. The application inherits trust relationships associated with internal resources and standard third-party application security controls may not detect or flag this activity.  Figure 2: Application creation process. In the example the app name is 'justSOMEniceAPP'.  Figure 3: Application scopes selected: Mail.Read and offline_access.  Upon successful application registration, the tool automatically establishes two critical authentication components.  Application secret generation  The tool first creates a cryptographic client secret for the application. This serves as the application's own authentication credential, required for confidential client authentication flows. This is essential for server-side applications requesting tokens.  Token harvest   The automation then proceeds to collect multiple OAuth token types, each serving distinct purposes in maintaining persistent access: an access token, a refresh token, and an ID token.  Figure 4: Tokens collected.  To validate the effectiveness of this persistence mechanism, this tool includes a practical demonstration of access retention.   Credential reset test - User's password is changed to simulate standard incident response. This action would typically terminate unauthorized access obtained through stolen credentials.  Figure 5: Demonstration of user password change.  Access verification - Despite the password change, the malicious application maintains full access. Some OAuth tokens and application secret continue to function, and all previously authorized permissions remain active.  Figure 6: New tokens generated after the password change.  Following the password reset, this tool demonstrates the sustained effectiveness of the malicious application's access through several key activities.  Email access demonstration - Successfully retrieves user mailbox contents and maintains continuous access to incoming and historical emails. The app now operates independently of user credential changes.  The scope of unauthorized access extends well beyond email, encompassing any resources specified in the application's configured permissions, which may include, for example:   SharePoint documents and collaborative content OneDrive stored files Teams messages and channel data Calendar information Organizational contacts Other Microsoft 365 resources Figure 7: User emails accessed even after password change.  The malicious application's footprint can be observed within the Microsoft Entra ID administrative interface, specifically:  Location and Navigation Path: Entra ID Portal → App Registrations   Application appears as a standard internal registration  Application configuration details under the application's management interface, several key components are visible:  Application configuration:   Basic application metadata Authentication settings API permissions and granted scopes Client secrets - Located under 'Certificates & Secrets' section:  Displays the active secret credentials. This is a critical component enabling persistent programmatic access. Expiration dates and secret status This visibility in standard administrative interfaces underscores the importance of regular application auditing and monitoring, as malicious applications may blend in with legitimate business applications unless specifically scrutinized.  Figure 8: Location of application secrets in Microsoft Azure. The malicious application's ability to maintain unauthorized access is directly tied to the absence of two critical factors.  Access termination conditions   Manual deletion of the application registration and explicit revocation of granted permissions.  Expiration of the client secret credentials.  In this demonstration, the application's client secret is configured with a two-year validity period, providing the attacker with:   Extended persistent access without requiring credential renewal Long-term capability to access protected resources Significant window of opportunity for data exfiltration Prolonged dwell time within the environment This extended persistence window presents substantial risks, potential for long-term undetected access, continued data exposure even after initial compromise discovery, challenges in identifying historical unauthorized access, and the need for proactive application lifecycle management.  Without active discovery and remediation efforts, the application remains a viable attack vector until either administrative action is taken, or the client secret naturally expires.  Real-world attack analysis  Our telemetry revealed a real-world account takeover (ATO) incident that persisted for four days. The initial compromise was detected through a successful login attempt using the user agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Iron Safari/537.36'. Based on our threat intelligence, this user agent signature is most likely associated with Adversary-in-the-Middle (AiTM) phishing attacks, specifically the Tycoon phishing kit.  The threat actor, operating through US-based VPN proxies, executed several malicious actions:  Created malicious mailbox rules Registered an internal application named 'test' Added application secrets with Mail.Read and offline_access permissions, enabling persistent access to the victim's mailbox even after password changes After approximately 4 days the user's password was changed, following which we observed failed login attempts from a Nigerian residential IP address, suggesting the threat actor's possible origin. However, the application remained active. This case study serves as a concrete example of the attack patterns discussed in our blog, demonstrating that these threats are not merely theoretical - but active, exploited risks in the current threat landscape.  Remediation and recommendations Upon discovery of a suspected malicious application in the environment, immediate remediation steps are critical.  Priority actions  Client secret revocation - Immediately invalidate all client secrets. Remove all existing certificates. This immediately terminates the application's ability to request new tokens.  User token revocation - Immediately revoke all existing user tokens.  Application removal - Delete the entire application registration and revoke all previously granted permissions. Remove all associated service principals.  Implement continuous monitoring - By continuously monitoring your line-of-business apps and applying automatic remediation, you may prevent attackers from establishing persistent access to valuable resources. This can also help to stop them from launching more attacks.   Empower your users - Your users are a vital part of your defense. Conduct regular trainings to educate them on how to:   Recognize malicious apps and tenants that seem credible.  Treat unexpected consent requests as suspicious.  Promptly report unusual application authorizations.  

Key findings  TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware installation.  The actor demonstrates innovation in a constantly changing cybercrime threat landscape, with unique web injection campaigns and complicated filtering.   TA585 frequently delivers MonsterV2, a malware with numerous capabilities sold on cybercriminal forums. It is not sold by TA585, and has multiple cybercriminal customers.  MonsterV2 has capabilities of a remote access trojan (RAT), loader, and stealer. It avoids infecting computers in Commonwealth of Independent States (CIS) countries.  Overview   As the cybercrime landscape continues to innovate, new threat actors and capabilities are emerging. One new cybercriminal threat actor, TA585, operates with a high level of sophistication and delivers a variety of malware including the recently released MonsterV2.   MonsterV2 is advertised as a remote access trojan (RAT), stealer, and loader. It is expensive compared to its peer malware families, and used by only a small number of actors, including TA585. Proofpoint researchers first observed it sold on hacking forms in February 2025.  TA585 is notable because it appears to own its entire attack chain with multiple delivery techniques. Instead of leveraging other threat actors – like paying for distribution, buying access from initial access brokers, or using a third-party traffic delivery system – TA585 manages its own infrastructure, delivery, and malware installation. The evolution of cybercrime and its supporting ecosystem has made the threat landscape comparable to the modern job market and the “gig economy.” However, TA585 bucks that trend and owns and manages nearly all of its business model, except the final malware which is sourced from a MaaS (Malware as a Service) such as Lumma Stealer, Rhadamanthys or MonsterV2. This report details both the newly named TA585 as well as the MonsterV2 malware, which is used by multiple actors. While TA585 is one customer of MonsterV2, it is not the malware author, and multiple threat actors use it in campaigns.  Campaign details  Government impersonation  Proofpoint first observed MonsterV2 in a late February 2025 campaign leveraging U.S. Internal Revenue Service (IRS) themed lures. Messages contained URLs linking to a PDF which would open in the browser. The PDF linked to a webpage that was using the ClickFix technique, a technique named by Proofpoint in June 2024, which lures visitors to manually run a malicious command in the Windows Run-box or PowerShell terminal.   SBA themed PDF.   IRS Themed ClickFix Landing leading to MonsterV2, observed on 26 February 2025.   ClickFix themed landing leading to MonsterV2.   If the user copied and pasted the PowerShell script as instructed, it executed a second PowerShell script ultimately leading to MonsterV2.  Proofpoint observed two more U.S. government-themed MonsterV2 campaigns in March 2025, one impersonating the IRS and a second impersonating the Small Business Administration. Both campaigns included less than 200 messages and mostly targeted finance and accounting firms. None of the campaigns are attributed to a tracked threat actor.   TA585 campaigns  In April 2025, Proofpoint researchers investigated an interesting vector: unique web injects and activity we named “CoreSecThree” based on domain names and infrastructure. The actor registers and maintains its own domain names and uses Cloudflare hosting infrastructure. Initial campaigns delivered Lumma Stealer, but the actor began using MonsterV2 in early May 2025.  TA585 activity is typically distributed via compromised websites. Proofpoint detects the threat by sandboxing URLs from business email messages that lead to legitimate websites that have been compromised to serve malware to selected visitors.  Although neither the sender nor the site owner may intend harm, the websites have been compromised with a malicious JavaScript injection. This injection causes the website to load a malicious script which, in campaigns so far this year, is used to create an overlay of the compromised website to present a fake CAPTCHA (ClickFix) instructing users to verify they are human. Unlike some other web inject campaigns that rely on third-party traffic distribution systems, TA585 does its own filtering and checks to ensure a real person is receiving the payload.  Example TA585 JavaScript inject.   ClickFix overlay on compromised website.  This attack chain is able to react on the “Win+R” activity from the user with an actual “reaction” from the website upon completing it. Once the user clicks the “Verify you are human” they are prompted to complete the “Win+R” action:                “Verification” page owned by the threat actor.  Following the instructions will initiate a PowerShell command that downloads and executes malware. Meanwhile, the page starts beaconing repetitively to the lure server which will reply with: “Access denied” until the PowerShell script finishes downloading and running, and the malware is checking in to the payload server from the same IP address that is loading the web page. The user is then redirected to the actual website (with /?verified=true,).  Traffic on the compromised site; the user is redirected once their IP is confirmed.  Proofpoint has observed the above JavaScript inject and infrastructure (intlspring[.]com) delivering two different malware payloads: MonsterV2 and Rhadamanthys.   GitHub themed campaigns  While the majority of the TA585 malware payloads are distributed via web injects, Proofpoint has also observed it delivered via emails such as notifications from GitHub caused by the threat actor tagging GitHub users in fake security notices that contain URLs leading to actor-controlled websites. Third-party researchers have observed TA585 activity delivered via malvertising.  In August 2025, Proofpoint identified a unique TA585 attack chain leveraging GitHub notifications to deliver Rhadamanthys. We first spotted this post by ANY.RUN about ClickFix delivering Rhadamanthys and began investigating.   We identified GitHub notification emails that kicked off the attack chain. The emails were likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning and then tagging legitimate accounts who receive notifications that they have been tagged, with the text from the issue.   GitHub notification email generated by the threat actor.  The notifications contained shortened URLs that led to an actor-controlled website. Like TA585’s typical web inject campaigns, the website performed filtering functions, and if those checks were passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.  GitHub themed web page, using the typical CoreSecThree filtering and beaconing techniques.  Following the instructions initiated a command that downloaded and executed Rhadamanthys.   MonsterV2 malware details  MonsterV2 is advertised as a RAT, stealer, and loader. It is full-featured and has many capabilities that allow it to perform varying functions during a breach. Proofpoint has observed MonsterV2 acting either primarily as a stealer or as a loader, dropping malware such as StealC Version 2. While Proofpoint observes TA585 using MonsterV2, it is also used by other cybercriminal threat actors.   MonsterV2 has the following capabilities:  Able to enumerate and exfiltrate sensitive information such as browser and login data, credit card and crypto wallet information, login data, and tokens for services such as Steam, Telegram, and Discord, files and documents, as well as other data typical of infostealers   View the infected systems’ desktop and record the webcam  Clipper capabilities (essentially replacing cryptocurrency addresses in the infected systems’ clipboard with threat actor-provided addresses)  HVNC (Hidden Virtual Network Computing) – Allows the threat actor to establish a remote desktop-like connection to the infected system, giving graphical user interface access without alerting the user of the infected system  Receive and execute a wide variety of commands from its C2  Download and execute additional payloads  Avoids infecting CIS countries: Russia, Belarus, Ukraine, Kazakhstan, Uzbekistan, Turkmenistan, Kyrgyzstan, Armenia, Tajikistan, Moldova, Latvia, Lithuania, and Estonia  MonsterV2 has been advertised on criminal hacking forums, as seen in the following post excerpt:  MonsterV2 advertisement.  Here is an excerpt of the translation (from Russian, using Google Translate) of the original advertisement of MonsterV2:  Languages used in development: C++ for the client (build), Go and TypeScript for the server logic and panel  The build has built-in RAII wrappers over handles and pointers throughout to prevent memory leaks and UB  Wherever threads are used, the thread-safety concept is observed  Self-written obfuscator and source code generator through direct modification of AST  Build has no dependencies on various additionally installed runtimes and runs even on clean systems  Automatic privilege escalation and modern approaches to evade detection  Before release, the code is run through sanitizers, linters and autotests. Coverage close to 100%  Functionality testing of features is carried out on real machines under conditions as close as possible to «field» ones.  A professional approach to creating an architecture that ensures high scalability and performance  Current modules list: File Manager, Process Manager, Resident Loader, Webcam Recorder, Remote Desktop (HVNC), Remote CMD/PowerShell (read the description of each module below; the number of modules will increase as the project is updated)  To communicate with the C2 server, a raw TCP connection is used with a small add-on on top in the form of an exchange of encryption keys with two-way authentication (analogous to SSL/TLS)  If the connection is lost, the bot will try to restore the connection (reconnect)  The panel is written in a convenient and minimalistic style, so that users do not get distracted, but at the same time maintain good UX  The panel supports Russian and English localizations  Real-time UI updates  One-click installation and intuitive settings  The malware is sold in tiered options, with pricing for one week, two week, or month-long use. The “Standard” version costs $800 USD per month, while the “Enterprise” version that includes a stealer, loader, HVNC, and HCDP (Chrome developer tools) costs $2,000 per month. To compare that with another common stealer, Rhadamanthys is advertised for $199 per month.  Proofpoint has observed that MonsterV2 is actively being maintained and updated, even with minor and “cosmetic” updates. For example, Proofpoint identified the following string in earlier versions of the malware (with a misspelling of the word “terminate”):      Misspelled “terminate” string.  This was fixed in later versions of the malware:  Fixed string spelling.  Behavior  Analyst Note: Prior to execution, MonsterV2 may be decrypted and loaded via another malware called SonicCrypt. This crypter will be detailed later in this report.  Once executed on the target system, MonsterV2 executes the following actions:  Initialization  It first decrypts and resolves several Windows API functions it requires. Each library and function name string is decrypted using a unique ChaCha20 key, which complicates reverse engineering and static analysis. The ChaCha20 functionality is discussed later in this report.  Next, MonsterV2 attempts to elevate its privileges on the system by requesting many permissions, such as the following (this list is not exhaustive). These permissions also hint at the malware’s functionality:  SeDebugPrivilege - Processes that obtain this privilege are potentially able to read and modify the memory of other processes, elevate privileges and bypass security controls, among other things. This is a common privilege that malware may request  SeTakeOwnershipPrivilege – Processes with this privilege can modify object permissions and effectively bypass restrictions, commonly leveraged in privilege escalation scenarios  SeIncreaseBasePriorityPrivilege - Allows changing the base priority of a process, influencing its CPU scheduling  SeIncreaseWorkingSetPrivilege - Permits raising a process’s working set, allocating more physical memory for its operations, and improving performance  SeSecurityPrivilege - Required to view/edit the security event log  SeShutdownPrivilege - Lets processes shut down the system  Additionally, MonsterV2 will optionally create a mutex on the infected system, in the format “Mutant-<unique_id_64_characters>”. Here are a few examples:  Mutant-5B7C3E6F9D8A1F42BCDE0347FA8C9E12D13A4597628F6BD57C4E81A9670D3F5A  Mutant-A8F1D32C497EB560C9A21D87F34EB70591D2C864EAF53BD7906C12F8D4E39BAF  Mutant-93D8FE2065BCA71BEF2486AD7FA0C935ECC27104ABF9E6531875F22CB40D9E8F  This mutex creation and format is a good indicator for threat hunting.  Configuration decryption  MonsterV2 then decrypts its config, which is stored as an encrypted blob in the binary. The config is decrypted using ChaCha20, and then decompressed using an embedded ZLib decompression library. The malware seems to make use of the LibSodium (https://doc[.]libsodium[.]org/) library for encryption/decryption.  Below are some examples of a decrypted MonsterV2 configuration:  MonsterV2 config examples.  In a later sample we analyzed, MonsterV2 supported multiple C2s also in the form of domains instead of just IP addresses:  MonsterV2 config example, with four C2 domains.  The configuration consists of the following values:  Value  Description  anti_dbg  If set to “True”, the malware attempts to detect and evade debuggers in use. In the samples we analyzed, we did not witness this value being anything other than “False”  anti_sandbox  If set to “True”, the malware attempts to detect sandboxes and execute some rudimentary anti-sandbox techniques. In the samples we analyzed, we did not witness this value being anything other than “False”  aurotun (misspelling of “autorun”)  If set to “True”, the malware attempts to establish persistence  build_name  The build name of the malware, which could be used to cluster campaigns and potentially threat actors  disable_mutex  If set to “True”, the malware does not create a mutex on the host  ip / port  The C2 IP and Port. The IP field can consist of multiple IP addresses or domains  priviledge_escalation (another misspelling)  If set to “True”, the malware attempts to elevate its privileges  kx_pk / seal_pk / sign_pk  Keys or key material likely related to encryption, authentication, and integrity of communication between the C2 server and malware client. See also section “Gather System Information” later.  As mentioned, the config is decrypted using ChaCha20. The overall process looks as follows:  The malware reads the first 32 bytes prior to its config (the header) and this is used as key material to generate the ChaCha20 decryption key. This key material is combined with hardcoded “master key” data embedded in the malware which is used to derive the ChaCha20 decryption key and nonce. ChaCha20 is initialized to decrypt the config. ChaCha20 can be identified in memory via the constant “expand 32-byte k”, and the resulting ChaCha20 key, counter, and nonce can be seen in memory after the constant: In this image, we can see the ChaCha20 initialization constant (1), and Key (2), and counter + Nonce (3). 4.  The encrypted config blob is decrypted using the derived ChaCha20 key and nonce. The resulting decrypted config blob is ZLib-compressed (78 9C is a typical ZLib header): Decrypted config blob in memory 5.  The compressed config blob is then decompressed in memory, resulting in the config: Cleartext config in memory.  Here is a Python script that decrypts a MonsterV2 config using a provided key and nonce:  Gather system information  After MonsterV2 decrypts its config, it attempts to reach out to its C2 server. It will continue to attempt this connection until there is a successful connection to the C2 or the malware process terminates. After connecting to its C2, it sends the following information:  Value  Description  version  The version of the MonsterV2 malware    build_name  The build name of the malware, from the config    pk  Likely a public key or key material used for secure communication between the malware client and the C2    ad  Possibly used as integrity protection for data being sent to the C2, to ensure data is not manipulated prior to or during transit to and from the C2  geo  The geolocation of the infected system, for example “BR” for Brazil  sign  Possibly used along with the “ad” to support authentication and data integrity.  compression  Possibly used to inform the C2 of the data compression methods supported by the infected system  os  The operating system version  uuid  A unique ID assigned to the infected system, which is the same as the Mutex value we discussed previously  os_name  The operating system of the infected system    user_name  The username of the infected system  computer_name  The computer name of the infected system  ip  The external IP address of the infected system  This data is stored in stack memory as a structure and then later base-64 encoded and sent to the C2 server.   The struct containing the initial data sent to the C2.  Command & control  Prior to connecting to the C2, the malware reaches out to api[.]ipify[.]org to get the infected system’s IP/location and likely as an internet connection test. If this is successful, the malware sends an initial connect request to its C2. Following this, the malware sends the previously gathered infected system’s information to the C2 (see Gather System Information section).  Responses from the C2 may be intentionally bloated and can be several megabytes. The C2 responses can contain command and control instructions to issue commands to the client, or can consist of another payload (more on this later). Based on code analysis, C2 commands seem to be processed in the following manner:  C2 response is received via a raw socket, using the WSARecv Windows API function. The received data is Base64-decoded, decrypted using the ChaCha20 algorithm, and ZLib-decompressed (similar to the config decryption that we outlined previously). The data is formatted and processed into a JSON-like structure. This structure differs depending on the command the C2 controller sends, but here is a generalized example of the structure:     The “flags” member may contain various flags or other data related to the command. The “data” member may contain payload data that supports the command. For example, for the C2 commands related to file operations, this payload may contain a list of file paths.   4.  The processed commands and data are dispatched to a command handler function. The malware’s command handler function supports a large number of commands from the C2 server. These commands include, but are not limited to, the following:  Terminate the malware’s process and clean up (delete its files and mutex, etc.)  Execute infostealer functionality and exfiltrate data to the C2  Execute an arbitrary command line command (cmd[.]exe, PowerShell commands)  Terminate, suspend, and resume target processes. This potentially could be used for evading endpoint defenses  Establish an HVNC connection to the infected system’s system  Take screenshots of the infected system’s desktop  Start a keylogger  Enumerate, manipulate, copy, and exfiltrate files  Shut down or crash (BSOD) the infected system  Download and execute another payload  Delivery and loading of additional payloads   Proofpoint witnessed in multiple occasions MonsterV2 loading the StealC V2 infostealer as well as the Remcos remote access trojan (RAT). This activity was not correlated with TA585, however. Notably with StealC, the MonsterV2 payloads were configured to use the same C2 server as the dropped StealC payload.   SonicCrypt crypter details  Proofpoint has observed that MonsterV2 is often packed using SonicCrypt, a crypter written in C++ advertised on forum[.]exploit[.]in:  SonicCrypt advertisement.  Here is the translation of the above (provided by Google Translate):  Modern technological crypt with many functions, prompt cleaning and professional support. I present to you a new level of crypts for any budget. Crypt provides a wide range of functions to choose from:  Written in modern C++ with a custom source code mutator that allows you to clean signatures in the blink of an eye  Support for adding your file to startup  Support for adding your file to Windows Defender exceptions  If your file requires administrator rights to work, the crypt supports the ability to bypass UAC  Runs both native and .NET files  Both bit depths are supported: 32 and 64-bit  Competent support will help you decide on the choice of configuration for your unique traffic source  The crypt does not cut the percentage of the knockout and does not interfere with the operation of the encrypted file  Usually the crypt process takes no more than 30 minutes, but in exceptional cases it can reach 12 hours  Supported crypt customizations: icon, manifest, Assembly Info, inflation (pump)  Rates:  Public $ 50 - Standard file crypt. Stab is designed for 5-7 clients, without a warranty period. Possible functionality: icon, manifest, Assembly Info, bloat (pump), UAC Bypass  Private $100 - Private crypt file. The stab is designed for a maximum of 3 people; the warranty period for the stab, when you can ask for a recrypt, is 4 days. All the advantages of the Public tariff + autorun + Windows Defender exceptions  Unique $150 - Unique crypt file. The stab is designed for a maximum of 1 person, the warranty period for the stab is 6 days. All the advantages of Private, but each client receives a unique stab  Malware analysis  SonicCrypt-packed executables are intentionally bloated and therefore contain a lot of junk code, making it difficult to statically analyze. Across SonicCrypt samples, this code is inconsistent and is likely generated to evade static detection:  An example of junk code in SonicCrypt-protected binaries.  The general flow of the malware can be seen in the following code examples:  Runs initial evasion and environment checks (more on this in a moment).  Creates the file where the decrypted payload will be written. The file is named in a similar theme, such as “WinHealth[.]exe” or “WindowsSecurity[.]exe”.  The payload is decrypted and written to this file.  In the samples we analyzed, the payload is executed using the task scheduler.  Here are two code examples demonstrating this behavior.  Example 1:  Example 2:  Anti-analysis checks  Before decrypting and loading its payload, SonicCrypt runs through several checks, including:  Checking amount of RAM  Checks the infected systems’ BIOS manufacturer (in some cases “GenuineIntel” or “AuthenticAMD”)  Some samples check the BIOS version as well   Depending on configuration, SonicCrypt may attempt to add the dropped Exe file as a Defender exclusion.  A code example of SonicCrypt gathering BIOS data.  After these checks are passed, the crypter decrypts the payload, writes it to a file on disk, and executes the payload executable via the TaskScheduler COM object (CLSID: CLSID_TaskScheduler). The process behavior tree will look as follows:    Example MonsterV2 process tree.   Conclusion  TA585 is a unique threat actor with advanced capabilities for targeting and delivery. As the cybercrime threat landscape is constantly changing, TA585 has adopted effective strategies for filtering, delivery, and malware installation. One of its favored payloads is MonsterV2, a malware that may be filling gaps in the criminal ecosystem following high profile law enforcement disruptions of other malware like Lumma Stealer. Proofpoint anticipates we will continue to see new malware families emerge, many of which contain a variety of capabilities baked into one malware.  Proofpoint recommends training users to recognize the ClickFix technique and to prevent non-administrative users from executing PowerShell.   Emerging Threats rule  2061200 – MonsterV2 Stealer CnC Checkin  Indicators of compromise  Indicators  Description  First Seen  SHA256: ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67  C2: 139.180.160[.]173  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-02-22  SHA256: 666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e  C2: 155.138.150[.]12  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-03-08  SHA256: 7cd1fd7f526d4f85771e3b44f5be064b24fbb1e304148bbac72f95114a13d8c5  C2: 83.217.208[.]77:  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-05-12  SHA256: 0e83e8bfa61400e2b544190400152a54d3544bf31cfec9dda21954a79cf581e9  C2: 83.217.208[.]77  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-05-19  SHA256: d221bf1318b8c768a6d824e79c9e87b488c1ae632b33848b638e6b2d4c76182b  C2: 91.200.14[.]69  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-05-26  SHA256: 69e9c41b5ef6c33b5caff67ffd3ad0ddd01a799f7cde2b182df3326417dfb78e  C2: 212.102.255[.]102  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-06-02  SHA256: 6237f91240abdbe610a8201c9d55a565aabd2419ecbeb3cd4fe387982369f4ae  C2: 84.200.154[.]105  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025 – 06 - 09  SHA256: b36aac2ea25afd2010d987de524f9fc096bd3e1b723d615a2d85d20c52d2a711  C2: 144.172.117[.]158  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-06-16  SHA256: 912ef177e319b5010a709a1c7143f854e5d1220d176bc130c5564f5efe8145ed  C2: 109.120.137[.]128:  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-06-23  SHA256: ba72e8024c90aeffbd56cdf2ab9033a323b63c83bd5df19268978cded466214e  C2: 84.200.17[.]240  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-06-30  SHA256: e7bcd70f0ee4a093461cfb964955200b409dfffd3494b692d54618d277cb309e  C2: 84.200.77[.]213  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-07-15  SHA256: 399d3e0771b939065c980a5e680eec6912929b64179bf4c36cefb81d77a652da  C2: 79.133.51[.]100  Port: 7712  MonsterV2 SHA256 file hash, C2, and Port  2025-09-01  98f647eada829bad4d30594496953ddc788c06044f949514e43c3532a83f79e2  TA585 Evasion   2025-04-14 

What happened  Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. In this activity, the group masqueraded as the current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party (CCP), as well as the US-China Business Council, to target a range of individuals and organizations predominantly focused on U.S.-China relations, trade, and economic policy.   The TA415 phishing campaigns delivered an infection chain that attempts to establish a Visual Studio (VS Code) Remote Tunnel, enabling the threat actor to gain persistent remote access without the use of conventional malware. Recent TA415 phishing operations have consistently used legitimate services for command and control (C2), including Google Sheets, Google Calendar, and VS Code Remote Tunnels. This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services.   This TA415 activity occurs amid ongoing negotiations and uncertainty surrounding the future of U.S.-China economic and trade relations. Proofpoint Threat Research assesses that a primary objective of these campaigns is likely the collection of intelligence on the trajectory of U.S.-China economic ties. This activity aligns with recent reporting by the Wall Street Journal.  TA415 is a Chinese state-sponsored threat actor indicted by the U.S. government in 2020 and overlaps with threat activity tracked by third parties as APT41, Brass Typhoon, and Wicked Panda.   Malware delivery  Following multiple phishing campaigns resulting in the delivery of the Voldemort backdoor in August 2024, Proofpoint observed TA415 shift tactics, techniques and procedures (TTPs) and adopt the use of VS Code Remote Tunnels. Throughout September 2024, the group used a highly similar infection chain previously used to deliver Voldemort to instead deliver VS Code Remote Tunnels via an obfuscated Python loader we track as WhirlCoil. This activity targeted organizations in the aerospace, chemicals, insurance, and manufacturing sectors and overlaps with activity publicly reported by Cyble in early October 2024.   Beginning in July 2025, Proofpoint Threat Research observed TA415 conduct a series of campaigns targeting U.S. think tank, government, and academic organizations. This predominantly focused on individuals specialized in international trade, economic policy, and U.S.-China relations. This included emails spoofing the U.S.-China Business Council in July 2025, in which the group invited targets to a purported closed-door briefing on US-Taiwan and U.S.-China Affairs.   TA415 phishing email spoofing US-China Business Council.  Multiple subsequent TA415 campaigns in July and August 2025 posed as John Moolenaar, a U.S. representative and current Chair of the Select Committee on Strategic Competition between the United States and the Chinese Communist Party. Proofpoint regularly observes state-aligned threat actors spoofing prominent individuals in this manner to exploit the trust and credibility tied to their public profiles, often using open-source information to make these impersonations more convincing. These phishing emails purported to request input from the target on draft legislation aimed at establishing a comprehensive sanctions framework against China allegedly being drafted by the Select Committee.  The phishing emails typically contained links to password-protected archives hosted on public cloud sharing services such as Zoho WorkDrive, Dropbox, and OpenDrive. Based on our analysis of upstream sender IP addresses within the Received headers, we identified that the group also consistently used the Cloudflare WARP VPN service to send phishing emails.   Infection chain  TA415 VS Code Remote Tunnel infection chain.  The downloaded archive is password protected and contains a Microsoft Shortcut (LNK) file alongside other files that are stored within a hidden subfolder named _MACOS_. The function of the LNK file is to execute a batch script named logon.bat contained within the hidden folder and display a corrupt PDF hosted on OpenDrive to the user as a decoy document.  Content of example archive delivered by TA415. Example of logon.bat script used by TA415.  The batch script executes the WhirlCoil Python loader (update.py) via pythonw.exe, which is bundled within an embedded Python package also located in the _MACOS_ folder of the archive. Earlier variations of this infection chain instead downloaded the WhirlCoil Python loader from a Paste site, such as Pastebin, and the Python package directly from the official Python website.  Excerpt of obfuscated WhirlCoil Python loader.  The WhirlCoil loader is a Python script obfuscated by repeated use of variable and function names like IIIllIIIIlIlIIlIII. The script first downloads the VSCode Command Line Interface (CLI) zip from legitimate Microsoft sources and extracts the zip to %LOCALAPPDATA%\Microsoft\VSCode. It then checks whether the user is an admin using the Python function call ctypes.windll.shell32.IsUserAnAdmin(). A scheduled task, typically named GoogleUpdate,  GoogleUpdated, or MicrosoftHealthcareMonitorNode, is created for persistence which runs the WhirlCoil  Python script every two hours. If the user has administrative privileges, the task runs as SYSTEM with the highest level of access.  The WhirlCoil script then runs the command code.exe tunnel user login --provider github --name <COMPUTERNAME>; to establish a VS Code remote tunnel authenticated via GitHub. It writes a string containing the returned verification code to a file named output.txt. Following this, the script collects system information (including Windows version, locale, computer name, username, and domain) and the contents of a range of user directories.   This information is sent via POST request to a free request logging service (such as requestrepo[.]com). In most recently observed variations, the URL is appended with <timestamp>_<base64(COMPUTERNAME)> while the body of the request is a base64-encoded blob containing the exfiltrated system information alongside the VS Code Remote Tunnel verification code. With this code, the threat actor is then able to authenticate the VS Code Remote Tunnel and remotely access the file system and execute arbitrary commands via the built-in Visual Studio terminal on the targeted host.  Attribution  According to U.S. government indictments, TA415 operates as a private contractor located in Chengdu, China, and has operated under the company name Chengdu 404 Network Technology. Chengdu 404 has historically engaged in business relationships with other private contractors active within China’s cyberespionage eco-system, including i-Soon, and indicted members of the group reportedly claimed to have links to China’s civilian foreign intelligence service, the Ministry of State Security (MSS). Proofpoint attributes the activity detailed in this report, and historical activity using the custom Voldemort backdoor, to TA415 with high confidence based on multiple independent overlaps with known TA415 infrastructure, the TTPs used, and consistent targeting patterns aligned with Chinese state interests.  Why it matters   Within the phishing threat landscape, shifts in established targeting patterns by state-aligned threat actors often raise interesting analytical questions. While the precise drivers behind these changes are frequently opaque, they are suggestive of evolving tasking requirements and shifting priorities shaped by broader geopolitical developments. In this case, many of the targeted entities are consistent with known Chinese intelligence collection priorities. However, the timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States.  Indicators of compromise  Indicator  Type  Context  First Seen  uschina@zohomail[.]com  Email  Malware Delivery  July 2025  johnmoolenaar[.]mail[.]house[.]gov@zohomail[.]com  Email  Malware Delivery  August 2025  john[.]moolenaar[.]maii[.]house[.]gov@outlook[.]com  Email  Malware Delivery  August 2025    https://www.dropbox[.]com/scl/fi/d1gceow3lpvg2rlb45zl4/USCBC_Meeting_Info_20250811.rar?rlkey=hg5kja70lgn6n2lozb2cjr1l5&st=2gj6un0k&dl=1  URL  Malware Delivery  July 2025  https://od[.]lk/d/OTRfMTA3OTczMjQwXw/USCBC_20250811_Meeting_Info.7z  URL  Malware Delivery  July 2025  https://workdrive.zoho[.]com/file/pelj30e40fd96a6084862bef88daf476dac8d  URL  Malware Delivery  August 2025  https://workdrive.zoho[.]com/file/f8h84a6732545e79d4afdb5e6d6bcaa343416  URL  Malware Delivery  August 2025  https://pastebin[.]com/raw/WcFQApJH  URL  Malware Delivery  July 2025  29cfd63b70d59761570b75a1cc4a029312f03472e7f1314c806c4fb747404385  SHA256  USCBC_Meeting_Info_20250811.rar  July 2025  660ba8a7a3ec3be6e9ef0b60a2a1d98904e425d718687ced962e0d639b961799  SHA256    Draft_Legislative_Proposal.zip  August 2025    b33ccbbf868b8f9089d827ce0275e992efe740c8afd36d49d5008ede35920a2e  SHA256    US_Strategic_Competition_Sanctions_Act_Draft.zip  August 2025  32bf3fac0ca92f74c2dd0148c29e4c4261788fb082fbaec49f9e7cd1fda96f56  SHA256  USCBC_Meeting_Info_20250811.lnk  July 2025  ae5977f999293ae1ce45781decc5f886dd7153ce75674c8595a94a20b9c802a8  SHA256  Legislative_Proposal_Comprehensive_Sanctions_Framework_Targeting_the_PRC.lnk  August 2025  d12ce03c016dc999a5a1bbbdf9908b6cfa582ee5015f953a502ec2b90d581225  SHA256    US_Strategic_Competition_Sanctions_Act_Draft.lnk  August 2025  10739e1f1cf3ff69dbec5153797a1f723f65d371950007ce9f1e540ebdc974ed  SHA256  logon.bat  July 2025  674962c512757f6b3de044bfecbc257d8d70cf994c62c0a5e1f4cb1a69db8900  SHA256    logon.bat  August 2025  8d55747442ecab6dec3d258f204b44f476440d6bb30ad2a9d3e556e5a9616b03  SHA256  update.py  August 2025  4b2a250b604ca879793d1503be87f7a51b0bde2aca9642e0df5bb519d816cd2c  SHA256    update.py  July 2025  d81155fa8c6bd6bd5357954e2e8cae91b9e029e9b1e23899b882c4ea0fffad06  SHA256  update.py  August 2025  http://requestrepo[.]com/r/2yxp98b3/  URL  C2  July 2025  https://1bjoijsh.requestrepo[.]com/  URL  C2  August 2025  https://6mpbp0t3.requestrepo[.]com/  URL  C2  August 2025  ET rules ET MALWARE TA415 CnC Host Profile Exfiltration (POST) -  2064403  ET HUNTING GitHub Authentication via client_id in HTTP POST - 2064186  ET INFO Observed DNS Query to VSCode Hosting Domain (vscode .download .prss .microsoft .com) - 2064184  ET INFO Observed VSCode Hosting Domain (vscode .download .prss .microsoft .com in TLS SNI) - 2064185     

Key findings  Proofpoint researchers observed an increase in opportunistic cybercriminals using malware based on Stealerium, an open-source malware that is available “for educational purposes.”  Multiple other stealers share significant code overlap with Stealerium, such as Phantom Stealer. Throughout this blog post, we’ll use the name Stealerium to refer to infostealers that share significant overlap with the original Stealerium.  Threat actors are increasingly pivoting to information stealers, as targeting identity becomes a priority for cybercriminals.   Overview   Threat actors are increasingly turning to information stealers in malware delivery, and Proofpoint threat researchers have observed an increase in the variety of commodity information stealers regularly used by cybercriminal threat actors. While many threat actors prefer malware-as-a-service offerings like Lumma Stealer or Amatera Stealer, some actors prefer to use malware that can be purchased one time, or openly available on platforms like GitHub. Stealerium is a good example of this. In 2022, it emerged as a freely available open-source malware on GitHub, and is still available to download “for educational purposes only.” While open-source malware can be helpful for detection engineers and threat hunters to understand the patterns of behavior for which they can develop threat detection signatures, it also provides a different kind of education to malicious actors. These actors may adopt, modify, and possibly improve the open-source code, resulting in a proliferation of variants of the malware that are not so easy to detect or defend against.   Screenshot of Stealerium’s GitHub page.  Although the malware has existed for a while, Proofpoint researchers recently observed an uptick in campaigns delivering Stealerium-based malware. A campaign linked to the cybercriminal actor TA2715 in May 2025 led to renewed analysis of Stealerium, which had not been widely campaigned in Proofpoint email threat data since early 2023. TA2536, another low sophistication cybercrime actor, also used Stealerium in late May 2025. Both of these actors recently favored Snake Keylogger (also known as VIP Recovery), so the use of Stealerium was notable. Proofpoint researchers identified additional campaigns through August 2025 that employed a variety of persuasive lures and delivery mechanisms. While most campaigns are not attributed to tracked threat actors, the initial TA2715 activity marked the first observed use of Stealerium in Proofpoint threat data in over a year.   Campaign details  Delivery methods and lures  Message volumes range from a couple hundred to tens of thousands of messages per campaign. Stealerium campaigns included emails with a variety of file types for delivery, including compressed executables, JavaScript, VBScript, ISO, IMG, and ACE archive files. The observed emails impersonated many different organizations, including charitable foundations, banks, courts, and document services which are common themes in e-crime lures. Subject lines typically conveyed urgency or financial relevance, including “Payment Due”, “Court Summons”, and “Donation Invoice.”  For example, on 5 May 2025, Proofpoint identified a TA2715 campaign impersonating a Canadian charitable organization with a “request for quote” lure. Messages contained a compressed executable attachment that, when executed, downloaded and installed Stealerium.  TA2715 campaign impersonating a charitable organization.  Researchers have also observed multiple campaigns leveraging travel, hospitality, and even wedding themed lures. For example, on 23 June 2025, Proofpoint identified a booking request theme with compressed executables that delivered Stealerium. This campaign targeted organizations in the hospitality sector, as well as education and finance organizations.     Travel-themed lure impersonating a travel agency.  Like many commodity malware campaigns, threat actors delivering Stealerium also regularly use payment or invoice lures. In a campaign observed on 24 June 2025, threat actors used a “Xerox Scan” theme with a lure related to payments. The campaign targeted hundreds of organizations globally. These messages contained compressed JavaScript files that installed Stealerium and performed network reconnaissance to gather Wi-Fi profiles and nearby networks.   Lure posing as a scanned payment document to ultimately deliver a JavaScript payload.  And finally, like many threat actors, campaigns delivering Stealerium often use social engineering that leverages fear, frustration, or excitement to get people to engage with their messages with a sense of urgency. We’ve observed adult-themed content in some Stealerium lures, as well as the following example that tells the recipient they’re being sued. This campaign was observed on 2 July 2025, with a “court date” of 15 July 2025 to increase the urgency of the email. These messages contained IMG (disk image) files with embedded VBScripts. The VBScript downloaded the payload as a compressed executable which installed Stealerium.  Legal-themed lure with .vbs and .img attachments that lead to Stealerium.  Payload execution and reconnaissance  Upon execution, Stealerium issues a series of “netsh wlan” commands to enumerate saved Wi-Fi profiles and nearby wireless networks. Several campaigns also leveraged PowerShell to add Windows Defender exclusions and used scheduled tasks for persistence and evasion.  Example process tree:  Example process tree.  The collection of Wi-Fi profiles and broadcasted networks suggests an intent to harvest stored credentials for lateral movement or to geolocate the infected host. SSID naming patterns and security configurations support reconnaissance efforts and may enable threat actors to stage access from nearby systems.  In some variants of Stealerium-based malware, we witnessed Remote Debugging being used, as indicated by the “--remote-debugging-port" argument in chrome.exe. Remote Debugging is a browser feature intended for developers, but it has been exploited by various information stealers to bypass browser security features (such as Chrome App-Bound Encryption) and extract sensitive data such as cookies and credentials.  Malware details  Overview  Stealerium is a full-featured stealer written in .NET and has the capabilities to exfiltrate a large variety of data including browser cookies and credentials, credit card data (via web form scraping), session tokens from gaming services such as Steam, crypto wallet data, and various types of sensitive files.   As Stealerium is open source and has been in operation for a while, there are a number of great writeups on the malware and its variants, including a blog from SecurityScorecard. In this report, we’ll take a closer look at the capabilities that are particularly interesting or have otherwise not been widely documented publicly (to our knowledge). Some of the capabilities that we’ll touch on in this report are:  Stealerium-based malware has a large variety of exfiltration mediums, including some uncommon ones such as Zulip chat and GoFile  Stealerium’s usage of dynamic blocklists for anti-analysis  Stealerium’s features include support for possible “sextortion” tactics  Overlap with other malware families   Overlap with other malware families  As with nearly all open-source malware, the origins and overlap with other malware is murky at best. Stealerium is available as open source on Github, previously at the address: https://github.com/Stealerium/Stealerium. This original repository has since been removed from Github. However, it was re-uploaded here: https://github.com/witchfindertr/Stealerium.  As Stealerium is open source, there are other stealers that share code overlap, such as Phantom Stealer. Phantom Stealer is marketed as an “ethical hacking” tool for “educational purposes” and is sold on its site hxxps://phantomsoftwares[.]site/home/.   Phantom Stealer pricing model (from Phantom Stealer’s website).  It is not clear to what extent Phantom Stealer relates to Stealerium, but the two families share a very large portion of code overlap and it's likely that Phantom Stealer reused code from Stealerium. Notably, many malware samples we analyzed hint at both Phantom Stealer and Stealerium, with references to both in their code. For example, below is a list of .NET namespaces from a sample of Phantom Stealer but with a reference to “Stealerium” at the bottom:  Phantom Stealer namespaces that include Stealerium.   Other samples we analyzed contain no references to “Phantom”, only “Stealerium”, such as the following example:  Stealerium namespace references.  Stealerium and Phantom Stealer can generally be differentiated by the function responsible for uploading the exfiltrated data. Stealerium prints “*Stealerium - Report:” to the top of its summary report, and Phantom Stealer prints “*Phantom stealer” to the top of its summary report:  Sterlerium reporting function snippet.  Phantom Stealer reporting function snippet.  Proofpoint has identified other families with Stealerium code overlap which highly likely have “borrowed” code from Stealerium. One such example, as documented by Seqrite, is Warp Stealer.  As there is significant code overlap between Phantom Stealer,Stealerium, and Warp Stealer. Proofpoint groups all these variants under the label Stealerium. We will continue to group these variants together unless one significantly diverges in capabilities or code.  Capabilities  When Stealerium first executes, it does the following:  Runs some anti-analysis and anti-sandbox checks   Creates a mutex and terminates itself if the mutex cannot be created. This is a common check that malware uses to ensure it only has one instance running on the victim system at a time.  Creates a directory on the system where it temporarily stages the data it will eventually exfiltrate. This directory format varies among samples but is commonly in the format “C:\Users\<user>\AppData\Local\<random_hex_string>\<user_name>@<computer_name>_<locale>”. For example:  C:\Users\Admin\AppData\Local\c742f9b4f1ad3336673662d7213a56ca\Paul@PaulPC_en-US\     The random string is derived by gathering system data such as the victim’s username and  computer name, and MD5-hashing the data (which can be seen in the following code):    Gathering system information and creating an MD5 hash.  4.  Retrieves and verifies its configuration   5.  Proceeds to execute its stealer functions  Stealerium has the capability to extract a variety of data, seemingly trying to grab as much as it can. This data includes:  Keylogging and clipboard data  Banking/credit card data (scraped from web forms)  Browser cookies, cache, and stored credentials  Session tokens from gaming services (like Steam, Minecraft, BattleNet, and Uplay)  Email and chat data (Outlook, Signal, Discord, etc.)  System data such as installed apps, hardware info, and Windows product keys  VPN services data (NordVPN, OpenVPN, ProtonVPN, etc.)  Wi-Fi network information and passwords  Crypto wallet data  Files deemed interesting (such as various types of images, source code, databases, and documents)  A few things are notable here. First, Stealerium does not seem to discriminate when it comes to data theft. Whereas some stealers may target specific data types, focusing on browser form data or email data, for example, Stealerium has the capabilities to steal a larger variety of data types.  Second, the malware has a feature that focuses on pornography-related data. It’s able to detect adult content-related open browser tabs and takes a desktop screenshot as well as a webcam image capture. This is likely later used for “sextortion”. While this feature is not novel among cybercrime malware, it is not often observed. The following code shows how Stealerium first detects pornography-related (“NSFW”) content in open web browsers, then takes both a desktop and webcam screenshot:  Adult content themed features.  The malware queries the victim’s open browser windows to check if any of the following strings appear in the titles of open web pages. These strings are configurable by the operator of the malware:  Adult content themed search strings.   Data exfiltration  Once the previously mentioned data has been enumerated and staged, Stealerium is able to exfiltrate the data in various ways:  SMTP  SMTP seems to be the most common exfiltration method observed in Proofpoint data currently used by Stealerium-based malware. Though notably, this isn’t available in the main version on GitHub. This method uses a recipient address (an actor-controlled email address that receives the stolen data) and a sender address. The sender addresses often used are legitimate companies or people that the threat actor is spoofing. The staged data that the malware collects is compressed into an archive file, attached to an email, and sent to the recipient's address. It’s worth noting that the original Stealerium code may not have contained the SMTP exfiltration functionality, so it's a rather new feature seen in more recent Stealerium-based malware.  Discord  Stealerium can send the staged data to a Discord server, via Discord webhooks. Discord webhooks are effectively lightweight bots and are often used for logging and alerting but can be abused for data theft.  Telegram  Using the Telegram API and a Telegram API key, Stealerium can exfiltrate data to an actor-controlled Telegram account.  Gofile  Stealerium can also be configured to exfiltrate stolen data to Gofile, a cloud storage solution with a free-tier account to upload files. Below is a code excerpt from Stealerium showing the GoFile exfiltration code:   Gofile data exfiltration.  In a nutshell, this code pulls the Gofile server list from https://api.gofile.io/servers, and gets the name of a server located in the “eu” (European Union) zone. It then uploads exfiltrated data to this file server via the Gofile API. It’s worth noting that Gofile has a free tier, so this makes it a good method for abuse and staging of exfiltrated data or additional payloads:  Gofile free tier.  Zulip Chat  Perhaps the most notable exfiltration method is via Zulip, which is a chat service marketed for distributed teams. Using the Zulip API, Stealerium can exfiltrate data to an actor-controlled account. Below is a screenshot of this code:  Zulip exfiltration.  Proofpoint did not witness the use of Zulip chat service as an exfiltration method in the samples we saw in our email threat data, but it’s worth noting that this capability exists.  Malware configuration and encryption  Stealerium is highly configurable, with all configuration settings stored in a structure. An example of the configuration structure is shown below:  Stealerium config structure.  The exfiltration and C2 configurations are stored here, as well as configurations for what types of data the threat actors wish to steal. These config items also contain data theft targets such as targeted banking service names (as seen below):  Banking services example.  Some of the malware’s config and strings are encrypted using AES. Stealerium’s config contains an AES key and salt, which are used to derive a decryption key that decrypts the malware’s C2 configuration and other data. Below is an excerpt from Stealerium’s decryption routine:  Stealerium decryption function.  Anti-analysis  Stealerium has a multitude of anti-analysis and anti-sandbox tricks up its sleeve, including the following:  Delays its execution (generates a random sleep interval time) to evade automated sandboxes  Checks the target’s username and computer name of the system against a list  Checks the target IP address against a large list of blocklisted IP addresses  Checks the target GPU against a list of blocklisted GPU adapter names  Checks the target’s machine GUID against a blocklist  Contains anti-emulation capabilities (executes timing instructions and checks the delta)  Checks for blocklisted processes and services running  Checks if the malware executable started from its intended path  Ability to “self-destruct” (delete its files and terminate its processes) if any of these checks fail  None of these techniques is new or particularly advanced, but it is notable how many different techniques Stealerium can use.  One particularly interesting capability Stealerium has is that it can dynamically download new blocklists from public repositories. In at least a few samples we analyzed, the different anti-analysis blocklists were downloaded from a single GitHub repository::  Blocklists example.  These lists appear to be public blocklists maintained by a security researcher on GitHub.  Conclusion  As Stealerium is open-source and freely available and has the capabilities to exfiltrate a large amount of sensitive data via a multitude of mediums, Stealerium (and its variations) is a stealer worth keeping an eye on.  Recent campaigns observed between May and July 2025 demonstrate that Stealerium continues to be used in opportunistic operations. TA2715 was linked to renewed Stealerium use which triggered broader threat hunting and revealed additional campaigns, associated with multiple different threat clusters.  Organizations should monitor for activity involving “netsh wlan”, suspicious use of PowerShell defender exclusions, and headless Chrome execution which are consistent with post-infection behaviors. Additionally, organizations should monitor for large amounts of data leaving the network, particularly to services and URLs that are not permitted for use in the organization, or prevent outbound traffic to these services altogether.   Emerging Threats rules  2037800 - ET MALWARE Win32/Stealerium Stealer Checkin via Discord  2063893 - ET MALWARE Stealerium CnC Exfil via Discord (POST)   2047905 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)   2864110 - ETPRO MALWARE Stealerium/Phantom Stealer Exfil via HTTP (POST)   2864111 - ETPRO MALWARE Stealerium/Phantom Stealer Exfil via TCP   2864112 - ETPRO MALWARE Stealerium/Phantom Stealer Exfil via SMTP   Example indicators of compromise  Indicator  Description  First Seen  d4a33be36cd0905651ce69586542ae9bb5763feddc9d1af98e90ff86a6914c0e   TA2715 campaign using compressed executable (SCR file)   5 May 2025  41700c8fe273e088932cc57d15ee86c281fd8d2e771f4e4bf77b0e2c387b8b23  Financial-themed lure spoofing Garanti BBVA with VBScript   10 June 2025  b640251f82684d3b454a29e962c0762a38d8ac91574ae4866fe2736f9ddd676e  Scanned payment lure with JavaScript payload   11 June 2025  a00fda931ab1a591a73d1a24c1b270aee0f31d6e415dfa9ae2d0f126326df4bb    Travel-themed lure with compressed executable     23 June 2025  e590552eea3ad225cfb6a33fd9a71f12f1861c8332a6f3a8e2050fffce93f45e  Purchase inquiry lure with compressed executable. Process tree shows use of PowerShell and Scheduled Tasks   23 June 2025  50927b350c108e730dc4098bbda4d9d8e7c7833f43ab9704f819e631b1d981e3  Legal-themed lure with VBScript and IMG   2 July 2025