TA578

TA578 is a financially motivated ecrime threat actor tracked by Proofpoint since May 2020. Proofpoint has observed TA578 in email- and web-based initial access campaigns delivering multiple malware families over time, including Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, Bumblebee, DanaBot, and Latrodectus. Proofpoint reported TA578 delivering IcedID in campaigns since June 2020 and frequently conducting campaigns delivering Bumblebee malware. TA578 is strongly associated with contact-form abuse as an initial access technique. The actor typically uses website contact forms to initiate conversations with targets and has consistently used complaint- or legal-themed content, including copyright infringement or stolen-images allegations. Proofpoint observed TA578 placing malicious links in contact forms on victim sites, often spoofing copyright complaints, to redirect users to malicious file downloads. In February 2024, TA578 impersonated companies and sent copyright-infringement legal threats via contact forms; the lure URLs redirected victims to personalized landing pages and downloaded JavaScript from Google Firebase. That JavaScript invoked MSIEXEC to run an MSI from a WebDAV share, which executed a bundled DLL export to run Latrodectus. TA578 has used JavaScript files in malware execution chains and has used Google Firebase to host malicious scripts. The actor has also been linked to botnet-based operations involving SSLoad and Bumblebee malware. Proofpoint observed TA578 deliver DanaBot in December 2023, and in that campaign DanaBot dropped Latrodectus. Since mid-January 2024, Latrodectus has been almost exclusively distributed by TA578 in observed email threat campaigns. Proofpoint described TA578 and TA577 as initial access brokers associated with Latrodectus activity. TA578 previously favored IcedID and Bumblebee but has used Latrodectus as its initial access payload since December 2023.