TA866
TA866, also known as Asylum Ambuscade, is a threat actor active since at least 2020. Public reporting describes it as primarily financially motivated but also engaged in cyberespionage; Recorded Future's Insikt Group assesses that it likely conducts espionage on behalf of the Russian government. The group has targeted bank customers and cryptocurrency traders across North America and Europe, and has conducted espionage against government entities in Europe, Central Asia, and other regions. Proofpoint first publicly reported Asylum Ambuscade in March 2022 after activity targeting European government staff assisting Ukrainian refugees.

TA866 operations commonly begin with malspam, spearphishing, malvertising, SEO poisoning, and traffic distribution systems (TDS) including 404 TDS and TAG-124/KongTuke. Observed delivery methods include thread hijacking, malicious hyperlinks, PDF and Microsoft Publisher attachments, OneDrive-hosted JavaScript, malicious Google ads, and fake browser-update lures. In espionage-focused activity the group has used malicious Excel attachments and the Follina vulnerability (CVE-2022-30190).

The actor is closely associated with staged downloader and surveillance tooling: JavaScript downloaders, SunSeed, WasabiSeed, Screenshotter, AHK Bot, and NODEBOT. WasabiSeed and SunSeed establish persistence and retrieve additional MSI payloads. Screenshotter captures and exfiltrates desktop screenshots, apparently so the operators can triage victims before committing further tooling. AHK Bot is a modular AutoHotkey-based family used for persistence, system and domain enumeration, screenshot capture, keystroke logging, browser credential theft, hVNC deployment, and installing or removing remote access software. NODEBOT was introduced as a Node.js equivalent to AHK Bot.
TA866 has also been linked to development of the Resident backdoor and to WarmCookie/BadSpace activity; Talos assessed that WarmCookie activity is related to prior TA866 intrusions and noted likely shared authorship with Resident. PS1Bot has also been assessed to share technical overlaps with the AHK Bot previously used by TA866.

Post-compromise activity includes reconnaissance with native Windows tools such as net group, nltest, ipconfig, whoami, and systeminfo, as well as utilities such as AdFind and network scanners. Follow-on payloads observed in TA866-linked activity include Rhadamanthys, Cobalt Strike, CSharp-Streamer-RAT, Resident, and the remote access tools AnyDesk, TeamViewer, and Remote Utilities. Proofpoint attributed the post-exploitation tooling in Rhadamanthys campaigns to TA866, and Talos reported limited cases involving deployment of additional malware. The group also uses shared infrastructure and services, including TAG-124/KongTuke and 404 TDS, and relationships with other actors such as TA571 for spam distribution.

Aliases: TA866 and Asylum Ambuscade. Proofpoint also referred to one TA866 activity cluster as Screentime.
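Most of the post-compromise tradecraft above is ordinary discovery commands that any administrator also runs, so the useful detection is the burst, not any single binary: one account running several distinct discovery tools on one host within a few minutes. The script below is an added example for this profile, not code from Proofpoint, Talos, ESET or Mallory. The events are constructed Sysmon Event ID 1-style records, and the field names, the ten-minute window and the four-tool threshold are assumptions to tune against your own telemetry.

```python
"""Flag discovery bursts of the kind described in TA866 reporting.

Added example, not vendor tooling. Input is a list of process-creation
events as dicts (constructed below; in practice Sysmon Event ID 1 or
Security 4688 exported as JSON). A (host, user) pair is flagged when it
runs at least `min_distinct` different discovery tools inside `window`.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries named in the reporting: native tools plus AdFind.
RECON_IMAGES = {"net.exe", "nltest.exe", "ipconfig.exe", "whoami.exe",
                "systeminfo.exe", "adfind.exe"}
# net.exe hands off to net1.exe, so both appear in logs; count them once.
ALIASES = {"net1.exe": "net.exe"}


def recon_tool(event):
    """Return the normalised tool name if the event is a discovery command, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    image = ALIASES.get(image, image)
    if image not in RECON_IMAGES:
        return None
    cmd = event["CommandLine"].lower()
    # "net use" is routine; "net group ... /domain" is the enumeration the reporting describes.
    if image == "net.exe" and " group" not in cmd and " localgroup" not in cmd:
        return None
    return image


def detect_discovery_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Return [(host, user, burst_start, sorted_tools)] for each flagged (host, user)."""
    per_actor = defaultdict(list)
    for ev in events:
        tool = recon_tool(ev)
        if tool:
            ts = datetime.fromisoformat(ev["UtcTime"])
            per_actor[(ev["Computer"], ev["User"])].append((ts, tool))

    alerts = []
    for (host, user), runs in per_actor.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            in_window = {t for ts, t in runs[i:] if ts - start <= window}
            if len(in_window) >= min_distinct:
                alerts.append((host, user, start, sorted(in_window)))
                break  # one alert per host/user is enough for triage
    return alerts


def _ev(ts, host, user, image, cmd):
    return {"UtcTime": ts, "Computer": host, "User": user, "Image": image, "CommandLine": cmd}


# Constructed sample telemetry (assumed field names, invented hosts and times).
SAMPLE_EVENTS = [
    # WS01: six distinct discovery tools in six minutes, the pattern worth alerting on.
    _ev("2024-05-14T09:00:12", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\whoami.exe", "whoami /all"),
    _ev("2024-05-14T09:00:40", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\systeminfo.exe", "systeminfo"),
    _ev("2024-05-14T09:01:05", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /all"),
    _ev("2024-05-14T09:02:30", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\nltest.exe", "nltest /dclist:corp"),
    _ev("2024-05-14T09:03:10", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net.exe",
        'net group "Domain Admins" /domain'),
    _ev("2024-05-14T09:03:10", "WS01", "CORP\\jdoe", "C:\\Windows\\System32\\net1.exe",
        'C:\\Windows\\system32\\net1 group "Domain Admins" /domain'),
    _ev("2024-05-14T09:06:02", "WS01", "CORP\\jdoe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AdFind.exe",
        "AdFind.exe -f objectcategory=computer"),
    # WS02: an admin running single commands hours apart stays below the threshold.
    _ev("2024-05-14T11:00:00", "WS02", "CORP\\admin1", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig /flushdns"),
    _ev("2024-05-14T14:00:00", "WS02", "CORP\\admin1", "C:\\Windows\\System32\\whoami.exe", "whoami"),
    # WS03: mapping a share with net.exe is not group enumeration and is ignored.
    _ev("2024-05-14T09:00:00", "WS03", "CORP\\asmith", "C:\\Windows\\System32\\net.exe", "net use Z: \\\\fs01\\share"),
]

if __name__ == "__main__":
    for host, user, start, tools in detect_discovery_bursts(SAMPLE_EVENTS):
        print(f"{host} {user} discovery burst from {start}: {', '.join(tools)}")
```

The threshold on distinct tools, rather than on total command count, is what keeps a looping script or a repeated `ipconfig` from tripping the rule; AdFind running from a user's Temp directory is worth a separate, lower-threshold rule of its own, since it is not a Windows component.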
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
- Government & Administration
Tradecraft
30 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
10 malware families attributed to this actor across reporting.
Observables
49 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
- Referenced as an APT customer of KongTuke's infection distribution service.
- Named as a threat actor/activity cluster associated with use of TAG-124 shared traffic distribution infrastructure (per Recorded Future).
- Referenced as a threat actor/activity cluster that has leveraged KongTuke/TAG-124 infrastructure for follow-on malware delivery after initial access and traffic redirection.