6 malware families

TA800

Also known asTA800

TA800 is a large cybercrime threat actor tracked by Proofpoint since at least mid-2019. It is described as an affiliate distributor of Trickbot (also called The Trick) and BazaLoader, and has also delivered Buer Loader and Ostap. Proofpoint reports that TA800 targeted multiple industries in North America and conducted a wave of Q4 attacks against the healthcare sector using BazaLoader, which subsequently installed Ryuk ransomware. More broadly, TA800 activity is associated with delivery of banking malware and malware loaders that can enable follow-on ransomware deployment. Proofpoint assesses with high confidence that TA800 is related to reporting on BazaLoader implants used to distribute Ryuk ransomware. Known alias in the provided content: ta800.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

ARSENAL

Associated malware families

6 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BazarAdditionally, Proofpoint tracks downloaders such as Buer Loader and BazaLoader that are often used as an initial access vector for ransomware attacks.2Jun 14, 2026

Buer LoaderThese criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader and will then sell their access to ransomware operators to deploy data theft and encryption operations.1Jun 14, 2026

OstapThis threat actor attempts to deliver and install banking malware or malware loaders including The Trick, BazaLoader, Buer Loader, and Ostap.1Jun 14, 2026

Ryuk"BazaLoader... subsequently installed a ransomware strain called Ryuk."1Mar 18, 2026

The TrickThese criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader and will then sell their access to ransomware operators to deploy data theft and encryption operations.1Jun 14, 2026

1 additional family tracked in Mallory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

proofpointNews

Jun 14, 2021

How Initial Access Brokers Lead to Ransomware | Proofpoint US

Initial access facilitator delivering banking malware and loaders that have been used to enable ransomware deployment, including links to Ryuk distribution via BazaLoader implants.

proofpoint threat insight blogNews

Feb 16, 2021

Security Brief: Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes

Affiliate distributor delivering Trickbot ('The Trick') and BazaLoader via malspam/phishing; in Q4 linked to healthcare-focused campaigns where BazaLoader led to Ryuk ransomware deployment.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal6

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.