Financially Motivated · 5 malware families

TA542

Also known as: MUMMY SPIDER, ta542

TA542, also known as Mummy Spider, is a prolific cybercrime threat actor tracked by Proofpoint as the operator and distributor of Emotet (also known as Geodo). Proofpoint reports tracking the actor since 2014, with large-scale international email campaigns affecting North America, Central America, South America, Europe, Asia, and Australia. The group is described as the gang that developed, distributes, and operates the Emotet botnet, and public reporting has characterized it as a Russian-aligned cybercrime group.

TA542 is known for very high-volume malspam campaigns, often sending hundreds of thousands to millions of messages per campaign. Its delivery activity has commonly relied on Microsoft Word or Excel documents containing VBA or XL4 macros, malicious URLs, and compromised websites, including WordPress sites. Proofpoint also observed TA542 adapting its delivery methods over time, including the use of XLL files, zipped LNK attachments, and other non-macro formats as macro blocking became more widespread. The actor uses social engineering extensively: invoice, payment, quote, purchase-order, and COVID-19-themed lures, stolen branding, language localization, and thread hijacking. Since early April 2019, TA542 has consistently used thread hijacking, replying to existing benign email conversations.

Emotet is described in the cited reporting as having evolved from a banking Trojan into a modular botnet and malware delivery platform. Reported Emotet capabilities include spamming, credential theft, email harvesting, and network spreading/lateral movement. TA542 consistently uses the latest Emotet version and has used Emotet to deliver additional malware. Payloads directly mentioned in the reporting include Qbot, TrickBot, IcedID, Gootkit, Zeus Panda, and Bumblebee. Proofpoint also observed IcedID Lite distributed as a follow-on payload in a TA542 Emotet campaign in November 2022.

Targeting is broad rather than industry-specific in the cited reporting, with recurring focus on countries including Germany, the United Kingdom, the United States, Latin America, Japan, and others. Specific reporting cited high-volume campaigns impacting Japan in April 2019. TA542 activity has also shown seasonal spikes around holidays such as Christmas, Thanksgiving, Black Friday, and Cyber Monday. Known aliases in the cited reporting are TA542 and Mummy Spider.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇯🇵 Japan
MITRE ATT&CK

Tradecraft

9 distinct techniques observed across reporting, grouped by tactic.

6 of 15 tactics · 11 techniques · ×N = number of intelligence reports citing this technique

  • TA0001 Initial Access (1 technique)
      • T1566 Phishing (×2)
          • T1566.001 Spearphishing Attachment
  • TA0002 Execution (2 techniques)
      • T1059 Command and Scripting Interpreter
          • T1059.005 Visual Basic (×2)
      • T1204 User Execution
          • T1204.002 Malicious File (×2)
  • TA0005 Stealth (1 technique)
      • T1218 System Binary Proxy Execution
  • TA0006 Credential Access (1 technique)
      • T1649 Steal or Forge Authentication Certificates
  • TA0011 Command and Control (1 technique)
      • T1105 Ingress Tool Transfer
  • TA0040 Impact (2 techniques)
      • T1486 Data Encrypted for Impact
      • T1498 Network Denial of Service
IOCS

Observables

111 indicators are attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. The IOC values themselves are gated and are not shown on this page.
