13 malware familiesExploits CVEs in the wild

TA551

Also known asGOLD CABINmario_kartmonster_libraShathakTA551

TA551 is a cybercrime threat actor tracked by Proofpoint since 2016. It is also known as Shathak, Gold Cabin, Monster Libra, and Mario Kart. The actor is responsible for distributing a wide variety of malware families, including Ursnif, IcedID, Valak, Qbot, Emotet, and more recently BazarLoader. Proofpoint describes TA551 as a malware distributor that frequently leverages thread hijacking to send malicious email attachments, including password-protected ZIP files and malicious Office documents, with broad geographic and industry targeting. TA551 has repeatedly used spearphishing attachments that prompt users to enable macros to install malware. Reported tradecraft in the provided content includes use of HTTP for command-and-control, encoded ASCII text for initial C2 communications, cmd.exe for command execution, regsvr32 in delivery chains, and use of the Sliver post-exploitation framework in 2021, with additional Sliver campaigns observed in 2022. In one described BazarLoader campaign, TA551 used malspam with a password-protected ZIP containing a macro-enabled Word document that wrote an HTA file from hidden document text, launched obfuscated script content, downloaded a payload over HTTP, and executed it via regsvr32. In a November 2022 intrusion described in the content, TA551 is assessed as the malware distributor that delivered IcedID via a thread-hijacked phishing email and HTML smuggling chain that preceded Nokoyawa ransomware deployment by a separate hands-on-keyboard actor. Proofpoint also assessed with high confidence that TA551 IcedID implants were associated with Maze and Egregor ransomware events in 2020.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

34 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics42 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1584

Compromise Infrastructure

T1584.005×3

Botnet

TA0001

Initial Access

3 techniques

T1078

Valid Accounts

T1133×2

External Remote Services

T1566×5

Phishing

T1566.001×18

Spearphishing Attachment

T1566.002×4

Spearphishing Link

TA0002

Execution

2 techniques

T1059×2

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.003×4

Windows Command Shell

T1059.005×2

Visual Basic

T1059.007×2

JavaScript

T1204

User Execution

T1204.002×8

Malicious File

TA0003

Persistence

2 techniques

T1078

Valid Accounts

T1133×2

External Remote Services

TA0004

Privilege Escalation

3 techniques

T1055×2

Process Injection

T1078

Valid Accounts

T1134×2

Access Token Manipulation

TA0005

Stealth

7 techniques

T1027×2

Obfuscated Files or Information

T1027.006

HTML Smuggling

T1027.010

Command Obfuscation

T1036

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055×2

Process Injection

T1078

Valid Accounts

T1134×2

Access Token Manipulation

T1218

System Binary Proxy Execution

T1218.005×2

Mshta

T1218.010×2

Regsvr32

T1218.011×2

Rundll32

T1564

Hide Artifacts

T1564.006

Run Virtual Instance

TA0009

Collection

1 technique

T1560

Archive Collected Data

T1560.001

Archive via Utility

TA0011

Command and Control

4 techniques

T1071

Application Layer Protocol

T1071.001×8

Web Protocols

T1071.004

DNS

T1105×7

Ingress Tool Transfer

T1132×2

Data Encoding

T1219

Remote Access Tools

TA0040

Impact

1 technique

T1486×7

Data Encrypted for Impact

ARSENAL

Associated malware families

13 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

IcedIDTA551, also known as Shathak or Gold Cabin, is an attacker group that is responsible for spreading a wide variety of malware families including IcedID, Valak, Ursnif and, more recently, BazarLoader.10Jun 27, 2026

SliverSliver is an open source post-exploitation framework written in Go. It executes commands through PowerShell or the Windows Command Shell.7Jun 14, 2026

QakBotSince the Emotet takedown, Proofpoint observed consistent, ongoing activity from The Trick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads in attempts to enable further infections, including ransomware attacks.5Jun 14, 2026

URSNIFTA551, also known as Shathak or Gold Cabin, is an attacker group that is responsible for spreading a wide variety of malware families including IcedID, Valak, Ursnif and, more recently, BazarLoader.4Jun 27, 2026

EmotetThe versatile and disruptive malware Emotet previously served as one of the most prolific distributors of malware enabling costly ransomware infections between 2018 and 2020.3Jun 14, 2026

8 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2025-55182React2Shell RCE in React Server Components Flight ProtocolIn the wildEvidence1

"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."

IOCS

Observables

125 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

125 IOCsView more in app

ip.v4

50 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+42

Domains

43 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+35

hash.sha256

26 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+18

uri

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

hash.md5

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 13, 2026

Detection: Windows Command Obfuscation with Environment Variable Substrings | Splunk Security Content

Referenced as a threat actor associated with the command obfuscation technique using environment variable substrings in Windows command lines.

splunk researchNews

Apr 13, 2026

Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

splunk researchNews

Apr 13, 2026

Detection: Windows EFI Volume Mount Attempt Via Mountvol | Splunk Security Content

Listed in the detection annotations as a threat actor associated with EFI volume mounting / installation-related behavior.

splunk researchNews

Apr 13, 2026

Detection: Windows IOBit Unlocker Extension DLL Registration via Regsvr32 | Splunk Security Content

Referenced as a threat actor associated with the Regsvr32 stealth technique (T1218.010).

+165 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping34

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal13

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables125

Domains, IPs, and hashes tied to this actor, refreshed continuously.