TA2726
TA2726 is a financially motivated cybercriminal threat actor tracked by Proofpoint that operates as a malicious traffic distribution service (TDS) provider for other threat actors. Proofpoint assesses with high confidence that TA2726 acts as a traffic distribution service for both TA569 and TA2727, and that it has been active since at least September 2022. TA2726 appears to function as a traffic seller: it likely handles the webserver or website compromises that enable the malicious injects used by other actors, compromising websites and injecting Keitaro TDS links for resale.

TA2726 is repeatedly associated with abuse of Keitaro TDS, including operation of a malicious Keitaro-based service and use of illicit, stolen, or cracked Keitaro licenses. Reporting links TA2726 to compromised websites into which highly obfuscated JavaScript or Keitaro TDS links are injected; visitors are then filtered by geography, browser, device type, IP address, and other criteria and redirected accordingly. In TA569-related chains, TA2726 operated a malicious Keitaro service that routed users into SocGholish delivery, and reporting states that TA2726 injected highly obfuscated JavaScript into compromised sites through a fake WordPress plugin that ultimately loaded SocGholish code.

In activity observed in 2025, Proofpoint reported that TA2726 redirected North American traffic to TA569's SocGholish/FakeUpdates infection chain, while traffic from other regions was routed to TA2727 campaigns. TA2727's campaigns used fake browser update lures to distribute malware including Lumma Stealer, DeerStealer, Marcher, and FrigidStealer.

Known aliases directly reflected in the content are limited to TA2726.
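The injection technique described above (obfuscated JavaScript dropped into a compromised site, here via a fake WordPress plugin) is best hunted at rest on the web server rather than by re-fetching pages: a TDS that filters by IP, geography, browser and device type can serve a scanner's request clean content and the payload only to a targeted visitor. The following is an added example, not code from Proofpoint or from any reporting on TA2726: a heuristic scanner that scores inline script blocks in site files for obfuscation markers (decoder/eval calls, long high-entropy string literals, escape soup, numeric char-code arrays). The plugin names, paths, payload and thresholds are constructed for illustration and are not indicators from the page.

```python
import math
import re
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not code from Proofpoint or the page: a heuristic scanner
# for obfuscated JavaScript injected into site files such as WordPress
# plugin PHP. All thresholds below are assumptions chosen for illustration.

SUSPICIOUS_CALLS = ("eval(", "unescape(", "fromCharCode", "atob(", "document.write(")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.DOTALL)
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
CHARCODE_RE = re.compile(r"\b\d{2,3}\s*,\s*")


def shannon_entropy(s: str) -> float:
    """Bits per character; packed/base64 payloads sit well above plain text."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    path: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_script(body: str) -> Tuple[int, List[str]]:
    """Score one <script> body; higher means more obfuscation indicators."""
    score, reasons = 0, []
    calls = [c for c in SUSPICIOUS_CALLS if c in body]
    if calls:
        score += 2 * len(calls)
        reasons.append("decoder/eval calls: " + ", ".join(calls))
    for m in STRING_RE.finditer(body):  # long high-entropy literal = encoded payload
        lit = m.group(2)
        if len(lit) >= 64 and shannon_entropy(lit) > 4.5:
            score += 3
            reasons.append(f"high-entropy literal ({len(lit)} chars, H={shannon_entropy(lit):.2f})")
            break
    body_stripped = body.strip()
    if len(body_stripped) > 300 and "\n" not in body_stripped:
        score += 1
        reasons.append("single-line script over 300 chars")
    if len(ESCAPE_RE.findall(body)) >= 10:
        score += 2
        reasons.append("heavy \\x/\\u escaping")
    if len(CHARCODE_RE.findall(body)) >= 20:
        score += 2
        reasons.append("long numeric char-code array")
    return score, reasons


def scan_file(path: str, content: str, threshold: int = 4) -> Optional[Finding]:
    """Return a Finding for the highest-scoring script in the file, or None."""
    best = Finding(path, 0)
    for m in SCRIPT_RE.finditer(content):
        s, r = score_script(m.group(1))
        if s > best.score:
            best = Finding(path, s, r)
    return best if best.score >= threshold else None


def scan_files(files: Dict[str, str], threshold: int = 4) -> List[Finding]:
    """Scan a {path: content} map (e.g. read from wp-content/plugins) and keep hits."""
    return [f for f in (scan_file(p, c, threshold) for p, c in files.items()) if f]


# Constructed sample files (hypothetical plugin names and paths, not real IOCs).
_B64 = string.ascii_letters + string.digits + "+/"
_PAYLOAD = "".join(_B64[(i * 11) % 64] for i in range(96))  # stand-in for an encoded blob
INJECTED = (
    "<?php\n/* Plugin Name: Site Optimizer */\n"
    "add_action('wp_footer', function () { ?>\n"
    "<script>var _0x=atob('" + _PAYLOAD + "');"
    "eval(String.fromCharCode(118,97,114,32,97,61,49,59)+_0x);</script>\n"
    "<?php });\n"
)
CLEAN = (
    "<?php\n/* Plugin Name: Contact Widget */\n"
    "add_action('wp_footer', function () { ?>\n"
    "<script>\n  document.addEventListener('DOMContentLoaded', function () {\n"
    "    var f = document.getElementById('contact-form');\n"
    "    if (f) { f.classList.add('ready'); }\n  });\n</script>\n"
    "<?php });\n"
)
SAMPLES = {
    "wp-content/plugins/site-optimizer/site-optimizer.php": INJECTED,
    "wp-content/plugins/contact-widget/contact-widget.php": CLEAN,
}

if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{f.path}: score {f.score}")
        for r in f.reasons:
            print("  -", r)
```

Run it against a copy of the site's document root taken from disk (or from a backup) and treat any hit as a lead for manual review, not a verdict: minified legitimate libraries can score on the single-line and escape checks, which is why the decoder-call and high-entropy-literal signals carry most of the weight. Comparing plugin directories against the list of plugins the site owner actually installed is the cheaper first pass; the scanner is for the case where a fake plugin has a plausible name.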
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Observables
24 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Named as a traffic distribution system operator collaborating with SocGholish/TA569 and selling or redirecting victim traffic into the SocGholish framework.
Operates a malicious Keitaro-based traffic distribution service used to inject obfuscated JavaScript into compromised sites and funnel traffic for TA569 web inject campaigns.
Associated with operating a Keitaro-based traffic distribution service used in the SocGholish infection chain to route victims.
An actor that operates a Traffic Direction System used to filter and redirect victims into the SocGholish infection chain.