TA543

TA543 is a financially motivated threat actor tracked by Proofpoint and mapped by Microsoft to Storm-0324, with the alias Sagrid. The actor is characterized by widespread distribution and opportunistic targeting, typically sending large-volume email campaigns that target several hundred organizations at a time across sectors including finance, manufacturing, technology, retail, healthcare, education, and transportation. Observed activity includes large-scale malspam campaigns using invoice, billing-notification, and package-delivery themed lures, including spoofed Intuit and UPS branding and stolen branding from a New Zealand-based accounting software company. Delivery chains described in the source material include malicious Microsoft Word documents, SharePoint-hosted VBS or Windows Scripting File downloaders, Keitaro TDS landing pages, BlackTDS, and intermediate scripts. TA543 has been attributed with campaigns delivering Ursnif, including a campaign targeting Australian users, and with most observed JSSLoader campaigns since 2019. Proofpoint described JSSLoader as an initial-access loader used to profile infected hosts, establish persistence, communicate with command-and-control infrastructure, and execute or load additional payloads. In one 2019 TA543 campaign, JSSLoader additionally loaded Griffon, a payload historically associated with TA3546/FIN7/Carbanak. The provided content also places TA543 in the broader ISFB/Gozi ecosystem, noting links between the RM3_boss ecosystem and TA543, alongside TA547, QQAAZZ, Evil Corp, and Dridex operations. One cited source states that if operators need to send spam, they hire Sagrid (TA543) or TA547. Known aliases directly supported by the content are TA543, Sagrid, and Microsoft’s Storm-0324.