Mallory
Malware | Ransomware | Used by 2 actors

Ostap

Ostap (also written OSTap) is a malware downloader/loader used in email-borne infection chains. The public reporting cited on this page describes it as a downloader that uses JavaScript to hide itself from security sandbox analysis tools, and also references OSTap-style macro execution, payload download behavior, and a JavaScript variant. Proofpoint associates Ostap with TA800, a cybercrime actor that has delivered first-stage malware including The Trick, BazaLoader, Buer Loader, and Ostap, and separately reports its use by TA574. Ostap is therefore part of the initial-access ecosystem that enables follow-on malware deployment and can feed ransomware intrusion chains, but the cited material does not establish a one-to-one relationship between Ostap and any specific ransomware family. Delivery is via malicious attachments and macro-enabled documents, with JavaScript-based evasion aimed at defeating sandbox analysis. No high-confidence IOCs are provided on this page.
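The delivery chain described above (phishing attachment, macro execution, a JavaScript downloader that then fetches its payload) is something a defender can hunt for in endpoint telemetry even without family-specific IOCs. The following is an added example written for this page, not code from Mallory, Proofpoint or any Ostap sample. It assumes Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection) already parsed into dicts with the field names used below and delivered in time order; the sample events are constructed, and 203.0.113.10 is a documentation address, not an indicator. Because the page describes Ostap as evading sandboxes but not how, no evasion-specific signature is attempted; the chain is flagged on the real host, where the behavior has to occur for the infection to succeed.

```python
"""Hunt for the macro -> script-host -> download chain this page
attributes to Ostap (an Office macro launching a JavaScript downloader).

Added example for this page; not Mallory's, Proofpoint's or any Ostap
sample's code. Assumes Sysmon-style events (ID 1 process creation,
ID 3 network connection) parsed into dicts with the field names used
below, in time order. The sample events are constructed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script-file extensions the Windows Script Host will run when a macro
# drops a file and launches it.
SCRIPT_FILE_RE = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.IGNORECASE)

STAGE_SPAWN = "office app spawned script host"
STAGE_SPAWN_FILE = STAGE_SPAWN + " with script file on command line"
STAGE_NET = "script host spawned by office app made outbound connection"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_macro_script_downloader(events):
    """Return one finding dict per suspicious event.

    Stage 1: an Office application is the parent of wscript/cscript,
             which is what a macro dropping and running a .js looks like.
    Stage 2: the same script-host process (matched on ProcessGuid) later
             opens an outbound connection, i.e. the download stage.
    Script hosts started by anything else (logon scripts under
    explorer.exe, scheduled tasks) are ignored to keep results hunt-sized.
    """
    flagged = set()   # ProcessGuids of script hosts spawned by Office
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            image = basename(ev.get("Image", ""))
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                cmd = ev.get("CommandLine", "")
                stage = STAGE_SPAWN_FILE if SCRIPT_FILE_RE.search(cmd) else STAGE_SPAWN
                flagged.add(ev["ProcessGuid"])
                findings.append({"guid": ev["ProcessGuid"], "stage": stage, "detail": cmd})
        elif eid == 3 and ev.get("ProcessGuid") in flagged:
            dest = f'{ev.get("DestinationIp", "?")}:{ev.get("DestinationPort", "?")}'
            findings.append({"guid": ev["ProcessGuid"], "stage": STAGE_NET, "detail": dest})
    return findings


# Constructed sample telemetry (not real events). 203.0.113.0/24 is a
# documentation range, so nothing here is a real indicator.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\invoice.js"'},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # Benign: logon script launched by explorer.exe, plus its SMB traffic.
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe \\corp\netlogon\logon.vbs"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    # Benign: Word spawning the print spooler helper.
    {"EventID": 1, "ProcessGuid": "{C3}",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for f in hunt_macro_script_downloader(SAMPLE_EVENTS):
        print(f'{f["guid"]}  {f["stage"]}: {f["detail"]}')
```

Run against the constructed sample, only the Word-spawned wscript.exe and its later HTTP connection are reported; the logon script and the spooler helper are not. The two findings share a ProcessGuid, which is the pivot to pull the dropped script file and the download destination from the same host for triage.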


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
TA800

This threat actor attempts to deliver and install banking malware or malware loaders including The Trick, BazaLoader, Buer Loader, and Ostap.

via Proofpoint (proofpoint.com)
TA574

"The group also uses Ostap, a malware downloader that uses JavaScript to hide itself from security sandbox analysis tools."

via Proofpoint Threat Insight blog (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

These access facilitators distribute their backdoors via malicious links and attachments sent via email.

