Dangerous TA866 malware returns with devious new phishing campaign

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

After a nine month hiatus, the infamous TA866 threat actor is back, a new report from cybersecurity researchers Proofpoint has claimed, having recently observed a large phishing campaign targeting people in North America.

As per its report, Proofpoint says TA866 sent “several thousand emails” with subjects such as “Project achievements”, and similar. 

The emails carried a PDF attachment with names like “Document_[10 digits].prf” and similar. These documents contained a OneDrive URL which, if clicked, launched a multi-step infection chain that ultimately deployed a variant of the WasabiSeed malware.

Organized actor

This malware downloads and runs additional payloads, including the Screenshotter custom toolset. Screenshotter, as the name suggests, takes screenshots of the compromised desktop and sends them to the command & control (C2) server. Should the attackers like what they see on the screenshots, they would proceed to deliver additional payloads. The researchers are unsure which malware that would be, but said that in previous campaigns, the attackers dropped AHK Bot and Rhadamanthys Stealer.

Proofpoint attributed the campaign to TA866 due to the similarities it had to another campaign by the threat actor, observed in March last year. In both examples, the researchers claim, the TA571 spam service was used, the WasabiSeed downloader was delivered, and the Screenshotter script was ultimately deployed. There are some notable changes compared to the March campaign, though. For example, the group decided to use PDF attachments with OneDrive links, which wasn’t previously the case. Earlier campaigns used macro-enabled Publisher attachments, or 404 TDS URLs, directly in the email body. 

The researchers describe TA866 as an “organized actor able to perform well thought-out attacks at scale”, based on their availability of custom tools, and the ability to acquire additional tools from other threat actors (such as the spam tool from TA571). The group runs both crimeware and cyberespionage campaigns, the researchers further elaborated, saying that this specific campaign was financially motivated. The recipients of the phishing emails were not named. 

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
Red padlock open on electric circuits network dark red background
Aviation firms hit by devious new polyglot malware
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
These fake macOS updates are actually just looking to spread malware
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why