>samit_hota
Back to adversary profiles
G0127HighActive

TA551: Persistent Initial Access Broker Fueling Cybercrime

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
GOLD CABIN, Shathak
Target Sectors
N/A
Associated Malware
Ursnif, IcedID, Qbot, Emotet, Valak, Zloader, SLIVER, TrickBot, BazarBackdoor, ElectroRAT, Cobalt Strike
#threat-actor#g0127

Overview

TA551, also known by its aliases GOLD CABIN and Shathak, is a highly persistent and financially-motivated cybercrime group (G0127) that has been active since at least 2018, with some tracking extending its operations back to 2016. This group specializes in widespread, email-based malware distribution campaigns, primarily functioning as an initial access broker (IAB) for other threat actors, most notably ransomware operators. Their operations have global reach, consistently targeting individuals and organizations across various sectors by focusing on language rather than specific industries. Their primary targets include English, German, Italian, and Japanese speakers, with a significant number of victims located in the U.S. and the UK. TA551’s campaigns are characterized by high volume and adaptability, making them a significant and prevalent threat. For instance, Red Canary identified TA551 as the most prevalent threat actor they encountered in 2020 and it remained a leading threat in 2022.

The group’s ultimate goal is financial gain, achieved through the initial compromise of victim networks, which they then often sell or leverage for follow-on attacks by other financially motivated groups, particularly those deploying ransomware. This role as an IAB has linked TA551 to major ransomware events, including those involving Maze and Egregor ransomware in 2020.

Tactics & Techniques

TA551’s operational methodology is centered around highly effective social engineering and robust technical evasion techniques, particularly in its initial access phase. The primary vector for compromise is malicious email (malspam) campaigns.

Their social engineering tactics are sophisticated and designed to bypass typical email security defenses and user scrutiny. A common technique involves “thread hijacking,” where the group gains access to stolen messages or compromised email accounts and uses these legitimate-looking email chains to distribute malware. This makes their phishing attempts appear highly credible to recipients. They also utilize spoofed company emails acquired from previously infected hosts. Lures often involve seemingly innocuous but urgent topics, such as “Stolen Images Evidence” or “Client Proposal” documents, designed to prompt user interaction.

To deliver their malicious payloads, TA551 consistently employs password-protected ZIP archives attached to their phishing emails. The password for these archives is typically provided within the email body, a method that helps these malicious attachments bypass many mail protection filters by preventing direct analysis. Inside these ZIP files, victims usually find macro-enabled Microsoft Word documents. If a user opens the document and enables macros, a malicious Visual Basic for Applications (VBA) AutoOpen macro is triggered, initiating the download and execution of the next-stage malware.

The group demonstrates significant adaptability in its execution and defense evasion techniques. They leverage legitimate Windows binaries like mshta.exe, regsvr32.exe, and rundll32.exe to execute malicious payloads or load malicious DLLs. To further evade detection, TA551 has been observed renaming mshta.exe and employing obfuscated variable names in JavaScript configuration files. They also mask malware DLLs as benign .dat or .jpg files and hide encoded data for malware DLLs within PNG images. In some instances, they have used Windows Management Instrumentation (WMI) to break the typical parent-child process lineage from winword.exe, making macro execution harder to detect. More recently, they’ve been observed using legitimate services like Google Drive links within contact form-generated emails to bypass protections.

For command and control (C2), TA551 primarily uses HTTP communications. They have also used encoded ASCII text for initial C2 communications and have implemented domain generation algorithms (DGAs) to create dynamic C2 infrastructure.

Notable Campaigns

TA551 has a long history of active campaigns, continually adapting its payloads and delivery mechanisms.

In 2019 and early 2020, TA551 frequently distributed banking trojans and info-stealers such as Ursnif and Zloader. By mid-2020, they shifted their focus, predominantly delivering Valak as a first-stage payload, often followed by IcedID as a second stage. However, by mid-July 2020, TA551 moved to exclusively delivering IcedID as its primary initial payload. This strategic shift underscored their agility in response to defensive measures or changes in the cybercrime landscape.

After a brief hiatus, TA551 returned in January 2021, featuring Qbot as a new prevalent payload in their campaigns. A significant evolution in their TTPs was observed in October 2021 when Proofpoint identified TA551 utilizing SLIVER, an open-source, cross-platform adversary simulation and red team platform, as a direct payload. This marked a notable departure from their previous methods, allowing the actors more direct interactive access and potentially removing their reliance on secondary access after an initial compromise. Menlo Security also reported on TA551’s use of Sliver in campaigns as recent as June 2022, including “Stolen Images Evidence” and “Client Proposal” phishing campaigns. These campaigns showcased highly evasive techniques, often leveraging victims’ own infrastructure and legitimate Google Drive links to deliver malicious JavaScript files that download Windows DLLs.

TA551’s effectiveness as an initial access broker is highlighted by its confirmed association with major ransomware incidents, including those involving Maze and Egregor in 2020.

Associated Malware & Tools

TA551 has a diverse and evolving arsenal of malware and tools, reflecting their opportunistic and adaptive nature. Their payloads have historically included a range of banking trojans and information stealers:

  • Ursnif (Gozi/ISFB): A prominent banking trojan and info-stealer, frequently distributed in their earlier campaigns.
  • IcedID (BokBot): Another widespread banking trojan that became a primary payload for TA551 from mid-2020 onwards.
  • Qbot (Qakbot): A modular banking trojan with worm-like capabilities, observed in their campaigns in early 2021.
  • Emotet: A highly sophisticated banking trojan and downloader, previously distributed by TA551.
  • Valak: An information stealer and loader, frequently used in mid-2020 before TA551 transitioned to IcedID.
  • Zloader: Another banking trojan and info-stealer observed in their earlier activities.
  • TrickBot: A modular banking trojan and general-purpose malware loader.
  • BazarBackdoor: Often used for initial access to facilitate ransomware, it was distributed via malicious documents.
  • ElectroRAT: A remote access trojan and stealer designed for Windows, macOS, and Linux, which TA551 has been linked to distributing.

Beyond traditional malware, TA551 has increasingly incorporated legitimate red team and adversary simulation tools into its operations:

  • SLIVER: An open-source, cross-platform adversary simulation framework, its adoption in late 2021 marked a significant shift, providing TA551 with direct interactive access to compromised systems.
  • Cobalt Strike: While not always directly deployed as the initial payload, TA551 has been observed brokering access that could lead to the deployment of Cobalt Strike for post-exploitation activities and eventual ransomware deployment.

Current Status

TA551 remains an active and evolving threat actor. Reports throughout 2021, 2022, and early 2023 consistently described them as a “highly active cybercrime actor” known for distributing a high volume of malicious spam. While specific detailed public reporting for 2024-2026 is not readily available, their historical pattern of continuous operation and adaptation suggests ongoing activity.

Proofpoint identified new campaigns from TA551 leveraging the SLIVER red team tool in October 2021, noting this as a “significant departure” from their previous TTPs, indicating their continuous efforts to innovate and evade defenses. Menlo Security continued to report on TA551’s use of Sliver in campaigns as of June 2022, stating that TA551 “may continue to conduct targeted attacks”. Furthermore, a study in October 2022 by Cyware Social noted recent TA551 attacks using stealers, including ElectroRAT, targeting English-speaking victims. The consistent references to TA551 as a leading threat in reports such as Red Canary’s 2022 Threat Detection Report, for which AttackIQ released emulation tools in March 2023, further affirm its sustained impact and relevance within the cybercrime landscape.

Given their long operational history, consistent volume of campaigns, and demonstrated adaptability in TTPs and payloads up through 2022 and early 2023, it is highly probable that TA551 continues to operate, refining its methods to maintain effectiveness in the face of evolving defenses.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call