>samit_hota
Back to adversary profiles
G1018HighActive

TA2541 Threat Profile: A Persistent Cybercriminal Group

Samit Hota·
Suspected Origin
Eastern Europe
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Aviation, Aerospace, Transportation, Manufacturing, Defense
Associated Malware
AsyncRAT, NetSupport Manager, RedLine Stealer, LokiBot, Remcos, DarkCrystal RAT, Agent Tesla, Nanocore, Warzone RAT, PureCrypter, SmokeLoader
#threat-actor#g1018

Overview

TA2541 is a persistent and prolific cybercriminal group that has been a significant threat since at least 2017. Their operations are characterized by high-volume phishing campaigns designed to deliver various commodity remote access tools (RATs) and information stealers. While not exceptionally sophisticated, the group’s consistency and adaptability make them a continuous concern for organizations in their targeted sectors. Their campaigns often leverage themes related to travel, shipping, and aviation, reflecting their primary industry targets. The group’s primary motivation appears to be financial gain, achieved through data exfiltration and potential follow-on activities enabled by the delivered malware.

Attribution efforts suggest TA2541 likely operates from Eastern Europe, though specific country attribution remains unconfirmed. Their operations demonstrate a pragmatic approach, focusing on readily available tools and social engineering at scale rather than bespoke, highly advanced exploits. This strategy allows them to maintain a wide net and consistently compromise a diverse set of victims within their target industries.

Tactics & Techniques

TA2541’s attack methodology predominantly relies on highly effective social engineering delivered through email. Their campaigns are notable for their volume and the use of carefully crafted lures tailored to their target industries. Initial access is almost exclusively achieved via phishing emails that contain malicious attachments or links. These emails frequently impersonate legitimate entities within the aviation, transportation, and logistics sectors, using themes like flight information, shipping confirmations, or invoice disputes to entice recipients to open malicious files.

Once a user is enticed, the group employs a variety of techniques to deliver their payload. Historically, they have favored compressed archives (ZIP, RAR) containing executable files, often disguised as documents (e.g., .iso, .img, .vhd). These executables are frequently obfuscated using crypters to evade detection. Execution typically leads to the installation of various commodity RATs or information stealers.

The group has also been observed using HTML attachments that redirect to malicious downloads or directly execute scripts. Their C2 infrastructure often relies on legitimate services or compromised websites, adding another layer of evasion. Persistence is achieved through standard malware techniques, such as modifying registry keys or creating scheduled tasks. Once established, the malware allows for remote control, data exfiltration, and potentially further compromise of the victim’s network.

Notable Campaigns

TA2541 has maintained a consistent operational tempo, with several notable campaigns highlighting their enduring presence and tactical evolution. One significant campaign, documented in early 2022 by Proofpoint, showcased the group’s continued targeting of critical infrastructure sectors, primarily using malicious ISO file attachments to deliver commodity malware like AsyncRAT and NetSupport Manager. This campaign reinforced their reliance on high-volume email distribution and crypter-obfuscated payloads.

Another prominent activity detailed by Cisco Talos in 2021, dubbed “Operation Layover,” described TA2541’s efforts to target aviation, travel, and related industries. This campaign, active since at least 2020, also leveraged phishing emails with malicious attachments, but uniquely used themes such as flight status updates and shipping documents to distribute malware like NetSupport Manager. The use of these specific themes demonstrates a keen understanding of their target environments and the types of communications employees would typically expect.

More recently, research from Secureworks in 2023 indicated TA2541’s continued activity, observing them distributing RedLine Stealer and other commodity malware. This shows their adaptability in adopting new readily available tools while maintaining their core TTPs. Their campaigns consistently demonstrate an iterative approach, adjusting lures and payloads based on efficacy and detection rates rather than fundamental changes in their attack chain.

Associated Malware & Tools

TA2541’s toolkit is primarily composed of readily available, off-the-shelf commodity malware and remote access tools, which they frequently update and rotate to maintain effectiveness. This approach allows them to operate efficiently without the need for developing custom, sophisticated malware.

Some of the most frequently observed malware and tools in TA2541’s campaigns include:

  • AsyncRAT: A popular open-source RAT capable of remote control, keylogging, and data exfiltration.
  • NetSupport Manager: A legitimate remote administration tool often abused by threat actors for unauthorized access.
  • RedLine Stealer: An information stealer designed to exfiltrate sensitive data from web browsers, cryptocurrency wallets, and FTP clients.
  • LokiBot: An info-stealer and trojan that collects credentials and other sensitive data.
  • Remcos: A legitimate remote control software that, like NetSupport Manager, is frequently weaponized by cybercriminals.
  • DarkCrystal RAT (DCRat): A feature-rich RAT offering various remote access capabilities.
  • Agent Tesla: Another prevalent information stealer.
  • Nanocore: A commercial RAT known for its comprehensive remote control features.
  • Warzone RAT: A remote access trojan with capabilities for surveillance and control.
  • PureCrypter: A crypter service used by TA2541 to obfuscate their payloads and evade detection.
  • SmokeLoader: A modular downloader used to fetch and execute other malware payloads.

The group’s reliance on crypters, such as PureCrypter, is a consistent element, enabling them to obfuscate their various payloads and hinder static analysis.

Current Status

TA2541 remains an active and persistent threat. Intelligence from 2023 and 2024 indicates the group continues to launch high-volume phishing campaigns targeting their established sectors. Their modus operandi, while consistent, shows a continuous adaptation in the specific lures, attachment types, and commodity malware used, reflecting an ongoing effort to circumvent security defenses.

Their primary focus remains financial gain, and they continue to leverage social engineering and readily available tools to achieve their objectives. Organizations in the aviation, aerospace, transportation, manufacturing, and defense industries should consider TA2541 a current and ongoing threat, requiring robust email security, user awareness training, and endpoint detection and response capabilities to mitigate the risk posed by this group. Their consistent activity over several years underscores their resilience and the effectiveness of their chosen tactics.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call