TA577: Adaptive Initial Access Broker Evolving to Post-Exploitation
- Suspected Origin
- Russia
- Motivation
- Financial Gain, Credential Theft
- Aliases
- None documented
- Target Sectors
- All sectors, Unspecified
- Associated Malware
- QakBot, Pikabot, Latrodectus, IcedID, SystemBC, SmokeLoader, Ursnif, Cobalt Strike
Overview
TA577, also tracked by Microsoft Threat Intelligence as Hive0118, is a highly active and adaptive cybercrime group that primarily functions as an initial access broker (IAB). This group has been operational since mid-2020 and is recognized for its consistent deployment of extensive, global email-based campaigns targeting organizations across all sectors.
While historically known for distributing various malware loaders, TA577 has demonstrated a notable evolution in its operational strategy. Recent activities indicate a pivot beyond simply delivering malware for initial access, moving towards more advanced post-exploitation objectives, specifically through the theft of NT LAN Manager (NTLM) authentication hashes. This shift elevates their threat profile significantly, as stolen credentials can facilitate deeper network penetration. The group is assessed to be composed of Russian-speaking cybercriminals, driven predominantly by financial gain. They monetize their access and stolen data, including selling access to other criminal enterprises, such as ransomware affiliates like Black Basta.
Tactics & Techniques
TA577’s primary method for initial access relies heavily on sophisticated, large-scale phishing campaigns. A common and effective social engineering tactic they employ is “thread hijacking” or “reply-chain injection,” where malicious emails are meticulously inserted into existing, legitimate email conversations. This makes the fraudulent messages appear highly credible to recipients, significantly increasing the likelihood of engagement.
Their delivery mechanisms have shown adaptability in response to evolving defensive measures. Historically, TA577 leveraged malicious Microsoft Office documents, often macro-enabled, as well as HTML smuggling and ZIP archive containers to deliver payloads. Following Microsoft’s implementation of stricter macro restrictions in 2023, the group quickly adjusted, embedding malware loaders within PDF or OneNote files to maintain their access operations. More recently, in campaigns focused on NTLM hash theft, they deliver malicious HTML files enclosed within ZIP archives. These HTML files contain meta refresh tags designed to automatically redirect a victim’s browser to an attacker-controlled Server Message Block (SMB) server.
The pivot to credential theft, particularly NTLM hashes, marks a significant capability enhancement for TA577. Campaigns in early 2024 specifically aimed to capture NTLM authentication hashes by tricking the victim’s system into attempting authentication with a malicious SMB server controlled by the threat actor. This process exposes NTLMv2 challenge/response pairs, which can then be used for pass-the-hash attacks or offline cracking. A critical aspect of this technique is its ability to bypass multi-factor authentication (MFA) in scenarios where the targeted user is already authenticated on their Windows machine. Researchers have observed TA577 utilizing the open-source Impacket toolkit on their malicious SMB servers to facilitate these operations.
For execution and delivery of malware, TA577 has been observed using JavaScript and LNK files to initiate additional malicious payloads, and BAT files within their execution chains. The group demonstrates a high degree of evasion capability, rapidly adopting new tactics, techniques, and procedures (TTPs) to circumvent detections. The use of unique identifiers for each attachment in their NTLM campaigns, for instance, is a deliberate strategy to bypass signature-based security systems. Furthermore, TA577 employs robust, redundant infrastructure, incorporating rotating domains, fast-flux techniques, and compromised web properties to maintain persistence and evade blocking.
Notable Campaigns
TA577’s operational history is marked by several significant campaign shifts and involvements:
- QakBot Distribution (Mid-2020 - August 2023): For an extended period, TA577 was a primary distributor of the QakBot (also known as Qbot) botnet, alongside IcedID. This activity ceased following the major international takedown of the QakBot infrastructure in August 2023.
- Pikabot and Latrodectus Campaigns (Post-August 2023): Demonstrating remarkable agility, TA577 rapidly reorganized its operations after the QakBot disruption. They quickly pivoted to distributing new malware loaders, notably Pikabot and Latrodectus. The group was among the first observed distributing Latrodectus in 2023, maintaining its large-scale email delivery capabilities with these new payloads.
- NTLM Hash Theft Campaigns (February-October 2024): A critical development in TA577’s operations began in February 2024 with the launch of campaigns specifically designed to steal NTLM hashes. Two distinct waves were identified on February 26 and 27, 2024, which targeted hundreds of organizations globally through tens of thousands of emails. This marked a strategic evolution towards post-exploitation capabilities. TA577 continued these NTLM-targeted credential thefts against large enterprises globally through October 2024.
- Ransomware Facilitation: TA577 is known to act as an initial access provider for various downstream criminal activities, including ransomware operations. They have been linked to providing access for the Black Basta ransomware group, indicating their role in the broader cybercrime ecosystem.
Associated Malware & Tools
TA577 has leveraged a diverse array of malware and tools to achieve its objectives:
- Loaders/Bots:
- QakBot (Qbot): A long-standing primary payload, widely distributed by TA577 prior to its disruption.
- Pikabot: Rapidly adopted as a key replacement for QakBot, distributed extensively after mid-2023.
- Latrodectus: Another significant loader that TA577 quickly integrated into its campaigns following QakBot’s takedown.
- IcedID: Historically, IcedID was also a notable malware family distributed by TA577.
- SystemBC, SmokeLoader, Ursnif: These malware families have also been observed as payloads delivered by TA577, showcasing their varied arsenal for initial compromise.
- Post-Exploitation Tools:
- Impacket: An open-source toolkit frequently used on attacker-controlled SMB servers during NTLM hash theft campaigns to capture authentication material.
- Cobalt Strike: The presence of Cobalt Strike in TA577’s payload delivery suggests capabilities for more advanced post-exploitation activities, including lateral movement, reconnaissance, and command and control.
Current Status
TA577 remains a highly active and continuously evolving threat actor in the cybercrime landscape. Evidence from threat intelligence sources indicates consistent operational activity and surges from 2021 through 2025.
As of early 2024, the group has demonstrably shifted its operational scope beyond that of a typical initial access broker. Their engagement in large-scale credential theft, particularly NTLM hash capture, signifies an expansion into more advanced post-exploitation phases. This strategic pivot allows them to potentially facilitate deeper network compromise for themselves or for their clients in the cybercriminal underworld.
Their multi-loader campaigns, heavily relying on Pikabot and Latrodectus, were ongoing in October 2024, concurrently with persistent NTLM-targeted credential theft efforts against large enterprises globally. Further expansion of their campaign activities across diverse international industries, with continued links to Black Basta ransomware incidents, was observed in January 2025. TA577’s adaptability, combined with their focus on credential theft and ties to ransomware, elevates their threat profile, presenting a significant and ongoing risk for organizations susceptible to lateral movement and domain compromise.
Related content
TA578: A Persistent Initial Access Broker Evolving with New Loaders
Adversary ProfileTA551: Persistent Initial Access Broker Fueling Cybercrime
Adversary ProfileStorm-1811: Financially Motivated Ransomware Affiliate
Adversary ProfileFIN7: From Point-of-Sale Theft to Ransomware Kingpins
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call