Skip to main content
Mallory
Back to threat actors
5 malware familiesExploits CVEs in the wild

TA2541

Also known asTA2541

TA2541 is a threat actor tracked as TA2541. In the provided content, it is associated with phishing-led intrusion activity using malicious attachments, including Microsoft Word documents and macro-enabled Word files, to lure victims into executing payloads. The actor has used commodity remote access tools, including AsyncRAT, and has used TLS-encrypted command-and-control communications. Observed tradecraft in the provided content includes persistence via VBS files placed in the Startup folder, Registry Run keys, and scheduled tasks; system discovery and victim profiling through collection of system information and WMI queries for installed security products; PowerShell for file download and injection into Windows processes; code injection into legitimate .NET-related processes including regsvcs.exe, msbuild.exe, and installutil.exe; use of compressed and character-encoded scripts; masquerading through filenames that mimic legitimate Windows files or system functionality; and defense evasion through attempts to disable built-in protections such as Windows AMSI.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

43 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics61 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1588
Obtain Capabilities
T1588.002×3
Tool
T1608×2
Stage Capabilities
T1608.001×2
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
2 techniques
T1190
Exploit Public-Facing Application
T1566
Phishing
T1566.001×6
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
6 techniques
T1047×2
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001×14
PowerShell
T1059.005
Visual Basic
T1059.007
JavaScript
T1129
Shared Modules
T1204
User Execution
T1204.002×4
Malicious File
T1574×2
Hijack Execution Flow
TA0003
Persistence
5 techniques
T1037
Boot or Logon Initialization Scripts
T1037.001
Logon Script (Windows)
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1112×2
Modify Registry
T1137
Office Application Startup
T1547
Boot or Logon Autostart Execution
T1547.001×5
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
5 techniques
T1037
Boot or Logon Initialization Scripts
T1037.001
Logon Script (Windows)
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1055×3
Process Injection
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1547
Boot or Logon Autostart Execution
T1547.001×5
Registry Run Keys / Startup Folder
TA0005
Stealth
6 techniques
T1027×2
Obfuscated Files or Information
T1027.002
Software Packing
T1027.013
Encrypted/Encoded File
T1036
Masquerading
T1055×3
Process Injection
T1218
System Binary Proxy Execution
T1218.005×2
Mshta
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
T1574×2
Hijack Execution Flow
TA0112
Defense Impairment
2 techniques
T1112×2
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0007
Discovery
6 techniques
T1012
Query Registry
T1018
Remote System Discovery
T1049
System Network Connections Discovery
T1082×3
System Information Discovery
T1087
Account Discovery
T1087.002
Domain Account
T1518×2
Software Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
TA0011
Command and Control
2 techniques
T1105×4
Ingress Tool Transfer
T1573
Encrypted Channel
T1573.002×2
Asymmetric Cryptography
ARSENAL

Associated malware families

5 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Cobalt StrikeDetects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike's popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.5May 6, 2026
AsyncRATTA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.2May 26, 2026
ImpacketThe following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.2Mar 17, 2026
NishangThe following analytic detects the use of the Nishang Invoke-PowerShellTCPOneLine utility, which initiates a callback to a remote Command and Control (C2) server.1Mar 17, 2026
RhadamanthysRhadamanthys is a prominent malware observed since 2022, used by multiple cybercriminal threat actors. It is a modular information stealer with multiple pricing plans, and the creators sell it alongside Elysium Proxy Bot and a Crypt Service.1Apr 22, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Binary Execution from an Archive | Splunk Security Content

Listed as a threat actor associated with the malicious file execution technique detected by this analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Cobalt Strike PowerShell Loader | Splunk Security Content

Listed as a threat actor associated with use of Cobalt Strike PowerShell loader patterns.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping43

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal5

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.