TA547

TA547, also referred to as Scully Spider in the provided reporting, is a financially motivated cybercriminal threat actor assessed as an initial access broker (IAB). The content links TA547 to sophisticated banking malware and loaders, including DanaBot, and reports that the group offered access to DanaBot for approximately $3,000 to $4,000 per month. Prosecutorial reporting cited in the content describes the DanaBot group as Russia-based and tracks it as TA547 / Scully Spider. Proofpoint reported that TA547 leveraged Rhadamanthys throughout 2024 and identified the actor targeting German organizations with invoice-themed email campaigns impersonating the retailer Metro. In that activity, TA547 sent password-protected ZIP archives containing LNK files that launched PowerShell to retrieve and execute a remote script, which decoded a Base64-encoded Rhadamanthys payload and executed it in memory as a .NET assembly. The reporting states this was the first observed TA547 use of Rhadamanthys and marked a shift from the actor’s more typical NetSupport RAT deliveries. The content also states that since 2023 TA547 has typically delivered NetSupport RAT and has also delivered StealC and Lumma Stealer. In 2023 the actor favored zipped JavaScript attachments, and by early March 2024 had shifted to compressed LNK attachments. The German Rhadamanthys campaign targeted dozens of organizations across multiple industries. Recent geographic targeting mentioned in the content also includes Spain, Switzerland, Austria, and the United States. Proofpoint further suspected that a PowerShell loader used by TA547 in the Rhadamanthys campaign may have been written with assistance from an LLM, based on unusually specific and grammatically correct comments, though the reporting notes this did not alter the malware’s core behavior or defensive detection approach. Known aliases in the provided content: Scully Spider.