TA570

TA570 is a Proofpoint-tracked threat actor and Qbot/Qakbot affiliate routinely associated with distributing Qbot malware via phishing campaigns. The actor is described as one of the more active Qbot affiliates and is sometimes referred to as the “presidents” affiliate because its campaign identifiers use U.S. presidents’ names, such as “obama186,” “obama187,” and similar tags embedded in Qbot DLL configurations. TA570 has been observed using thread-hijacked email campaigns and opportunistic malspam for initial access. Reported delivery chains include large HTML attachments that reconstruct password-protected ZIP archives, disk image files containing .LNK shortcuts and hidden DLLs, and Word documents attempting to exploit CVE-2022-30190 (Follina) via the ms-msdt protocol. In the documented June 2022 activity, TA570 used both a traditional disk image -> LNK -> rundll32-loaded DLL execution path and a Follina-based Word document path to download and execute Qbot; subsequent waves reportedly dropped the Follina component and continued with the LNK and hidden DLL method. TA570 has also been associated with HTML smuggling-based Qakbot delivery activity. The content links TA570-delivered Qbot activity to follow-on intrusion activity including credential theft, browser data theft, email exfiltration for replay attacks, host and network discovery, and occasional delivery of Cobalt Strike. Qbot activity associated with TA570 is described as affecting multiple sectors, including government, financial services, legal, manufacturing, and education. The broader reporting notes that Qbot has been used as an access mechanism preceding ransomware operations, including activity correlated with Black Basta, but the content specifically identifies TA570 as the distributor/affiliate rather than attributing ransomware operations directly to TA570. Known aliases directly supported by the content: ta570.