TA571
TA571 is a sophisticated, financially motivated cybercriminal threat actor tracked by Proofpoint as a high-volume spam distributor and initial access broker that delivers malware for cybercriminal customers. Proofpoint describes TA571 as running large-scale email campaigns and has assessed with high confidence that TA571 infections can lead to ransomware. Observed delivery activity includes high-volume malspam, thread hijacking, PDF attachments containing OneDrive links, and 404 TDS infrastructure with intermediary gates that apply IP and geo-fencing to validate targets and evade sandboxes and researchers. TA571 has also been associated with ClickFix-style social engineering and with fake error messages impersonating Google Chrome, Microsoft Word, and OneDrive. Malware and payloads directly mentioned in connection with TA571 include IcedID (including the Forked IcedID variant), Rhadamanthys, AsyncRAT, NetSupport, DarkGate, and PowerShell-based malware.

Proofpoint first tracked Rhadamanthys in December 2022 in a campaign attributed to TA571, with post-exploitation attributed to TA866. In October 2023, Proofpoint observed TA571 delivering Forked IcedID in two campaigns that used thread-hijacking lures and 404 TDS URLs leading to password-protected ZIP archives; each archive contained a VBS script that launched an embedded loader via regsvr32. In January 2024, Proofpoint attributed the spam distribution in a campaign delivering a PDF-to-OneDrive-to-JavaScript-to-MSI/VBS chain to TA571, while the post-exploitation tooling, including WasabiSeed and Screenshotter, was attributed to TA866.

TA571 activity has been linked to 404 TDS. Separate reporting states that Vacant Viper is known to affiliate with TA571 and that 404 TDS delivered IcedID and other malware. TA571 has also been cited alongside ClearFake in reporting on social-engineering delivery of PowerShell malware and was identified as an early actor using ClickFix.

Proofpoint has observed TA571's activity decrease, or disappear from email campaign data altogether, since mid-2024.
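Two of the delivery patterns described above leave recognisable process-creation telemetry: a VBS script (running under wscript.exe or cscript.exe) launching regsvr32 to load a DLL dropped in a user-writable directory, and a ClickFix-style lure in which the victim pastes a PowerShell command into the Run dialog, so powershell.exe is spawned by explorer.exe. The following is an added detection example, not code from Proofpoint or from the reporting summarised here; the explorer.exe-parent heuristic for ClickFix, the user-writable-path regex, and the sample events are all assumptions constructed for illustration.

```python
"""Flag process-creation events that match two TA571-style delivery patterns:
(1) a VBS host (wscript/cscript) launching regsvr32 on a DLL under a
    user-writable path, as in the October 2023 Forked IcedID campaigns;
(2) a ClickFix-style PowerShell launch with explorer.exe as parent (assumed
    to reflect a command pasted into the Run dialog).
All event records below are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption: these locations are where a ZIP-extracted VBS would drop a DLL.
USER_WRITABLE = re.compile(
    r"(?i)\\(users\\[^\\]+\\(appdata|downloads|desktop)|temp|programdata)\\"
)

# Assumption: flags/cmdlets typical of pasted one-liners (hidden window,
# encoded command, in-memory execution).
CLICKFIX_FLAGS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring)"
)


@dataclass
class Event:
    image: str      # full path of the created process
    parent: str     # full path of the parent process
    cmdline: str    # command line of the created process


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(ev: Event) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    findings = []
    img, par = basename(ev.image), basename(ev.parent)
    if img == "regsvr32.exe" and par in SCRIPT_HOSTS and USER_WRITABLE.search(ev.cmdline):
        findings.append("vbs_regsvr32_loader")
    if img == "powershell.exe" and par == "explorer.exe" and CLICKFIX_FLAGS.search(ev.cmdline):
        findings.append("clickfix_powershell")
    return findings


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Run check() over a batch and return (event index, rule name) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check(ev)]


# Constructed sample batch: two suspicious events followed by two benign ones.
SAMPLE = [
    Event(r"C:\Windows\System32\regsvr32.exe",
          r"C:\Windows\System32\wscript.exe",
          r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\invoice.dll"'),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe",
          'powershell.exe -w hidden -nop -c "iex ([constructed placeholder])"'),
    Event(r"C:\Windows\System32\regsvr32.exe",          # installer registering a system DLL
          r"C:\Windows\System32\msiexec.exe",
          r"regsvr32.exe /s C:\Windows\System32\example.dll"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # admin at a console
          r"C:\Windows\System32\cmd.exe",
          "powershell.exe -c Get-Service"),
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE):
        print(f"event {idx}: {rule}")
```

The two rules are deliberately narrow (parent/child pair plus a path or command-line condition) so that installer-driven regsvr32 use and interactive PowerShell sessions do not fire; a real deployment would feed it Sysmon Event ID 1 or EDR process-creation records instead of the constructed list.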
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Referenced as a threat actor associated (in related reporting) with ClearFake-style social engineering used to deliver PowerShell-based malware via fake CAPTCHA/ClickFix lures.
Priority cybercriminal threat actor that distributed Rhadamanthys in campaigns beginning in December 2022 and has used both exclusive and broadly available malware.
TA571 is involved in phishing campaigns using fake Google Meet pages to deliver malware such as AsyncRAT, StealC, and Rhadamanthys, targeting both Windows and macOS users.
Referenced as an early adopter of ClickFix (from March 2024) in cybercriminal activity; no further operational details provided in the content.