Mallory
Financially motivated · 🇷🇺 RU · 5 malware families

TA542

Also known as: MUMMY SPIDER, ta542

TA542, also known as Mummy Spider, is a prolific cybercrime threat actor associated with the development, distribution, and operation of the Emotet botnet (also referred to as Geodo). Proofpoint reporting states that it has tracked TA542 since 2014, running large-scale international malspam campaigns that often send hundreds of thousands to millions of messages per campaign.

The actor has targeted organizations and users across North America, Central America, South America, Europe, Asia, and Australia, with frequent targeting of Germany, the United Kingdom, the United States, Latin America, Japan, and other regions; in some periods no clear industry-specific targeting was noted.

TA542 relies heavily on email-based delivery and social engineering. Observed tactics include high-volume malicious email campaigns, thread hijacking, localized-language lures, invoice-, payment- and business-themed messages, COVID-19 themes, brand impersonation, malicious Microsoft Word documents with macros, PDFs linking to macro-enabled Word documents, JScript, ZIP archives, URLs hosted on compromised sites (including WordPress installations), and frequent rotation of hardcoded payload URLs. Reporting also notes recurring use of Outlook address-book and email-harvesting capabilities, credential theft from browsers and mail clients, and a network spreader module for lateral movement.

Emotet is described as having evolved from a banking trojan into a modular malware platform and botnet used for spam distribution, credential theft, email harvesting, and delivery of additional malware. TA542 has been observed delivering follow-on payloads including Qbot, TrickBot, IcedID, Gootkit, Zeus Panda, and, in one report, Bumblebee. CrowdStrike reporting states that by mid-2017 Emotet was downloading other trojans including QakBot and Dridex, suggesting Mummy Spider was operating a pay-per-install loader service for other criminal groups. Proofpoint also observed IcedID Lite distributed as a follow-on payload in a TA542 Emotet campaign in November 2022.

Five Eyes reporting cited here identifies Mummy Spider/TA542 as a Russian-aligned cybercrime group; it does not describe TA542 as a state-sponsored actor. The aliases directly supported by the cited reporting are TA542 and Mummy Spider.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Banks
  • Consumer Discretionary Distribution & Retail
  • Health Care Equipment & Services
  • Academia & Research
  • Government & Administration
  • Software & Services

Where they're from

Attributed origin per open-source reporting.

  • RU

MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic (4 of 15 tactics covered).

  • TA0001 Initial Access (1 technique)
      • T1566 Phishing
  • TA0006 Credential Access (1 technique)
      • T1649 Steal or Forge Authentication Certificates
  • TA0011 Command and Control (1 technique)
      • T1105 Ingress Tool Transfer
  • TA0040 Impact (2 techniques)
      • T1486 Data Encrypted for Impact
      • T1498 Network Denial of Service
IOCs

Observables

111 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. The indicator values themselves are not shown on this page.
