TA581
TA581 is a threat actor that Proofpoint has tracked since mid-2022 and formally designated in March 2023. Proofpoint associates TA581 with the Forked IcedID variant and notes that the actor appears to function as an initial access facilitator or distributor.

Beginning in February 2023, Proofpoint observed TA581 distributing Forked IcedID in email campaigns that used invoice-themed lures with Microsoft OneNote (.one) attachments and recall/FDA-themed lures with .URL attachments. The observed infection chain ran from concealed HTA content to PowerShell, then to BAT execution, and finally to rundll32 loading the IcedID loader DLL through the non-standard export name PluginInit.

IcedID campaign IDs tied to TA581 showed no unique pattern, which supports the assessment that the actor is solely a distributor or overlaps with another threat group. Proofpoint assessed Forked IcedID itself as a modified or forked codebase rather than a direct upgrade of Standard IcedID. No additional aliases or sub-groups are reported for TA581.
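The OneNote -> HTA -> PowerShell -> BAT -> rundll32 chain described above maps directly onto process-lineage detection. The following is an added example in Python, not code from Proofpoint or from this page, that runs two such checks over constructed process-creation events modelled on Sysmon Event ID 1: a script host with ONENOTE.EXE anywhere in its ancestry, and rundll32 invoking the PluginInit export, annotated with whether the DLL lives in a user-writable path. The event fields, process IDs, file names and paths are assumptions made for illustration; the two benign events show that a Control Panel rundll32 call and a user-launched PowerShell do not alert.

```python
"""Lineage-based detection for the OneNote/HTA/PowerShell/BAT/rundll32 chain.
Added example; events are constructed (Sysmon Event ID 1 style), not real telemetry."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed events: one malicious chain plus two benign processes that must not alert.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 3880, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 3880, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" "C:\Users\u\Downloads\Invoice_0223.one"'},
    {"pid": 4220, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\inv\NT\0\invoice.hta"'},
    {"pid": 4300, "ppid": 4220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"pid": 4380, "ppid": 4300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"pid": 4460, "ppid": 4380, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\loader.dll,PluginInit"},
    # Benign: a Control Panel applet launched from explorer also goes through rundll32.
    {"pid": 5000, "ppid": 3880, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    # Benign: PowerShell opened interactively from explorer.
    {"pid": 5100, "ppid": 3880, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"powershell.exe"'},
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# rundll32 syntax is <dll>,<export>; whitespace around the comma and quoting of the DLL are tolerated.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[^\s"]+)', re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)


def parse_rundll32(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmd)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def image_name(event: Event) -> str:
    return ntpath.basename(str(event["image"])).lower()


def lineage(events: List[Event], pid: int) -> List[str]:
    """Walk ppid links and return [self, parent, grandparent, ...] as lowercase image names."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(image_name(by_pid[pid]))
        pid = int(by_pid[pid]["ppid"])
    return chain


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Apply both rules to every event and return the findings."""
    findings: List[Dict[str, object]] = []
    for e in events:
        name = image_name(e)
        chain = lineage(events, int(e["pid"]))
        # Rule 1: a script host (HTA, PowerShell, BAT via cmd) descended from OneNote.
        if name in SCRIPT_HOSTS and "onenote.exe" in chain[1:]:
            findings.append({"rule": "script_host_under_onenote", "pid": e["pid"], "chain": chain})
        # Rule 2: rundll32 invoking the PluginInit export; note where the DLL came from.
        if name == "rundll32.exe":
            parsed = parse_rundll32(str(e["cmd"]))
            if parsed and parsed[1].lower() == "plugininit":
                findings.append({"rule": "rundll32_plugininit_export", "pid": e["pid"], "dll": parsed[0],
                                 "user_writable_dll": bool(USER_WRITABLE_RE.search(parsed[0])),
                                 "onenote_in_lineage": "onenote.exe" in chain})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Rule 2 alone will also fire on Standard IcedID loaders that use the same export, so the lineage and path annotations are what separate a OneNote-delivered sample from other tradecraft when triaging; in production the hard-coded PPID walk would be replaced by the EDR's own parent-chain fields.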
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Referenced as an IcedID-associated activity cluster; the lack of unique campaign-ID patterns suggests it may be primarily a distributor or may overlap with another group. No additional operational details are provided in this source.
Threat actor referenced in the IcedID campaign-ID attribution analysis; suspected to be primarily a distributor or to overlap with another threat group.
Initial access facilitator distributing the Forked IcedID variant (and at times Bumblebee or TOAD, telephone-oriented attack delivery), using business-themed lures and varied attachment types; linked to large-scale email campaigns delivering IcedID via OneNote/HTA/PowerShell chains.