Kegotip is an information-stealing malware family observed in financially motivated, email-borne malware operations. It steals credentials and harvests email addresses. Proofpoint observed it being loaded on April 6 and 7, 2016 by the RockLoader intermediary downloader alongside other payloads, including Dridex 220, Pony, and Locky, indicating that it could be delivered as one of several payloads in flexible spam-driven campaigns. TA505 briefly distributed Kegotip in April 2017 using macro-laden Word documents and zipped VBScript attachments. In the available reporting, Kegotip is therefore associated with TA505 activity and with delivery via malicious email attachments, particularly Office documents with macros and archived VBScript, as well as via RockLoader.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TA505 briefly distributed the Kegotip information stealer in April 2017.
2 distinct techniques documented for this family, organized by ATT&CK tactic.
In recent weeks, we detected a marked increase in email campaigns attempting to install Locky... This particular campaign... used malicious document attachments... Outside of the very large campaign detected on April 7th, the ransomware in many of these campaigns is being installed via JavaScript attachment files rather than documents.
This actor is frequently using it as an intermediate “downloader”. This downloader has been distributed both through JavaScript attachments and malicious documents and, in turn, downloads Locky... on April 6th and 7th, 2016, we spotted this downloader being used to load other malware including Dridex 220, Pony, and Kegotip.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential and email-address harvesting infostealer (FTP clients, Outlook, Internet Explorer) used to support further crimeware/spam operations; delivered via macro docs and zipped VBScript attachments.
Malware payload observed being delivered by RockLoader in addition to Locky, Dridex 220, and Pony.