TA575
TA575 is a large cybercrime actor tracked by Proofpoint since late 2020. The group is financially motivated and is associated with distributing Dridex, including as affiliate ID 22203. Proofpoint reported TA575 conducting large-scale email campaigns, often sending thousands of emails per campaign and impacting hundreds of organizations, primarily in the United States across multiple industries. TA575 distributes malware via malicious URLs, Microsoft Office attachments, and password-protected files, and commonly uses invoicing, payment, pop-culture, news, or other socially engineered themes as lures. In one reported campaign, TA575 used Netflix 'Squid Game' themed phishing emails that impersonated people working on the show and enticed recipients with early access to a new season or casting opportunities. The emails carried malicious Excel attachments containing macros that, when enabled, downloaded Dridex from Discord-hosted URLs. Proofpoint also reported that TA575 uses Discord's content delivery network to host and distribute payloads. Dridex is described in the reporting as a banking trojan used for credential and financial theft, information gathering, and as a malware loader that can enable follow-on infections, including ransomware. Additional reporting cited TA575 as specializing in Dridex and operating swaths of Cobalt Strike servers. Known alias in the provided content: TA575.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- various
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
TA575 is a Dridex affiliate known for distributing malware via malicious emails, often using popular cultural references as lures. In this campaign, TA575 used Squid Game-themed phishing emails with malicious Excel attachments to deliver Dridex banking trojan, primarily targeting organizations in the United States.
Financially motivated cybercrime group tracked by Proofpoint since late 2020; runs large-scale email campaigns using pop-culture lures (e.g., "Squid Game") to deliver Dridex via malicious Office attachments, leveraging Discord CDN URLs for payload hosting/delivery; associated with operating Cobalt Strike infrastructure and using Dridex as a banking trojan and loader for follow-on infections (including ransomware).
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.