TA544
TA544 is a financially motivated cybercrime threat actor first documented in 2017. Proofpoint describes it as part of a financial crime ring targeting industries in Japan and several European countries, with a focus on manufacturing and technology firms. Reported targeting includes organizations in Italy and Japan. Known aliases in the source reporting are NARWHAL SPIDER and Storm-0302.
TA544 is associated with high-volume malicious email activity. Proofpoint reported that, among malicious emails tied to known actors in Q4 2020, more than 60% of total volume came from TA544 and TA542. Proofpoint also observed that TA544 activity has decreased or disappeared from email campaign data since mid-2024, alongside that of other tracked initial access brokers.
The actor has distributed multiple malware families, including Ursnif, Panda Banker, URLZone, and IcedID. Proofpoint stated that TA544 frequently used Ursnif and observed a campaign targeting Japanese users in which malicious Microsoft Excel documents dropped URLZone and ultimately led to a final Ursnif payload. Proofpoint also reported that TA544 used IcedID in limited campaigns throughout 2022, typically targeting organizations in Italy and Japan, and that TA544 used the Standard IcedID variant. The reporting notes that TA544 campaign IDs contained Italian references.
TA544 is noted for email-based delivery and use of malicious Office documents, and Proofpoint specifically states that the actor is known for using steganography to hide malicious code in benign-looking images. The reporting also references NARWHAL SPIDER’s Cutwail v2 spambot being heavily utilized by DOPPEL SPIDER.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named threat actor referenced in global threat reporting.
Tracked initial access broker whose email campaign activity decreased or disappeared since mid-2024.
Referenced as an IcedID-affiliated activity cluster distinguished by themed IcedID bot campaign IDs (Italian references). No additional operational details provided in this content.
Threat actor referenced in the IcedID campaign-ID attribution analysis; associated with IcedID campaigns whose decoded project IDs contained Italian-themed references.