4 malware families

TA577

Also known asTA577

TA577 is an initial access broker (IAB) and prolific malware distributor active in email-driven intrusion chains. The content describes TA577 as a prolific Qbot/Qakbot distributor prior to Qbot’s 2023 disruption and notes that TA577 campaigns have previously led to Black Basta ransomware. TA577 has also been associated with Water Curupira as an alias. Based on the provided content, TA577 has used BAT files in malware execution chains, JavaScript to execute additional malicious payloads, and LNK files to execute embedded DLLs. The content also maps TA577 to spearphishing links (T1566.002), Windows command shell execution (T1059.003), and JavaScript execution (T1059.007). The actor is described as having used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot. In mid-February, TA577 experimented with a Java Archive (JAR) dropper to deliver Pikabot; the described sample extracted an embedded DLL disguised as a PNG file to the Windows temporary directory and executed it via regsvr32.exe. The content also states that TA577 typically uses thread hijacking to deliver malware, with Qbot as a preferred payload, and that IcedID has also been observed delivered by TA577. Additional content states that TA577 has been used in campaigns associated with Latrodectus and that multiple threat actors, including TA577, have utilized Qakbot. Proofpoint reporting in the provided content states that TA577, along with TA571 and TA544, considerably decreased activity or disappeared from email campaign data since mid-2024.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

19 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics28 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1586

Compromise Accounts

T1586.002

Email Accounts

TA0001

Initial Access

1 technique

T1566

Phishing

T1566.001×5

Spearphishing Attachment

T1566.002×8

Spearphishing Link

T1566.003

Spearphishing via Service

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.003×7

Windows Command Shell

T1059.005

Visual Basic

T1059.007×5

JavaScript

T1204

User Execution

T1204.001×2

Malicious Link

TA0003

Persistence

1 technique

T1547

Boot or Logon Autostart Execution

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

1 technique

T1547

Boot or Logon Autostart Execution

T1547.009

Shortcut Modification

TA0005

Stealth

4 techniques

T1027

Obfuscated Files or Information

T1027.009

Embedded Payloads

T1036

Masquerading

T1070

Indicator Removal

T1070.003

Clear Command History

T1218

System Binary Proxy Execution

T1218.010

Regsvr32

T1218.014

MMC

TA0112

Defense Impairment

1 technique

T1553

Subvert Trust Controls

T1553.002

Code Signing

TA0006

Credential Access

1 technique

T1003

OS Credential Dumping

TA0011

Command and Control

1 technique

T1105

Ingress Tool Transfer

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

IcedIDIcedID is a malware originally classified as a banking trojan and was first observed in 2017. It also acts as a loader for other malware, including ransomware.3May 25, 2026

LatrodectusProofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality.3May 25, 2026

PikabotTA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot.3May 25, 2026

QakBotThis malware was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to the malware’s disruption in 2023.3May 25, 2026

IOCS

Observables

73 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

73 IOCsView more in app

Domains

47 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+39

uri

11 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+3

hash.sha256

8 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

ip.v4

4 total

••••••••••••••••••••••••••••••••••••••

hash.md5

2 total

•••••••••••••••••

hash.sha1

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 13, 2026

Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

splunk researchNews

Apr 13, 2026

Detection: Windows GrimResource - MMC Process Accessing APDS DLL | Splunk Security Content

Listed as a threat actor associated with the MMC/GrimResource detection analytic.

breakglass intelNews

Mar 14, 2026

IcedID / Latrodectus - Signed WiX MSI Dropper Campaign - Breakglass Intelligence - Breakglass Intelligence

Likely delivery operator for this campaign, using KongTuke traffic distribution to deliver a signed MSI that drops IcedID, which then leads to Latrodectus C2 activity. The report frames this as a ransomware-precursor and credential-theft intrusion chain.

splunk researchNews

Feb 25, 2026

Detection: CMD Echo Pipe - Escalation | Splunk Security Content

Listed as a threat actor associated with the named-pipe impersonation privilege-escalation detection.

+32 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping19

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables73

Domains, IPs, and hashes tied to this actor, refreshed continuously.