2 malware families

TA2715

Also known as: TA2715

TA2715 is a threat actor tracked by Proofpoint and described as a cybercriminal group involved in phishing campaigns. Proofpoint has observed TA2715 using the DTPacker malware packer/downloader in campaigns since at least 2020. In the cited activity, TA2715 conducted phishing campaigns delivering Stealerium, and DTPacker associated with TA2715 has also been used to distribute information stealers and RATs including Agent Tesla, Ave Maria (Warzone RAT), AsyncRAT, FormBook, and Snake Keylogger.

Email is described as the primary infection vector: malicious attachments lead to DTPacker execution, which then decodes and executes the payload. DTPacker used in activity associated with TA2715 employs multiple obfuscation techniques, including custom XOR routines, character code substitution, string obfuscation, junk Unicode characters, base64 encoding, and fixed decoding passwords such as "trump2020" and "Trump2026". Proofpoint observed DTPacker in dozens of campaigns and noted that it has been used by multiple threat actors, including TA2715 and TA2536, against hundreds of customers across multiple industries. The source reporting provides no additional aliases, sub-groups, or nation-state attribution for TA2715.


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • finance