12 malware familiesExploits CVEs in the wild

TA551

Also known asGOLD CABINmario_kartmonster_libraShathakTA551

TA551 is a Russia-based cybercriminal threat actor also tracked as Shathak, Mario Kart, GOLD CABIN, and Monster Libra; additional aliases mentioned in the content include ATK236 and G0127. Court records cited in the content state that between 2017 and 2021 the group was co-managed by Ilya Angelov, who used the monikers "milan" and "okart," and that the FBI designated the group as Mario Kart. The same reporting states the group operated a botnet used in ransomware attacks against U.S. organizations. The content describes TA551 primarily as a malware distributor associated with spearphishing-driven initial access. Reported delivery tradecraft includes spearphishing attachments, including password-protected ZIP files, and lures that prompt users to enable macros. One intrusion described in the content attributes the distribution stage to TA551, with a separate hands-on-keyboard actor conducting later intrusion activity. In that November 2022 case, TA551 was assessed as the distributor for a thread-hijacked phishing campaign using HTML smuggling to deliver a password-protected ZIP containing an ISO and LNK-based execution chain that installed IcedID, after which a separate affiliate deployed Nokoyawa ransomware. The content explicitly associates TA551 with use of cmd.exe for command execution, HTTP for command-and-control communications, and encoded ASCII text for initial C2 communications. ATT&CK-style annotations in the content also associate TA551 with Windows Command Shell (T1059.003), Regsvr32 abuse (T1218.010), Command Obfuscation (T1027.010), Malicious File Execution (T1204.002), and spearphishing attachment activity including UDL-file-based lures. A separate 2026 report in the content describes an IcedID Stage-1 MSI dropper leading to Latrodectus Stage-2 activity and assesses the operation with medium-high confidence as TA577- or TA551-aligned based on delivery and infrastructure patterns. That report notes likely delivery via the KongTuke traffic distribution system and reiterates that IcedID infections linked to this ecosystem should be treated as ransomware-precursor events due to historical follow-on ransomware deployment.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

30 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics43 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

1 technique

T1584

Compromise Infrastructure

T1584.005×3

Botnet

TA0001

Initial Access

3 techniques

T1078

Valid Accounts

T1133×2

External Remote Services

T1566×4

Phishing

T1566.001×21

Spearphishing Attachment

T1566.002×4

Spearphishing Link

TA0002

Execution

2 techniques

T1059

Command and Scripting Interpreter

T1059.003×3

Windows Command Shell

T1059.005

Visual Basic

T1059.007

JavaScript

T1204

User Execution

T1204.002×12

Malicious File

TA0003

Persistence

2 techniques

T1078

Valid Accounts

T1133×2

External Remote Services

TA0004

Privilege Escalation

3 techniques

T1055×2

Process Injection

T1078

Valid Accounts

T1134×2

Access Token Manipulation

TA0005

Stealth

7 techniques

T1027

Obfuscated Files or Information

T1027.006

HTML Smuggling

T1027.010

Command Obfuscation

T1036

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055×2

Process Injection

T1078

Valid Accounts

T1134×2

Access Token Manipulation

T1218

System Binary Proxy Execution

T1218.005×4

Mshta

T1218.010×2

Regsvr32

T1218.011×3

Rundll32

T1564

Hide Artifacts

T1564.006

Run Virtual Instance

TA0007

Discovery

1 technique

T1087

Account Discovery

T1087.002

Domain Account

TA0008

Lateral Movement

1 technique

T1210

Exploitation of Remote Services

TA0011

Command and Control

5 techniques

T1071

Application Layer Protocol

T1071.001×8

Web Protocols

T1105×6

Ingress Tool Transfer

T1132×2

Data Encoding

T1219×2

Remote Access Tools

T1568

Dynamic Resolution

T1568.002

Domain Generation Algorithms

TA0040

Impact

1 technique

T1486×7

Data Encrypted for Impact

ARSENAL

Associated malware families

12 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

IcedIDInside the ZIP was an ISO file... When the malicious DLL was executed, persistence was also established via a scheduled task on the beachhead host... Around three hours after execution of the initial IcedID malware, a cmd process was spawned from IcedID. This new process began beaconing to a Cobalt Strike server.8May 26, 2026

SliverSliver, an open-source, cross-platform adversary simulation and C2 framework originally designed for red team and penetration testing, enables command-and-control over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS...6Apr 1, 2026

QakBotThe eSentire Security Operations Center (SOC) has intercepted several incidents stemming from a recent Qakbot campaign. Qakbot is a malware-as-a-service (MaaS) known to precede ransomware intrusions associated with Maze, Egregor, and Conti ransomware groups.4Mar 18, 2026

URSNIF"TA551 has previously distributed malware payloads such as Ursnif, IcedID, Qbot, and Emotet."3Mar 18, 2026

Cobalt Strike"...potentially broker access to enable the deployment of Cobalt Strike and eventually ransomware."2Mar 18, 2026

7 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2025-55182React2ShellIn the wildEvidence1

"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."

IOCS

Observables

121 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

121 IOCsView more in app

ip.v4

50 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+42

Domains

42 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+34

hash.sha256

26 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+18

uri

2 total

•••••••••••••••••

hash.md5

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

splunk researchNews

Apr 13, 2026

Detection: Windows Command Obfuscation with Environment Variable Substrings | Splunk Security Content

Referenced as a threat actor associated with the command obfuscation technique using environment variable substrings in Windows command lines.

splunk researchNews

Apr 13, 2026

Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

splunk researchNews

Apr 13, 2026

Detection: Windows EFI Volume Mount Attempt Via Mountvol | Splunk Security Content

Listed in the detection annotations as a threat actor associated with EFI volume mounting / installation-related behavior.

splunk researchNews

Apr 13, 2026

Detection: Windows IOBit Unlocker Extension DLL Registration via Regsvr32 | Splunk Security Content

Referenced as a threat actor associated with the Regsvr32 stealth technique (T1218.010).

+160 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping30

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal12

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables121

Domains, IPs, and hashes tied to this actor, refreshed continuously.