TA582
TA582 is a post-exploitation and malware delivery operator tracked by Recorded Future; Mandiant tracks the same activity as UNC4108. The reporting places TA582 downstream of the SocGholish fake browser update ecosystem and as a user of the TAG-124/KongTuke traffic distribution system. TA582 has been identified among multiple threat actors incorporating TAG-124 into initial infection chains, alongside operators such as TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, Rhysida, and Interlock.

TA582 is associated in the provided reporting with GhostWeaver, a non-commodity, fileless in-memory PowerShell RAT that communicates over TLS on TCP port 25658 using a custom protocol carrying GZip-compressed JSON. GhostWeaver uses four DGAs across the kill chain, hardcoded public DNS resolvers to bypass enterprise DNS controls, and a plugin architecture supporting browser, Outlook, and cryptocurrency wallet credential theft, web injection via a MITM proxy, and redeployment of the initial loader. Researchers observed active GhostWeaver C2 nodes accepting beacons without challenge-response and rapidly pushing a PowerShell persistence framework.

The infection chain described for TA582 involves compromised WordPress sites and fake browser update lures associated with SocGholish/ParrotTDS and TAG-124/KongTuke. Delivery uses MintsLoader to profile victims and evade sandbox analysis by scoring host characteristics such as VM indicators, GPU type, and CPU cache levels; payloads may be withheld from sandbox-like environments or replaced with decoys.

GhostWeaver persistence includes AV-aware mode selection, a CMSTPLUA COM UAC bypass, PEB masquerading to impersonate explorer.exe, scheduled-task persistence running every three minutes, and disabling of the Task Scheduler operational event log.

Aliases directly supported by the content are TA582 and UNC4108.
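The three network and persistence behaviours above (direct queries to public DNS resolvers, TLS C2 on TCP 25658, a scheduled task repeating every three minutes) translate into simple host-correlated detections. The block below is an added example, not code from the page or any vendor product; the enterprise resolver addresses, the record layout and all sample values are assumptions, not indicators taken from the reporting.

```python
# Added detection example (not code from the page or any vendor). Flags three
# GhostWeaver behaviours from the reporting over constructed records; resolver
# IPs, record layout and sample values are assumptions, not page indicators.
from collections import defaultdict
from dataclasses import dataclass

ENTERPRISE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumption: sanctioned resolvers
GHOSTWEAVER_C2_PORT = 25658                        # port named in the reporting
SUSPICIOUS_TASK_INTERVAL_MIN = 3                   # task cadence named in the reporting

@dataclass(frozen=True)
class Finding:
    host: str
    reason: str

def check_network(events):
    """events: dicts with host, proto, dst, dport (constructed firewall log)."""
    findings = []
    for e in events:
        if e["dport"] == 53 and e["dst"] not in ENTERPRISE_RESOLVERS:
            findings.append(Finding(e["host"], "dns_bypass"))   # public resolver used directly
        if e["proto"] == "tcp" and e["dport"] == GHOSTWEAVER_C2_PORT:
            findings.append(Finding(e["host"], "c2_port"))      # TLS C2 on non-standard port
    return findings

def check_tasks(tasks):
    """tasks: dicts with host, name, repeat_minutes (constructed task-registration records)."""
    return [Finding(t["host"], "task_3min")
            for t in tasks if t["repeat_minutes"] == SUSPICIOUS_TASK_INTERVAL_MIN]

def correlate(findings, min_distinct=2):
    """Hosts showing at least min_distinct different behaviours, for triage priority."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.reason)
    return sorted(h for h, r in by_host.items() if len(r) >= min_distinct)

# Constructed sample records; IPs are documentation ranges, not IOCs from the page.
NET_SAMPLE = [
    {"host": "ws01", "proto": "udp", "dst": "10.0.0.53",    "dport": 53},
    {"host": "ws01", "proto": "udp", "dst": "203.0.113.53", "dport": 53},
    {"host": "ws01", "proto": "tcp", "dst": "198.51.100.7", "dport": 25658},
    {"host": "ws02", "proto": "udp", "dst": "203.0.113.53", "dport": 53},
]
TASK_SAMPLE = [
    {"host": "ws01", "name": "UpdateCheck", "repeat_minutes": 3},
    {"host": "ws03", "name": "Backup", "repeat_minutes": 1440},
]
if __name__ == "__main__":
    print("prioritised hosts:", correlate(check_network(NET_SAMPLE) + check_tasks(TASK_SAMPLE)))
```

Because the reporting says GhostWeaver disables the Task Scheduler operational log, feed `check_tasks` from a source the implant cannot silence (task XML files on disk or EDR process telemetry) rather than from that log alone.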
Tradecraft
26 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Observables
33 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Referenced as an APT customer of KongTuke's infection distribution service.
Operator attributed to the GhostWeaver fileless PowerShell RAT activity, delivered downstream of the SocGholish fake browser update infection chain; uses sandbox-aware delivery (MintsLoader profiling), AV-aware persistence selection, fileless in-memory execution, DGA-based C2 with direct queries to public DNS resolvers, and TLS C2 on a non-standard port.
Post-exploitation operator within the TAG-124 TDS ecosystem. Runs downstream activity after initial access, including MintsLoader victim scoring/profiling, DGA infrastructure, GhostWeaver (Pantera) deployment, and delivery of a PowerShell persistence installer; uses sandbox evasion to deliver decoys to analysis environments and real payloads to low-score (real) machines.
A named activity cluster assessed to leverage TAG-124 as a delivery component in initial infection chains.