TA543
TA543 is a financially motivated threat actor observed by Proofpoint conducting malspam campaigns. During the 2017–2018 holiday period, Proofpoint identified TA543 running an Ursnif campaign targeting Australian users via malicious Microsoft Word documents. The campaign used a billing-notification lure and stolen branding from a widely recognized New Zealand-based accounting software company. TA543 is associated with Ursnif delivery activity and email-based infection chains using malicious Office documents. Reporting also includes a mention of "Storm-0324 Financially motivated TA543, Sagrid," but does not provide sufficient supporting detail to state a confirmed alias mapping beyond TA543 itself.
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Financially motivated threat actor tracked by Microsoft as a Storm cluster.
Targeted Ursnif campaign against Australian users using malicious Microsoft Word documents and a billing-notification lure leveraging stolen branding from a New Zealand-based accounting software company.