TAC5279
TAC5279 is a ransomware affiliate threat activity cluster tracked by Sophos X-Ops and assessed to overlap with Microsoft's Vanilla Tempest (formerly DEV-0832). Sophos observed the cluster in six enterprise intrusions between November 2022 and June 2023, against organizations in government/logistics, logistics, education, and manufacturing. It deployed Vice Society ransomware in incidents from November 2022 through May 2023 and Rhysida in June 2023. Sophos states with high confidence that the affiliate cluster transitioned from deploying Vice Society to deploying Rhysida while keeping its tradecraft consistent, but does not confirm that Vice Society rebranded as Rhysida.

Initial access in all six incidents used valid VPN credentials on accounts without MFA. Sophos assesses the credentials may have been obtained before the intrusion, potentially from an initial access broker. Dwell time ranged from 4 to 112 days. In at least one case the cluster exploited ZeroLogon (CVE-2020-1472) to take control of a domain controller.

Post-compromise activity included network discovery with Advanced Port Scanner and Advanced IP Scanner, and commands such as whoami, nltest.exe /dclist, quser.exe, query.exe, net.exe, and tracert.exe. Lateral movement relied primarily on RDP, with PuTTY/SSH and PsExec also observed. Credential access included dumping ntds.dit from domain controllers with ntdsutil.exe, a repeated PowerShell-plus-ntdsutil IFM backup pattern writing to c:\temp_l0gs, use of secretsdump.exe, and LSASS memory dumping.

For command and control and persistence, Sophos observed PortStarter, a Go-based backdoor that modifies firewall settings, opens ports, and connects to configured C2 servers, mainly in the earlier Vice Society cases. PortStarter persistence was established through scheduled tasks named System and SystemCheck that executed DLLs with rundll32. Sophos also observed SystemBC as a proxy/remote administration tool; it became the primary C2 method in the Rhysida cases, and PortStarter was not seen after the transition. SystemBC persistence used PowerShell scripts named svchost.ps1 that created an HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value named socks. The cluster also frequently used AnyDesk for remote access.

Data theft preceded encryption in nearly all incidents. TAC5279 used 7zip, WinSCP, and MegaSync for staging and exfiltration, and Sophos observed a PowerShell exfiltration script that enumerated drives via WMI and uploaded data to a C2 /upload endpoint. In one long-dwell Vice Society case the attackers exfiltrated 770GB of data.

Known aliases and related tracking: TAC5279; Vanilla Tempest; DEV-0832. Associated ransomware payloads observed in this cluster: Vice Society and Rhysida.
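As an added example (not Sophos's or Mallory's code), the following Python sketches host-telemetry detections for the TAC5279 behaviours described above: the ntdsutil IFM dump of ntds.dit, PortStarter's System/SystemCheck rundll32 scheduled tasks, SystemBC's `socks` Run value, and a burst of the cluster's discovery commands on one host. The normalized event shape and every sample record are constructed for the example.

```python
import re

# Constructed sample telemetry (not real logs), shaped like normalized
# Sysmon process-creation, scheduled-task and registry-set events.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "host": "dc01",  # IFM snapshot to the cluster's c:\temp_l0gs path
     "cmdline": "powershell.exe -c ntdsutil.exe 'ac i ntds' ifm 'create full c:\\temp_l0gs' q q"},
    {"id": 2, "kind": "task", "host": "ws14", "task_name": "SystemCheck",
     "cmdline": r"rundll32.exe C:\ProgramData\update.dll,Start"},
    {"id": 3, "kind": "registry", "host": "ws14", "image": "powershell.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value_name": "socks"},
    {"id": 4, "kind": "process", "host": "ws02", "cmdline": "nltest.exe /dclist:corp.local"},
    {"id": 5, "kind": "task", "host": "ws14", "task_name": "GoogleUpdateTaskMachine",  # benign
     "cmdline": r"C:\Program Files\Google\Update\GoogleUpdate.exe /ua"},
    {"id": 6, "kind": "process", "host": "ws02", "cmdline": "whoami.exe /all"},
    {"id": 7, "kind": "process", "host": "ws02", "cmdline": "quser.exe"},
]

def _cmd(ev) -> str:
    return ev.get("cmdline", "").lower()

RULES = {
    # Credential access: ntdsutil IFM snapshot of ntds.dit on a domain controller
    "ntdsutil_ifm_dump": lambda ev: ev["kind"] == "process"
        and "ntdsutil" in _cmd(ev) and re.search(r"\bifm\b", _cmd(ev)) is not None,
    # Persistence: PortStarter scheduled task named System/SystemCheck running a DLL via rundll32
    "portstarter_task": lambda ev: ev["kind"] == "task"
        and ev.get("task_name", "").lower() in {"system", "systemcheck"}
        and "rundll32" in _cmd(ev),
    # Persistence: SystemBC HKCU ...\CurrentVersion\Run value named "socks"
    "systembc_run_key": lambda ev: ev["kind"] == "registry"
        and ev.get("key", "").lower().endswith(r"\currentversion\run")
        and ev.get("value_name", "").lower() == "socks",
}

DISCOVERY_TOOLS = ("whoami", "nltest", "quser", "query", "net.exe", "tracert")

def detect(events):
    """Return (rule_name, event_id) for every event that matches a rule."""
    return [(name, ev["id"]) for ev in events for name, pred in RULES.items() if pred(ev)]

def discovery_burst(events, threshold=3):
    """Hosts on which at least `threshold` distinct tools from the cluster's discovery set ran."""
    seen = {}
    for ev in events:
        if ev["kind"] == "process":
            for tool in DISCOVERY_TOOLS:
                if tool in _cmd(ev):
                    seen.setdefault(ev["host"], set()).add(tool)
    return sorted(h for h, tools in seen.items() if len(tools) >= threshold)
```

The per-event rules are intentionally narrow so they corroborate rather than replace broader LSASS, ntdsutil and Run-key detections; the discovery burst is what ties individually common commands such as whoami back to this cluster's pattern.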
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- government
- logistics
- education
- manufacturing
- healthcare
Tradecraft
15 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns, which has been exploited in the wild.
Observables
5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
1 source tracked across advisories, community write-ups, and news.