ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > TA511

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Other threat group: TA511

NamesTA511 (Proofpoint)
MAN1 (?)
Moskalvzapoe (?)
MotivationFinancial crime
First seen2018
Description(Palo Alto) Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. In a threat brief from 2018, we noted Hancitor was relatively unsophisticated, but it would remain a threat for years to come. Approximately three years later, Hancitor remains a threat and has evolved to use tools like Cobalt Strike. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts. This blog illustrates how the threat actor behind Hancitor uses the network ping tool, so security professionals can better identify and block its use.
ObservedCountries: Argentina, Brazil, Canada, Germany, Hong Kong, India, Ireland, Israel, Italy, Japan, Kazakhstan, Lithuania, Malaysia, Netherlands, Russia, Singapore, South Africa, South Korea, Taiwan, Thailand, Turkey, Ukraine, UK, USA, Vietnam.
Tools usedCobalt Strike, Ficker Stealer, Hancitor, NetSupport Manager.
Operations performedOct 2020Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool

Last change to this card: 21 April 2021

Download this actor card in PDF or JSON format

Previous: Smoky Spider
Next: TA516

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]