ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: TA516

Names: TA516 (Proofpoint), SmokingDro (Proofpoint)
Motivation: Financial crime, Financial gain
First seen: 2016
Description: (Proofpoint) This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor's choice -- often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.
Observed: Countries: Worldwide.
Tools used: AZORult, Chthonic, Smoke Loader, Zeus Panda.
Operations performed:
Jul 2016: Threat Actors Using Legitimate PayPal Accounts To Distribute Chthonic Banking Trojan
Jul 2018: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Nov 2019: New AZORult campaign abuses popular VPN service to steal cryptocurrency
Feb 2020: AZORult Campaign Adopts Novel Triple-Encryption Technique
Feb 2020: AZORult spreads as a fake ProtonVPN installer

Last change to this card: 01 January 2023

Digital Service Security Center
Electronic Transactions Development Agency