ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: TA551, Shathak

Names:
TA551 (Proofpoint)
Gold Cabin (SecureWorks)
Shathak (?)
Monster Libra (Palo Alto)

Country: Russia

Motivation: Financial gain

First seen: 2016

Description: (Palo Alto) TA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking victims. The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically pushed different families of information-stealing malware like Ursnif and Valak. After mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer.

Observed:

Tools used: BokBot, Gozi, Sliver, Valak.

Operations performed:
Oct 2021: TA551 Uses ‘SLIVER’ Red Team Tool in New Activity
<https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity>
Jan 2021: From IcedID to Domain Compromise
<https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise>

Information:
<https://unit42.paloaltonetworks.com/ta551-shathak-icedid/>
<https://unit42.paloaltonetworks.com/valak-evolution/>
<https://github.com/pan-unit42/iocs/tree/master/TA551>

MITRE ATT&CK: <https://attack.mitre.org/groups/G0127/>

Playbook: <https://pan-unit42.github.io/playbook_viewer/?pb=monsterlibra>

Last change to this card: 10 March 2024
