Threat Group Cards: A Threat Actor Encyclopedia

Names	TA558 (Proofpoint)
Country	[Unknown]
Motivation	Financial crime
First seen	2018
Description	(Proofpoint) Since 2018, Proofpoint has tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.
Observed	Sectors: Hospitality. Countries: Latin America, Western Europe and North America.
Tools used	AsyncRAT, AZORult, Loda, njRAT, RemcosRAT, Vjw0rm, RevengeRAT, XtremeRAT.
Information	<https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel>

Last change to this card: 12 September 2022

Download this actor card in PDF or JSON format