MITRE ATT&CK® Group

G0127: TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]

Enterprise | G0127 | Group | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

TA551 is a financially motivated ATT&CK group associated with email-based malware distribution campaigns aimed at English, German, Italian, and Japanese speakers. For leaders, the practical issue is not just “phishing”: the relationships show a pattern that can involve malicious attachments, user execution, Windows living-off-the-land utilities, obfuscation, web-based command and control, tool transfer, and malware families such as Ursnif, Valak, IcedID, QakBot, and Sliver. This makes email security, endpoint visibility, and incident response readiness the key decision areas.

Executive priority

Prioritize TA551 as an email-led intrusion risk that can affect business continuity through credential or financial data theft, malware deployment, and follow-on access. Executives should ask whether the organization can prove coverage across the full chain: exposed email-address collection, malicious attachment delivery, user execution, suspicious Windows utility use, outbound web C2, DGA-like DNS behavior, and downloaded tooling. This is also useful for audit and compliance evidence because it tests whether phishing defenses, endpoint logging, network monitoring, and response playbooks operate together rather than as isolated controls.

Technical view

ATT&CK does not provide a dedicated detection section for TA551, so validation should be built from the related techniques and software. SOC and detection teams should map coverage for T1566.001 Spearphishing Attachment, T1204.002 Malicious File, T1059.003 Windows Command Shell, T1218.005 Mshta, T1218.010 Regsvr32, T1218.011 Rundll32, T1027.003 Steganography, T1027.010 Command Obfuscation, T1071.001 Web Protocols, T1105 Ingress Tool Transfer, T1132.001 Standard Encoding, T1568.002 Domain Generation Algorithms, and T1589.002 Email Addresses. Because the related malware entries list Windows as their platform and Sliver is cross-platform, endpoint and network validation should not rely on email gateway alerts alone.

Likely telemetry

  • Email gateway and mailbox telemetry for attachments, sender metadata, URLs, and user reporting outcomes
  • Endpoint process creation telemetry for cmd.exe, mshta.exe, regsvr32.exe, rundll32.exe, script interpreters, and parent-child process chains from email clients or document readers
  • File creation and execution telemetry for downloaded or attachment-originated files, including archives, documents, scripts, DLLs, and executables
  • DNS logs for high-volume, algorithmic, newly observed, or unusual domain lookups consistent with DGA-style behavior
  • Web proxy, firewall, and TLS metadata for outbound HTTP/S or WebSocket-like command-and-control patterns

Detection direction

  • Validate correlation from email delivery to endpoint execution; isolated phishing detections may miss post-click activity.
  • Tune detections for suspicious use of mshta.exe, regsvr32.exe, rundll32.exe, and cmd.exe, especially when launched from office productivity tools, email clients, temporary directories, or user-writable paths.
  • Hunt for command obfuscation and standard encodings such as Base64 or hexadecimal in command lines and script content, while accounting for legitimate administrative scripts.
  • Review network detections for outbound web protocols used by unusual processes, rare destinations, or newly observed domains; avoid relying only on static domain blocklists because DGA-related behavior is listed.
  • Include malware-family context for Ursnif, Valak, IcedID, QakBot, and Sliver in threat intelligence enrichment, but confirm local indicators before treating an alert as TA551-related.
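The first three detection bullets above (proxy-execution binaries launched from office or mail clients, arguments in user-writable paths, and Base64- or hex-like tokens in command lines) can be expressed as a small scoring routine over process-creation telemetry. The following is an added example written for this page, not code from Glexia, MITRE or any of the cited reports; the process events, the office and mail parent list, the `C:\Scripts\Approved\` administrative allowlist, and the `Start` export name are all constructed or hypothetical. It also folds in the T1036 row from the relationship table (DLLs masked as .dat or .jpg) by flagging rundll32.exe and regsvr32.exe when the module argument does not end in .dll.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Parent processes that should rarely spawn the proxy-execution utilities below.
OFFICE_AND_MAIL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Windows utilities the TA551 relationship set associates with execution and proxy execution.
PROXY_EXEC_BINARIES = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe"}
# Path fragments that indicate user-writable or temporary locations.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
# Hypothetical allowlist of approved administrative script locations; replace with your own.
ADMIN_SCRIPT_ALLOWLIST = ("c:\\scripts\\approved\\",)

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")            # long Base64-like token
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){24,}")                  # long hexadecimal run
# First non-switch argument handed to rundll32/regsvr32, stopping at whitespace or a comma.
MODULE_ARG = re.compile(r'(?:rundll32|regsvr32)(?:\.exe)?\s+(?:/\S+\s+)*"?([^\s",]+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the detection signals that fire for one process-creation event."""
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    # Coarse suppression for approved admin scripts; pair it with directory ACLs so the
    # allowlisted path cannot itself be written to by ordinary users.
    if any(prefix in cmd for prefix in ADMIN_SCRIPT_ALLOWLIST):
        return []
    signals: list[str] = []
    if image in PROXY_EXEC_BINARIES and parent in OFFICE_AND_MAIL_PARENTS:
        signals.append("proxy-binary-from-office-or-mail")
    if image in PROXY_EXEC_BINARIES and any(frag in tok for tok in cmd.split() for frag in USER_WRITABLE):
        signals.append("user-writable-path-argument")
    m = MODULE_ARG.search(cmd)
    if m and image in {"rundll32.exe", "regsvr32.exe"} and not m.group(1).endswith(".dll"):
        signals.append("non-dll-module-loaded")   # T1036: DLL masked as .dat/.jpg etc.
    if BASE64_RUN.search(ev.command_line):
        signals.append("base64-like-token")
    elif HEX_RUN.search(ev.command_line):
        signals.append("hex-like-token")
    return signals


def classify(signals: list[str]) -> str:
    """Escalate on the parent-chain signal or on two corroborating signals; one signal is a hunt lead."""
    if "proxy-binary-from-office-or-mail" in signals or len(signals) >= 2:
        return "alert"
    return "lead" if signals else "none"


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, str, list[str]]]:
    """Return (event, verdict, signals) for every event that produced at least one signal."""
    out = []
    for ev in events:
        signals = score_event(ev)
        verdict = classify(signals)
        if verdict != "none":
            out.append((ev, verdict, signals))
    return out


# Constructed sample telemetry; none of these paths, users or values come from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\report.jpg"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\bob\Downloads\invoice.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c echo Y29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgdGV4dCBmb3IgZGV0ZWN0aW9uIGRlbW8="),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 "rundll32.exe shell32.dll,Control_RunDLL"),            # benign Control Panel launch
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Scripts\Approved\macro_helper.cmd"),    # hypothetical approved script
]

if __name__ == "__main__":
    for ev, verdict, signals in triage(SAMPLE_EVENTS):
        print(f"{verdict:5}  {_basename(ev.parent_image)} -> {_basename(ev.image)}  {signals}")
```

The thresholds are deliberately simple: the parent-chain signal alone escalates because office and mail clients have few legitimate reasons to spawn these utilities, while a lone encoded token is only a lead because administrative scripts routinely carry Base64. Swap the constructed events for Sysmon Event ID 1 or EDR process-creation records with the same three fields.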

Mitigation priorities

  • Reduce initial access risk first: strengthen email attachment controls, sandboxing, user reporting workflows, and handling of high-risk attachment types.
  • Harden execution paths: restrict or monitor abuse-prone Windows utilities such as mshta.exe, regsvr32.exe, and rundll32.exe where business use is limited.
  • Improve endpoint visibility and response: ensure process, command-line, file, and network telemetry are retained long enough to reconstruct email-to-execution events.
  • Strengthen outbound controls: monitor and filter suspicious web traffic, unusual DNS behavior, and external payload downloads.
  • Use threat intelligence operationally: map detections and playbooks to the related malware and techniques, but avoid assuming attribution without corroborating evidence.

Analyst notes and limits

The supplied ATT&CK object identifies TA551 as financially motivated, active since at least 2018, and primarily associated with email-based malware distribution campaigns targeting speakers of specific languages. The strongest defensive value comes from the relationship set, which connects the group to phishing attachments, malicious file execution, Windows proxy execution utilities, obfuscation, web C2, DGA behavior, and several malware families or frameworks.

ATT&CK provides no official detection text for this group, and the group object itself lists no platforms or tactics. Platform references here come only from related software and techniques. Local telemetry, business process knowledge, and current threat intelligence are required before asserting exposure, detection coverage, incident attribution, or active targeting.

Official MITRE ATT&CK definition

TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1218.010 | Regsvr32 (sub-technique)
  TA551 has used regsvr32.exe to load malicious DLLs. (Citation: Unit 42 Valak July 2020)

Enterprise | T1589.002 | Email Addresses (sub-technique)
  TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1204.002 | Malicious File (sub-technique)
  TA551 has prompted users to enable macros within spearphishing attachments to install malware. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1218.011 | Rundll32 (sub-technique)
  TA551 has used rundll32.exe to load malicious DLLs. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1027.003 | Steganography (sub-technique)
  TA551 has hidden encoded data for malware DLLs in a PNG. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
  TA551 has sent spearphishing attachments with password protected ZIP files. (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN)

Enterprise | T1132.001 | Standard Encoding (sub-technique)
  TA551 has used encoded ASCII text for initial C2 communications. (Citation: Unit 42 Valak July 2020)

Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique)
  TA551 has used a DGA to generate URLs from executed macros. (Citation: Unit 42 TA551 Jan 2021) (Citation: Secureworks GOLD CABIN)

Enterprise | T1027.010 | Command Obfuscation (sub-technique)
  TA551 has used obfuscated variable names in a JavaScript configuration file. (Citation: Unit 42 Valak July 2020)

Enterprise | T1071.001 | Web Protocols (sub-technique)
  TA551 has used HTTP for C2 communications. (Citation: Unit 42 Valak July 2020)

Enterprise | T1105 | Ingress Tool Transfer
  TA551 has retrieved DLLs and installer binaries for malware execution from C2. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1218.005 | Mshta (sub-technique)
  TA551 has used mshta.exe to execute malicious payloads. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  TA551 has used cmd.exe to execute commands. (Citation: Unit 42 TA551 Jan 2021)

Enterprise | T1036 | Masquerading
  TA551 has masked malware DLLs as dat and jpg files. (Citation: Unit 42 TA551 Jan 2021)

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0650: QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

Platforms: Windows

Malware (Enterprise)

S0483: IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[1][2]

Platforms: Windows

Malware (Enterprise)

S0476: Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[1][2]

Platforms: Windows

Tool (Enterprise)

S0633: Sliver

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

Platforms: Windows, Linux, macOS

Malware (Enterprise)

S0386: Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 2801977a311554d8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 2801977a3115…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Secureworks GOLD CABIN: Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.
  2. [2] Unit 42 TA551 Jan 2021: Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  3. [3] GOLD CABIN (associated group name): (Citation: Secureworks GOLD CABIN)
  4. [4] Shathak (associated group name): (Citation: Unit 42 Valak July 2020) (Citation: Unit 42 TA551 Jan 2021)
  5. [5] Unit 42 Valak July 2020: Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  6. [6] mitre-attack G0127

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.