MITRE ATT&CK® Group

G1037: TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]

Enterprise | G1037 | Group | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

TA577 matters because ATT&CK describes it as an initial access broker associated with distributing malware families used to create follow-on access, including QakBot, Pikabot, and Latrodectus. For leaders, the decision value is not the group name alone; it is whether email, identity, web, and endpoint controls can stop or quickly confirm link-driven initial access before it becomes broader intrusion activity.

Executive priority

Prioritize this as an initial-access readiness issue. Ask whether the organization can prove coverage for spearphishing links, malicious link clicks, compromised email account abuse, downloader activity, and Windows execution patterns tied to related malware. This supports incident triage, control investment, audit evidence for phishing and endpoint monitoring, and business-continuity planning around early containment.

Technical view

ATT&CK provides no official detection text for TA577, so defenders should validate coverage through the related behaviors: Spearphishing Link, Malicious Link, Email Accounts, JavaScript execution, Windows Command Shell execution, and Embedded Payloads. The related software context points to QakBot, Pikabot, and Latrodectus, with Windows explicitly present in those software records and several related techniques. SOC and IR teams should correlate email delivery and click events with web/DNS activity, file downloads, script execution, cmd.exe activity, and endpoint alerts rather than relying on a single group-specific signature.

Likely telemetry

  • Email security logs for inbound messages, sender reputation, URLs, rewriting, and delivery disposition
  • User click telemetry from secure email gateway, browser, or web proxy controls
  • DNS and web proxy records for post-click destinations and downloaded content
  • Endpoint process creation telemetry for cmd.exe, script engines, JavaScript/JScript execution, and child processes
  • File creation and inspection telemetry for downloaded files and possible embedded payloads

Detection direction

  • Build correlation around the sequence: suspicious email or compromised sender, malicious link click, web retrieval, script or command shell execution, and downloaded payload behavior.
  • Tune detections for JavaScript/JScript and Windows Command Shell execution spawned from browsers, email clients, archive handlers, or downloaded files, while accounting for legitimate administrative and business scripting.
  • Validate phishing-link detection separately from attachment scanning, because the related Spearphishing Link technique specifically highlights link-based delivery.
  • Monitor for trusted or previously known email accounts sending unusual campaigns, since ATT&CK relates TA577 to compromised email account resource development.
  • Use related malware names as threat-intelligence enrichment, not as the only detection method; ATT&CK does not provide TA577-specific detection logic here.
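The correlation sketched in the bullets above, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small Python correlator that walks constructed email, proxy and process-creation events in the order the relationship table implies (delivered external email with a link, post-click fetch of a .js file, JScript engine launched by a browser, mail client or archive handler, then cmd.exe launched by that engine). The field names, the parent-process list, the file-extension check and the 30-minute window are assumptions for illustration, not a vendor log schema or a MITRE-supplied rule. The sample also carries a benign administrator script run and a click that never executed, so it doubles as the kind of benign detection-engineering test the mitigation list asks for.

```python
"""Correlating the link-driven chain this page describes, over constructed events.

Stage order: delivered external email carrying a link -> post-click retrieval of a
.js file -> JScript/JavaScript engine launched by a browser, mail client or archive
handler -> cmd.exe launched by that script engine (the BAT stage).  Every event is
a CONSTRUCTED sample; field names, parent list and window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

STAGES = ["email_link", "script_download", "script_exec", "cmd_exec"]
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
# Assumed: parents that should rarely launch a script engine in a user session.
LINK_ENTRY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "outlook.exe", "7zfm.exe", "winrar.exe", "explorer.exe"}


@dataclass
class Event:
    ts: datetime
    source: str                        # "email", "proxy" or "process"
    user: str
    data: dict = field(default_factory=dict)


def stage_of(e: Event):
    """Map one event to a chain stage, or None when it is not interesting."""
    d = e.data
    if e.source == "email":
        if d.get("disposition") == "delivered" and d.get("external_sender") and d.get("urls"):
            return "email_link"
    elif e.source == "proxy":
        if d.get("filename", "").lower().endswith((".js", ".jse")):
            return "script_download"
    elif e.source == "process":
        image, parent = d.get("image", "").lower(), d.get("parent", "").lower()
        if image in SCRIPT_ENGINES and parent in LINK_ENTRY_PARENTS:
            return "script_exec"
        if image == "cmd.exe" and parent in SCRIPT_ENGINES:
            return "cmd_exec"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """One alert per user whose staged events occur in STAGES order within `window`.
    Requires email_link -> script_download -> script_exec; a later cmd_exec makes it high.
    A script engine started from an interactive shell never classifies as script_exec."""
    by_user = {}
    for e in sorted(events, key=lambda x: x.ts):
        stage = stage_of(e)
        if stage:
            by_user.setdefault(e.user, []).append((stage, e))

    alerts = []
    for user, staged in by_user.items():
        for i, (stage, anchor) in enumerate(staged):
            if stage != "email_link":
                continue
            matched = {"email_link": anchor}
            want = 1                           # index of the next stage we need
            for later_stage, later in staged[i + 1:]:
                if later.ts - anchor.ts > window:
                    break
                if later_stage == STAGES[want]:
                    matched[later_stage] = later
                    want += 1
                    if want == len(STAGES):
                        break
            if "script_exec" in matched:
                alerts.append({
                    "user": user,
                    "stages": [s for s in STAGES if s in matched],
                    "severity": "high" if "cmd_exec" in matched else "medium",
                    "first_seen": anchor.ts,
                })
                break                          # first complete chain is enough for triage
    return alerts


T0 = datetime(2024, 4, 4, 9, 0)
SAMPLE_EVENTS = [  # constructed sample data
    # alice: full chain, email -> .js fetch -> wscript from browser -> cmd from wscript
    Event(T0, "email", "alice", {"disposition": "delivered", "external_sender": True,
                                  "urls": ["http://example.invalid/invoice"]}),
    Event(T0 + timedelta(minutes=4), "proxy", "alice", {"filename": "invoice.js"}),
    Event(T0 + timedelta(minutes=5), "process", "alice", {"image": "wscript.exe", "parent": "chrome.exe"}),
    Event(T0 + timedelta(minutes=5, seconds=10), "process", "alice", {"image": "cmd.exe", "parent": "wscript.exe"}),
    # bob: administrator running a script from an interactive shell, no lure: must not fire
    Event(T0 + timedelta(hours=1), "process", "bob", {"image": "cscript.exe", "parent": "cmd.exe"}),
    # carol: clicked and fetched the file but nothing executed: no alert, but worth a hunt
    Event(T0 + timedelta(hours=2), "email", "carol", {"disposition": "delivered", "external_sender": True,
                                                       "urls": ["http://example.invalid/doc"]}),
    Event(T0 + timedelta(hours=2, minutes=3), "proxy", "carol", {"filename": "doc.js"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)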

Mitigation priorities

  • Sequence controls around prevention and fast verification: email filtering and URL analysis, user reporting paths, web controls, endpoint execution monitoring, and identity protections for mail accounts.
  • Harden mailbox and identity controls with MFA, suspicious login review, mailbox rule monitoring, and rapid disable/reset procedures for compromised accounts.
  • Reduce script and command-shell abuse where operationally feasible through application control, script restrictions, and least-privilege endpoint configuration.
  • Ensure IR playbooks connect phishing reports to web, DNS, endpoint, and identity evidence so responders can determine whether a click produced execution or download activity.
  • Maintain detection engineering tests that emulate benign versions of link-click-to-script or link-click-to-cmd patterns without using offensive malware procedures.

Analyst notes and limits

The strongest business takeaway is initial-access resilience: TA577 is represented in ATT&CK as an IAB, and the supplied relationships emphasize email-link delivery, user execution, compromised email accounts, and downloader/backdoor malware relationships. Treat this as a coverage-validation object for email, identity, web, and endpoint telemetry.

ATT&CK provides no official detection text, no explicit tactics or platforms on the TA577 group object itself, and only one cited external source in the supplied fields. Platform and behavior inferences should be limited to the supplied relationship context and validated against local telemetry before making risk or coverage claims.

Official MITRE ATT&CK definition

TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (all six rows cite Latrodectus APR 2024 [1])

Enterprise | T1059.007 | JavaScript (sub-technique) | TA577 has used JavaScript to execute additional malicious payloads.

Enterprise | T1059.003 | Windows Command Shell (sub-technique) | TA577 has used BAT files in malware execution chains.

Enterprise | T1027.009 | Embedded Payloads (sub-technique) | TA577 has used LNK files to execute embedded DLLs.

Enterprise | T1586.002 | Email Accounts (sub-technique) | TA577 has sent thread-hijacked messages from compromised emails.

Enterprise | T1204.001 | Malicious Link (sub-technique) | TA577 has lured users into executing malicious JavaScript files by sending malicious links via email.

Enterprise | T1566.002 | Spearphishing Link (sub-technique) | TA577 has sent emails containing links to malicious JavaScript files.

Associated objects

Groups, software, and campaigns

S1145: Pikabot (Malware, Enterprise; platform: Windows)

Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow-on tools such as Cobalt Strike or ransomware variants.[1][2][3]

S0650: QakBot (Malware, Enterprise; platform: Windows)

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

S1160: Latrodectus (Malware, Enterprise; platform: Windows)

Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 822c6f11dd2feaec...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 822c6f11dd2f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Latrodectus APR 2024
     Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.

  2. [2] mitre-attack G1037
     MITRE ATT&CK group entry G1037 on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.