Profile

Konstantin Klinger

Senior Security Research Engineer at Proofpoint

Konstantin Klinger is a senior security research engineer at Proofpoint on the Threat Research & Detection team. He’s punching phishing and malware miscreants by employing static and dynamic signatures, while also engaging in the active development of the sandbox. His primary objective is to automate Detection, Detonation, and Configuration Extraction (DDX) on a large scale. With a background in government intelligence, he dedicated years to Network Security Monitoring. Before returning to Proofpoint, he acquired valuable Incident Response experience at Apple. Working with Suricata and the OISF community has been the constant in his career across various roles.

All Sessions

Day 1
May 9, 2024
2:00 pm

A Pivot to Pika: The Saga of TA577, A Notorious Qbot Distributor

9 May
Time:  2:00 pm - 2:30 pm

Among all the major cybercriminal threat actors operating today, one stands out for its creativity, its sophistication, and the frustration it causes defenders: TA577. In our talk, we will discuss the history of this unique actor, tips for tracking it and creating detections to defend against it, how law enforcement activity impacted its malware distribution, and why it is one of the most difficult actors to defend against currently in operation.

TA577 was one of two prominent distributors of the Qbot botnet. In fact, the success and spread of Qbot was due in large part to the efforts of TA577. This actor demonstrates the ability to rapidly develop and iterate attack chains, and frequently paves the way for other threat actors to follow its novel techniques. With its combination of campaign volume, evasion techniques, unwavering persistence, and the turnaround to ransomware, TA577 remains one of the biggest threats in the ecrime landscape.

But what happened when global law enforcement disrupted Qbot in August 2023, which was this group’s most useful means of conducting large-scale cybercrime? It pivoted.

Proofpoint observed TA577 return in the fall of 2023 to deliver DarkGate – an unusual payload that took the ecrime landscape by storm in September and October – before eventually appearing to settle on Pikabot. Pikabot’s main objective is to download additional payloads, though it also has information gathering capabilities. TA577 may not write its own malware, but the malware it uses is sure to have significant impacts.