Threat Actor Profile
High APT
Description

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)

Confidence Score
90%
Known Aliases
TA505, Hive0065, Spandex Tempest, CHIMBORAZO
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (34)
T1071.001 - Web Protocols (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1568.001 - Fast Flux DNS (Command and Control)
T1552.001 - Credentials In Files (Credential Access)
T1555.003 - Credentials from Web Browsers (Credential Access)
T1027.002 - Software Packing (Defense Evasion)
T1027.010 - Command Obfuscation (Defense Evasion)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1055.001 - Dynamic-link Library Injection (Defense Evasion)
T1078.002 - Domain Accounts (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1218.007 - Msiexec (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1553.005 - Mark-of-the-Web Bypass (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1069 - Permission Groups Discovery (Discovery)
T1087.003 - Email Account (Discovery)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1059.005 - Visual Basic (Execution)
T1059.007 - JavaScript (Execution)
T1106 - Native API (Execution)
T1204.001 - Malicious Link (Execution)
T1204.002 - Malicious File (Execution)
T1559.002 - Dynamic Data Exchange (Execution)
T1486 - Data Encrypted for Impact (Impact)
T1566.001 - Spearphishing Attachment (Initial Access)
T1566.002 - Spearphishing Link (Initial Access)
T1583.001 - Domains (Resource Development)
T1588.001 - Malware (Resource Development)
T1588.002 - Tool (Resource Development)
T1608.001 - Upload Malware (Resource Development)
STIX Data
{'aliases': ['TA505', 'Hive0065', 'Spandex Tempest', 'CHIMBORAZO'],
 'created': '2019-05-28T15:54:17.213Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[TA505](https://attack.mitre.org/groups/G0092) is a cyber '
                'criminal group that has been active since at least 2014. '
                '[TA505](https://attack.mitre.org/groups/G0092) is known for '
                'frequently changing malware, driving global trends in '
                'criminal malware distribution, and ransomware campaigns '
                'involving '
                '[Clop](https://attack.mitre.org/software/S0611).(Citation: '
                'Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June '
                '2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC '
                'Group TA505)(Citation: Korean FSI TA505 2020)',
 'external_references': [{'external_id': 'G0092',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0092'},
                         {'description': '(Citation: IBM TA505 April 2020)',
                          'source_name': 'Hive0065'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Spandex Tempest'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'CHIMBORAZO'},
                         {'description': 'Financial Security Institute. (2020, '
                                         'February 28). Profiling of TA505 '
                                         'Threat Group That Continues to '
                                         'Attack the Financial Sector. '
                                         'Retrieved July 14, 2022.',
                          'source_name': 'Korean FSI TA505 2020',
                          'url': 'https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory='},
                         {'description': 'Frydrych, M. (2020, April 14). TA505 '
                                         'Continues to Infect Networks With '
                                         'SDBbot RAT. Retrieved May 29, 2020.',
                          'source_name': 'IBM TA505 April 2020',
                          'url': 'https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Proofpoint Staff. (2017, September '
                                         '27). Threat Actor Profile: TA505, '
                                         'From Dridex to GlobeImposter. '
                                         'Retrieved May 28, 2019.',
                          'source_name': 'Proofpoint TA505 Sep 2017',
                          'url': 'https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter'},
                         {'description': 'Proofpoint Staff. (2018, June 8). '
                                         'TA505 shifts with the times. '
                                         'Retrieved May 28, 2019.',
                          'source_name': 'Proofpoint TA505 June 2018',
                          'url': 'https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times'},
                         {'description': 'Schwarz, D. and Proofpoint Staff. '
                                         '(2019, January 9). ServHelper and '
                                         'FlawedGrace - New malware introduced '
                                         'by TA505. Retrieved May 28, 2019.',
                          'source_name': 'Proofpoint TA505 Jan 2019',
                          'url': 'https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505'},
                         {'description': 'Terefos, A. (2020, November 18). '
                                         'TA505: A Brief History of Their '
                                         'Time. Retrieved July 14, 2022.',
                          'source_name': 'NCC Group TA505',
                          'url': 'https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/'}],
 'id': 'intrusion-set--7eda3dd8-b09b-4705-8090-c2ad9fb8c14d',
 'modified': '2024-04-10T22:37:02.592Z',
 'name': 'TA505',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}