Threat Actor Profile
High APT
Description

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Confidence Score
90%
Known Aliases
TA2541
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (28)
T1105 - Ingress Tool Transfer
Command and Control
T1568 - Dynamic Resolution
Command and Control
T1573.002 - Asymmetric Cryptography
Command and Control
T1027.002 - Software Packing
Defense Evasion
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1027.015 - Compression
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1055.012 - Process Hollowing
Defense Evasion
T1218.005 - Mshta
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1016.001 - Internet Connection Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1518.001 - Security Software Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.005 - Visual Basic
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1583.001 - Domains
Resource Development
T1583.006 - Web Services
Resource Development
T1588.001 - Malware
Resource Development
T1588.002 - Tool
Resource Development
T1608.001 - Upload Malware
Resource Development
STIX Data
{'aliases': ['TA2541'],
 'created': '2023-09-12T17:00:22.615Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[TA2541](https://attack.mitre.org/groups/G1018) is a '
                'cybercriminal group that has been targeting the aviation, '
                'aerospace, transportation, manufacturing, and defense '
                'industries since at least 2017. '
                '[TA2541](https://attack.mitre.org/groups/G1018) campaigns are '
                'typically high volume and involve the use of commodity remote '
                'access tools obfuscated by crypters and themes related to '
                'aviation, transportation, and travel.(Citation: Proofpoint '
                'TA2541 February 2022)(Citation: Cisco Operation Layover '
                'September 2021)',
 'external_references': [{'external_id': 'G1018',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1018'},
                         {'description': 'Larson, S. and Wise, J. (2022, '
                                         "February 15). Charting TA2541's "
                                         'Flight. Retrieved September 12, '
                                         '2023.',
                          'source_name': 'Proofpoint TA2541 February 2022',
                          'url': 'https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight'},
                         {'description': 'Ventura, V. (2021, September 16). '
                                         'Operation Layover: How we tracked an '
                                         'attack on the aviation industry to '
                                         'five years of compromise. Retrieved '
                                         'September 15, 2023.',
                          'source_name': 'Cisco Operation Layover September '
                                         '2021',
                          'url': 'https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/'}],
 'id': 'intrusion-set--467271fd-47c0-4e90-a3f9-d84f5cf790d0',
 'modified': '2024-04-10T22:38:45.199Z',
 'name': 'TA2541',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Pooja Natarajan, NEC Corporation India',
                          'Aaron Jornet'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}