Keypoints
- TA4903 conducts large-volume credential-phishing campaigns that spoof U.S. government agencies (e.g., USDA, DOT, SBA) and private-sector organizations.
- Primary delivery methods include multi-page PDF attachments with embedded URLs and QR codes, and ZIP attachments containing HTML that redirect to phishing sites.
- Phishing pages are often direct clones of government or O365 login portals designed to capture corporate credentials.
- In 2023 the actor used EvilProxy, a reverse-proxy (adversary-in-the-middle) MFA bypass toolkit, to defeat multifactor authentication on captured logins; its use decreased later in the year.
- Post-compromise behavior includes logging into stolen accounts, searching for payment-related keywords, and conducting BEC (invoice fraud, payroll redirect) via thread hijacking and lookalike domains.
- TA4903 predominantly uses actor-owned domains and a consistent phishing kit, with recurring traits such as similar domain naming patterns and PDF metadata (author: Edward Ambakederemo).
- Observed campaign volumes vary from hundreds to tens of thousands of messages, primarily targeting U.S. entities across multiple industries.
MITRE Techniques
- No MITRE ATT&CK technique identifiers (e.g., [T1566]) are explicitly mentioned in the article.
Indicators of Compromise
- [Domain] credential-phishing hosts – auth01-usda[.]com, orga-portal[.]com (credential landing pages)
- [URL/Domain] phishing redirect infrastructure – hxxp://tracking[.]tender-usdabids[.]com, shortsync[.]net
- [File hashes] malicious attachment SHA256 – d398eef8cf3a69553985c4fd592a4500b791392cf86d7593dbdbd46f8842a18d, ed4134de34fbc67c6a14c4a4d521e69b3cd2cb5e657b885bd2e8be0e45ad2bda (and 1 more hash)
- [File names] lure attachments – usda2784748973bid.pdf, 11-30Receipt.zip
- [Email] spoofed sender addresses – entry@ams-usda[.]com; donotreply@secureserver5[.]com (used in phishing email headers)
TA4903 distributes high-volume phishing emails that frequently include multi-page PDF attachments mimicking government bid solicitations; these PDFs embed both clickable links and QR codes that point to government-branded credential-capture sites. PDFs often contain consistent metadata (author listed as Edward Ambakederemo) and the landing pages are near-exact clones of target login portals, intended to harvest corporate O365 and other email credentials.
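The PDF traits above (the recurring /Author metadata and embedded link annotations) and the IOC domains listed earlier can be turned into a quick offline attachment triage. The following is an added example written for this page, not tooling from the original report: it scans raw PDF bytes with regular expressions for /Author and /URI strings, refangs and matches the link hosts against the report's IOC domains, and flags USDA-themed hosts outside usda.gov. The sample PDF, the IOC_DOMAINS set and the triage_pdf/extract_pdf_indicators names are constructed for the example. Two caveats are built in as comments: the scan only sees uncompressed objects (real samples often keep metadata and annotations inside compressed object streams, so production triage should use a proper PDF parser), and QR codes are images, so their URLs must be decoded separately.

```python
import re
from urllib.parse import urlparse

# Constructed from the report's IOC list, with the "[.]" defanging removed.
IOC_DOMAINS = {
    "auth01-usda.com",
    "orga-portal.com",
    "tracking.tender-usdabids.com",
    "shortsync.net",
}
IOC_AUTHOR = "Edward Ambakederemo"

# PDF literal strings: /Author (....) in the Info dictionary, /URI (....) in
# link-annotation actions. Escaped parentheses inside strings are not handled.
AUTHOR_RE = re.compile(rb"/Author\s*\((.*?)\)", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)


def _refang(s: str) -> str:
    """Turn 'hxxp://a[.]b' back into a parseable URL."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def extract_pdf_indicators(pdf_bytes: bytes) -> dict:
    """Pull /Author and /URI strings out of raw PDF bytes.

    Only uncompressed objects are visible to this scan; objects stored in
    FlateDecode object streams need a real PDF parser. QR codes are images
    and are not extracted here at all.
    """
    authors = [m.decode("latin-1", "replace") for m in AUTHOR_RE.findall(pdf_bytes)]
    uris = [m.decode("latin-1", "replace") for m in URI_RE.findall(pdf_bytes)]
    return {"authors": authors, "uris": uris}


def uri_domain(uri: str) -> str:
    """Lower-cased host of a (possibly defanged) URL, '' if none."""
    return (urlparse(_refang(uri)).hostname or "").lower()


def triage_pdf(pdf_bytes: bytes) -> dict:
    ind = extract_pdf_indicators(pdf_bytes)
    hits = []
    for author in ind["authors"]:
        if author.strip() == IOC_AUTHOR:
            hits.append(f"author matches TA4903 metadata: {author}")
    for uri in ind["uris"]:
        host = uri_domain(uri)
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(f"link host on IOC list: {host}")
        elif "usda" in host and not host.endswith("usda.gov"):
            # Government-themed host that is not the real agency domain.
            hits.append(f"USDA-themed host outside usda.gov: {host}")
    return {"indicators": ind, "hits": hits, "suspicious": bool(hits)}


# Constructed minimal PDF (not a real TA4903 sample): one page, one link
# annotation pointing at an IOC domain, and an Info dictionary carrying the
# author string the report associates with the actor.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://tracking.tender-usdabids.com/bid/2784748973) >> >> endobj
5 0 obj << /Author (Edward Ambakederemo) /Producer (Unknown) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF)
    for hit in result["hits"]:
        print("[!]", hit)
```

Run it against a quarantined attachment with `triage_pdf(open(path, "rb").read())`; a clean result from this scan does not clear the file, since compressed streams and QR images are out of scope for the regex approach.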
Other delivery variants observed include ZIP attachments containing HTML files that redirect users to spoofed Microsoft O365 login pages, and actor-operated domains that impersonate North American companies. In 2023 the actor leveraged EvilProxy, a reverse-proxy MFA bypass toolkit, to defeat multifactor authentication when capturing credentials, though use of EvilProxy decreased later in the year.
After obtaining credentials, TA4903 logs into compromised mailboxes, searches them for payment-related keywords (e.g., “bank information,” “payment,” “merchant”), and hijacks existing threads to launch BEC campaigns. These follow-on activities use lookalike domains, Reply-To header manipulation, and the same phishing kit and hosting infrastructure observed in the initial phishing, enabling invoice fraud and payroll redirect schemes against the victim's business partners and financial contacts.
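The BEC stage described above leaves header-level traces that can be checked at the mail gateway: a Reply-To domain that differs from the From domain, a sending or reply domain that imitates a trusted counterparty (the hyphenated `ams-usda[.]com` pattern from the IOC list, or single-character substitutions), a reply inside an existing thread that redirects responses elsewhere, and the payment vocabulary the actor searches for. The code below is an added example for this page, not the report's or any vendor's detection logic; the trusted-domain list, the keyword list, the sample message and the function names (analyze_message, lookalike_of) are all constructed assumptions, and the edit-distance threshold of 2 is a starting point to tune, not a tested value.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"usda.gov", "examplecorp.com"}

# Terms the report says the actor searches mailboxes for, plus common BEC
# invoice/payroll wording (the additions are an assumption of this example).
PAYMENT_KEYWORDS = ("bank information", "payment", "merchant",
                    "invoice", "payroll", "direct deposit")


def _domain(addr_header) -> str:
    """'Name <user@host>' -> 'host' (lower-cased), '' if no address."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _sld(domain: str) -> str:
    """Second-level label: 'ams-usda.com' -> 'ams-usda'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = _sld(domain)
    for trusted in TRUSTED_DOMAINS:
        tl = _sld(trusted)
        if levenshtein(label, tl) <= 2:          # examp1ecorp vs examplecorp
            return trusted
        if tl in label.split("-"):               # ams-usda, usda-bids
            return trusted
    return None


def analyze_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_d = _domain(msg["From"])
    reply_d = _domain(msg["Reply-To"])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    findings = []
    if reply_d and reply_d != from_d:
        findings.append(f"Reply-To domain {reply_d} differs from From domain {from_d}")
    for d in {from_d, reply_d} - {""}:
        trusted = lookalike_of(d)
        if trusted:
            findings.append(f"{d} looks like trusted domain {trusted}")
    if msg["In-Reply-To"] and reply_d and reply_d != from_d:
        findings.append("reply inside an existing thread redirects responses elsewhere (possible thread hijack)")
    keywords = [k for k in PAYMENT_KEYWORDS if k in text]
    if keywords:
        findings.append("payment-related content: " + ", ".join(keywords))
    return {"from_domain": from_d, "reply_to_domain": reply_d,
            "keywords": keywords, "findings": findings}


# Constructed message (not a real sample): a hijacked invoice thread whose
# replies are steered to a one-character lookalike of the partner's domain.
SAMPLE_EMAIL = b"""From: "Accounts Payable" <ap@examplecorp.com>
Reply-To: <ap@examp1ecorp.com>
In-Reply-To: <thread-4471@examplecorp.com>
Subject: Re: Invoice 4471 - updated bank information
Content-Type: text/plain; charset=utf-8

Please use our updated bank information for this payment.
The invoice total is unchanged.
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL)["findings"]:
        print("[!]", finding)
```

Any single finding is weak on its own (a differing Reply-To is common in bulk mail); the combination of an in-thread reply, a redirected Reply-To and payment language is what merits holding the message for review.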