Can’t stop, won’t stop: TA584 innovates initial access

TA584 increased its operational tempo in 2025, expanded geographic and language targeting, and changed its attack chains to include ClickFix social engineering, layered redirects, rapid domain rotation, and new payloads such as Tsundere Bot alongside XWorm. These changes produced high campaign churn, frequent use of PowerShell/Node.js-based installers and WebSocket/Ethereum-based C2 retrieval, increasing the difficulty of detection and enabling infections that could lead to ransomware. #TA584 #TsundereBot #XWorm

Key points

  • TA584 tripled its monthly campaign volume from March to December 2025 and maintained a high operational tempo characterized by brief, rapidly rotated campaigns.
  • The actor broadened geographic targeting in 2025 to consistently include Germany and continued heavy targeting of North America, the UK, and Ireland, with occasional campaigns against Australia.
  • Social engineering evolved to include ClickFix dialog-based trickery, highly localized and branded lures, CAPTCHA gating, and personalized images (recipient name/address) to increase believability.
  • Delivery chains use layered redirects, third-party TDS services (404 TDS, Keitaro), compromised senders and ESPs, unique per-target URLs, and frequent domain rotation while often reusing static hosting IPs.
  • Payloads included XWorm (“P0WER” config), delivered via process hollowing and reflective loaders, and the newly observed Tsundere Bot (MaaS), which retrieves its C2 address via Ethereum-based EtherHiding and requires Node.js to run.
  • Tsundere Bot uses WebSockets for C2, checks the system locale to avoid CIS countries, and supports autonomous Node.js tasking and proxy/SOCKS functionality, increasing post-compromise capabilities.
  • Defensive recommendations include restricting PowerShell, application control for node.exe, monitoring WebSocket and Ethereum RPC traffic, and targeted user training on ClickFix-style prompts.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Email-delivered unique URLs and landing pages used as the initial access vector. [‘TA584 sends emails impersonating various organizations.’]
  • [T1204.002] User Execution: Malicious File – Social-engineered ClickFix dialogs and macro-enabled documents induce users to run commands or enable macros. [‘ClickFix social engineering … trick people into copying, pasting, and running malicious content on their own computer.’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands are used to run remote intermediate scripts that install malware. [‘runs a PowerShell command which in turn runs another remote intermediate PowerShell script…’]
  • [T1105] Ingress Tool Transfer – Remote installers and dependencies (Node.js, MSI/PowerShell installers) and payloads are downloaded from actor-controlled or third-party hosts. [‘installs Node.js and its dependencies directly from nodejs[.]org, then decrypts two AES-encrypted embedded Node.js files…’]
  • [T1055.012] Process Injection: Process Hollowing – The loader empties a legitimate process's memory and replaces it with XWorm so the payload executes filelessly in memory. [‘performs process hollowing, a technique where the loader starts a legitimate, signed Microsoft utility, RegSvcs[.]exe, in a suspended state, empties its memory, and replaces it with the XWorm payload.’]
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – An AMSI bypass is used to prevent detection during script-based loading. [‘disabling AMSI scanning via a reflection trick that forces an initialization failure (amsiInitFailed)’]
  • [T1071.004] Application Layer Protocol: Web Protocols (WebSockets) – Malware uses WebSockets for C2 communication and heartbeat/ping-pong traffic. [‘Uses WebSockets to communicate with the C2.’]
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistent, hidden Run key entries (including null-byte obfuscation) launch mshta/VBScript to execute PowerShell on boot. [‘manipulates the Windows Registry by inserting null-byte characters (x00) into the key names … hiding the malicious “Run” key from casual inspection.’]

Indicators of Compromise

  • [IP address] Actor hosting and C2 infrastructure – 94[.]159[.]113[.]37 (TA584 host), 85[.]236[.]25[.]119 (Tsundere Bot C2), and other C2 IPs such as 80[.]64[.]19[.]148 (XWorm C2).
  • [URL] ClickFix and payload URLs – hxxp://94[.]159[.]113[.]37/ssd.png (ClickFix payload URL), AWS S3 and Blogspot redirect URLs observed in redirect chains.
  • [SHA256 Hash] Malicious PowerShell and payload binaries – bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99 (SHA256 of remote PowerShell script leading to XWorm), 441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30 (SHA256 XWorm SharpHide payload).
  • [File name / Process] Signed legitimate process abused and tools to monitor – RegSvcs.exe (used as process hollowing host), node.exe installers launched in user AppData locations.
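The detection recommendations in the key points, the behaviours listed under the MITRE techniques (null-byte Run keys, mshta launching PowerShell, node.exe from AppData, RegSvcs.exe as a hollowing host, WebSocket and Ethereum RPC traffic from script hosts) and the C2 addresses in the IoC list can be turned into a small hunting pass. The following is an added example written for this summary, not code from Proofpoint or from the original post; the event schema (`type`, `image`, `parent_image`, `target`, `dest_ip`, `upgrade`, `json_rpc_method`) is an assumed Sysmon-like layout and the sample events are constructed, so the field names must be mapped onto whatever telemetry you actually collect.

```python
from __future__ import annotations

import re

# C2 addresses exactly as published (defanged) in the IoC list above.
DEFANGED_C2 = ["94[.]159[.]113[.]37", "85[.]236[.]25[.]119", "80[.]64[.]19[.]148"]


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to its matchable form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


C2_IPS = {refang(ip) for ip in DEFANGED_C2}

# Assumed (illustrative) log field conventions; adjust to the real telemetry schema.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "node.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the detection labels that fire for one event (empty list = nothing flagged)."""
    findings: list[str] = []
    kind = ev.get("type")
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))

    if kind == "registry_set":
        target = ev.get("target", "")
        # Persistence: Run key names containing null bytes so casual inspection misses them.
        if RUN_KEY_RE.search(target) and "\x00" in target:
            findings.append("run_key_null_byte")

    elif kind == "process_create":
        # Boot-time chain: mshta/VBScript launching PowerShell.
        if image in ("powershell.exe", "pwsh.exe") and parent == "mshta.exe":
            findings.append("mshta_spawns_powershell")
        # Tsundere Bot runtime: node.exe installed and run from the user profile.
        if image == "node.exe" and APPDATA_RE.search(ev.get("image", "")):
            findings.append("node_from_appdata")
        # Process hollowing host: signed RegSvcs.exe started by a script interpreter.
        if image == "regsvcs.exe" and parent in SCRIPT_HOSTS:
            findings.append("regsvcs_hollowing_host")

    elif kind == "network_connect":
        if ev.get("dest_ip") in C2_IPS:
            findings.append("known_c2_ip")
        # WebSocket upgrades are routine for browsers, not for script hosts.
        if ev.get("upgrade") == "websocket" and image in SCRIPT_HOSTS:
            findings.append("websocket_from_script_host")
        # Ethereum JSON-RPC (eth_*) calls from a script host: EtherHiding C2 lookup.
        if str(ev.get("json_rpc_method", "")).startswith("eth_") and image in SCRIPT_HOSTS:
            findings.append("eth_rpc_from_script_host")
    return findings


def hunt(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every rule over a batch; return (event index, labels) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        labels = check_event(ev)
        if labels:
            hits.append((i, labels))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\user\AppData\Local\node\node.exe"
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# Constructed sample telemetry (not real captures): one event per rule plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": PS,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Upd\x00ate"},
    {"type": "process_create", "image": PS, "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"type": "process_create", "image": NODE, "parent_image": PS},
    {"type": "process_create", "parent_image": PS,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "network_connect", "image": NODE, "dest_ip": "85.236.25.119", "dest_port": 443,
     "upgrade": "websocket"},
    {"type": "network_connect", "image": NODE, "dest_ip": "203.0.113.20", "dest_port": 443,
     "json_rpc_method": "eth_call"},
    {"type": "process_create", "image": FF, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "image": FF, "dest_ip": "203.0.113.10", "dest_port": 443,
     "upgrade": "websocket"},
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(labels)}")
```

The two browser events are there on purpose: a WebSocket upgrade or an AppData path is only interesting in combination with the process that produced it, so each rule keys on the image or parent rather than on the network or file artefact alone. In production the `SCRIPT_HOSTS` set and the C2 list would come from your allow/deny lists and threat feed rather than being hard-coded.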


Read more: https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access