Showcasing TA866/Asylum Ambuscade Activities Since 2021

TA866 (aka Asylum Ambuscade) has operated since at least 2020 and has evolved into multi-stage intrusion campaigns that use malspam, malvertising and traffic distribution systems to deliver JavaScript/MSI downloaders and payloads such as WasabiSeed, Screenshotter and AHK Bot, with follow-on use of Resident, CSharp-Streamer-RAT and Cobalt Strike. Cisco Talos links TA866 activity to WarmCookie/BadSpace and documents C2 artifacts including IPs 185[.]73[.]124[.]164 and 109[.]236[.]80[.]191. #TA866 #WasabiSeed

Keypoints

  • TA866 (Asylum Ambuscade) has been active since at least 2020 and continues to evolve its tooling and TTPs.
  • Initial access commonly comes from malspam and malvertising that redirect victims into 404 traffic distribution systems (TDS).
  • Infection chains frequently use JavaScript downloaders that fetch MSI packages executed via MsiExec to install WasabiSeed, Screenshotter and AHK Bot.
  • WasabiSeed provides persistent, drive-serial-number–based polling for arbitrary payload MSI packages; Screenshotter (JS/Python/AHK) captures periodic screenshots and exfiltrates them to C2.
  • AHK Bot is a modular AutoHotKey-based framework offering persistence (looper), enumeration, keystroke logging, credential theft, HVNC and remote-access deployment.
  • TA866 has deployed additional tools post-compromise including Resident backdoor, CSharp-Streamer-RAT, Rhadamanthys, and Cobalt Strike; overlaps exist with WarmCookie/BadSpace infrastructure and artifacts.

MITRE Techniques

  • [T1589.002] Gather Victim Identity Information: Email Addresses – used to collect email addresses for targeting; [‘Collects email addresses from victims for further targeting.’]
  • [T1586.002] Compromise Accounts: Email Accounts – targets email accounts to support campaigns and hijack threads; [‘Targets email accounts for unauthorized access.’]
  • [T1608.006] Stage Capabilities: SEO Poisoning – increases visibility of malicious content via poisoned search results and ads; [‘Uses SEO techniques to increase visibility of malicious content.’]
  • [T1583.008] Acquire Infrastructure: Malvertising – deploys malicious ads to route victims to infection chains; [‘Utilizes malvertising to distribute malware.’]
  • [T1566] Phishing – leverages email lures and thread hijacking to deliver malicious links or attachments; [‘Employs phishing techniques to lure victims.’]
  • [T1566.001] Spearphishing Attachment – delivers malicious attachments (PDFs, Publisher files) that contain links; [‘Uses malicious attachments in phishing emails.’]
  • [T1566.002] Spearphishing Link – embeds links in messages or documents to redirect victims to TDS; [‘Includes malicious links in phishing emails.’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – used for command execution in post-compromise activity; [‘Executes commands through PowerShell for various tasks.’]
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – uses cmd.exe for discovery and other commands; [‘Utilizes Windows Command Shell for command execution.’]
  • [T1047] Windows Management Instrumentation – collects system and domain information via WMI for enumeration; [‘Uses WMI for system management and monitoring.’]
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – abuses DLL loading to run malicious code in legitimate process contexts; [‘Loads malicious DLLs to hijack legitimate processes.’]
  • [T1218.007] System Binary Proxy Execution: Msiexec – executes MSI packages with MsiExec to deploy malware stages; [‘Uses Msiexec to execute malicious payloads.’]
  • [T1069.002] Permission Groups Discovery: Domain Groups – queries domain group membership to identify privileges; [‘Identifies domain groups for privilege escalation.’]
  • [T1016] System Network Configuration Discovery – gathers network configuration with commands like ipconfig; [‘Gathers information about network configurations.’]
  • [T1482] Domain Trust Discovery – enumerates domain trust relationships using nltest and related commands; [‘Discovers trust relationships between domains.’]
  • [T1018] Remote System Discovery – scans and enumerates remote systems within environments; [‘Identifies remote systems within the network.’]
  • [T1057] Process Discovery – lists running processes to understand system state; [‘Identifies running processes on the infected system.’]
  • [T1007] System Service Discovery – enumerates services to find useful footholds or defensive controls; [‘Discovers services running on the system.’]
  • [T1518.001] Software Discovery: Security Software Discovery – probes installed security products to evade or disable them; [‘Identifies security software installed on the system.’]
  • [T1124] System Time Discovery – used to collect system time information for operational purposes; [‘System Time Discovery’]
  • [T1082] System Information Discovery – gathers OS and hardware details for profiling targets; [‘Gathers system information for reconnaissance.’]
  • [T1033] System Owner / User Discovery – identifies user and owner information on compromised hosts; [‘Identifies users and owners of the system.’]
  • [T1105] Ingress Tool Transfer – downloads additional tools and payloads (MSI, DLL, EXE) into the environment; [‘Transfers tools into the compromised environment.’]
  • [T1219] Remote Access Software – deploys commercial remote access tools (AnyDesk, Remote Utilities, TeamViewer) for persistence and control; [‘Deploys remote access software for persistent access.’]
  • [T1071.001] Application Layer Protocol: Web Protocols – uses HTTP/HTTPS for C2, exfiltration and payload retrieval; [‘Uses web protocols for command and control communication.’]

Indicators of Compromise

  • [IP address] C2 and infrastructure – 185[.]73[.]124[.]164 (CSharp-Streamer-RAT C2), 109[.]236[.]80[.]191 (previous CSharp-Streamer-RAT C2)
  • [Domain / URL] payload hosting and download endpoints – hxxps[:]//perfectsystems-ltd[.]com/x-css/cd.msi, hxxps[:]//temp[.]sh/esuJB/resident[.]exe, and other temp[.]sh URLs
  • [File name / artifact] MSI and executable examples used in chains – cd.msi, resident.exe, and additional MSI packages
  • [Script / filename] delivered scripts and components – app.js, index.js, screen1.pyw, CustomAction.idt, and other AHK/JS/VBS scripts

TA866, also tracked as Asylum Ambuscade, is an adaptable intrusion operator first observed in 2020 that has run both financially motivated malware campaigns and activity consistent with espionage. Since early 2023 Cisco Talos has documented a steady evolution in TA866’s tooling and operational patterns, with campaigns commonly beginning by steering victims into traffic distribution systems (TDS) via malspam or malvertising. The actor frequently uses 404-style TDS infrastructure that returns an HTTP/404 response but relies on meta refreshes and intermediary servers to probe visiting systems and selectively redirect vulnerable or valuable targets to malicious content.

The most common infection chain observed begins with a malicious JavaScript downloader distributed through phishing emails, hijacked reply threads, or poisoned search/ads. Those JavaScript downloaders pull MSI packages from attacker-controlled hosts; one example URL observed was hxxps[:]//perfectsystems-ltd[.]com/x-css/cd.msi. When executed, MSI packages are handed to MsiExec to run next-stage components. WasabiSeed appears routinely as a second-stage MSI: it drops a VBScript (stored in a CAB within the MSI) under %PROGRAMDATA%, achieves persistence by placing an LNK shortcut in the StartUp folder, and continuously polls attacker-controlled domains for additional MSI payloads.

WasabiSeed’s polling behavior is notable because the actor generates request URLs that incorporate the infected host’s drive serial number, making each beacon unique and allowing the adversary to push arbitrary MSI payloads to chosen victims at any time. The chain commonly delivers Screenshotter, a family of screenshot-capture tools implemented in JavaScript, Python and AutoHotKey variants. JavaScript-based Screenshotter packages typically include two files (app.js to capture screens using a legitimate utility such as IrfanView, and index.js to upload captures), whereas Python builds embed a Python runtime and a screen1.pyw script to perform capture and HTTP exfiltration. All variants append the drive serial number to C2 URIs (for example: http:///screenshot/) to identify victims.

In many infections, an AutoHotKey-based framework called AHK Bot is also installed. AHK Bot is modular: a “looper” script provides persistence and periodic C2 polling, while additional AHK scripts enable system and hardware enumeration (via WMI), domain membership checks, secondary C2 connections, screenshot capture (deskscreen), keystroke logging, browser credential theft, HVNC deployment/removal and the installation or removal of commercial remote access tools such as Remote Utilities. The framework stores results (for example, a hardware.txt file) and exfiltrates data and logs back to attacker servers over HTTP POST requests. Several AHK scripts include comments referencing Russian-language resources.

Post-compromise activity varies by intrusion and target. TA866 operators have executed built-in Windows commands (for example, ipconfig, whoami, nltest, systeminfo and domain group queries) and deployed reconnaissance utilities such as AdFind and network scanners to map environments. On high-value systems the actor has delivered additional payloads including CSharp-Streamer-RAT, Rhadamanthys (an information stealer), Resident backdoor and Cobalt Strike beacons. In one 2024 case, a WarmCookie/BadSpace infection was followed by deployments of CSharp-Streamer-RAT and Cobalt Strike; Talos observed an SSL certificate generation pattern used across multiple CSharp-Streamer-RAT C2 servers (including 185[.]73[.]124[.]164 and 109[.]236[.]80[.]191) that appears to be programmatically produced by the actor.

TA866 often uses public file hosting services such as hxxps[:]//temp[.]sh for payload hosting; observed retrieval mechanisms include bitsadmin and certutil to fetch DLLs or executables, and msiexec to run MSI packages. Resident has been retrieved and launched in this manner, and the execution of DLL-based loaders via AHK Bot to run Rhadamanthys in memory has been reported. Overlaps between historical TA866 activity and WarmCookie/BadSpace include shared delivery patterns, implementation similarities and reuse of C2 infrastructure, leading Talos to assess that the same actor or closely collaborating actors are responsible for both clusters of activity.

Geographically, most follow-on payload observations occurred in the United States, with additional incidents reported in Canada, the United Kingdom, Germany, Italy, Austria and the Netherlands. The manufacturing sector has been heavily affected, followed by government and financial services, though many industries have seen activity. To aid defenders, Talos published detection signatures and indicators: Snort SIDs and ClamAV signatures have been released to detect downloaders, WasabiSeed, Screenshotter, AHK Bot components, WarmCookie, CSharp-Streamer and related tooling, and a GitHub repository contains IOCs associated with TA866 campaigns.

Detection and mitigation guidance from the reporting emphasizes blocking malicious web destinations, scanning email for malicious links/attachments, preventing execution of unexpected MSI and script files, monitoring for the execution of certutil/bitsadmin/msiexec activity, and controlling the use of remote-access applications. Enterprise protections that monitor for unique C2 patterns (including drive-serial–based beaconing) and unusual HTTP POST exfiltration of screenshots, keystrokes or hardware inventories can help identify these campaigns early.
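As an added example (not code from the Talos report or from TA866's tooling), the following Python applies the drive-serial beaconing idea from the WasabiSeed/Screenshotter description above and from the detection guidance here to constructed proxy log lines: requests whose path carries an 8-hex-digit volume-serial segment are grouped by client, host and serial, and a series polled on a steady cadence is flagged. Hostnames, addresses and timestamps are constructed; the serial format, the log layout and the jitter threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report): "timestamp client method host path status bytes".
# 10.0.0.5 polls one path carrying a serial every ~60 s and finally POSTs a large body (screenshot upload);
# 10.0.0.7 is ordinary browsing, including a hex-looking image name that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET update.example.invalid /screenshot/1A2B3C4D 200 512
2024-05-01T10:00:59 10.0.0.5 GET update.example.invalid /screenshot/1A2B3C4D 200 512
2024-05-01T10:02:01 10.0.0.5 GET update.example.invalid /screenshot/1A2B3C4D 200 512
2024-05-01T10:03:00 10.0.0.5 GET update.example.invalid /screenshot/1A2B3C4D 200 512
2024-05-01T10:04:00 10.0.0.5 POST update.example.invalid /screenshot/1A2B3C4D 200 81920
2024-05-01T10:00:10 10.0.0.7 GET www.example.invalid /index.html 200 2048
2024-05-01T10:31:10 10.0.0.7 GET www.example.invalid /about.html 200 1024
2024-05-01T10:45:00 10.0.0.7 GET cdn.example.invalid /img/1A2B3C4D.png 200 4096
"""

# Assumption: the victim identifier is the 8-hex-digit volume serial as a whole path segment.
SERIAL_PATH = re.compile(r"/([0-9A-Fa-f]{8})(?:/|$)")

def parse_line(line):
    ts, client, method, host, path, status, size = line.split()
    return datetime.fromisoformat(ts), client, method, host, path, int(status), int(size)

def find_serial_beacons(log_text, min_requests=3, max_jitter=0.2):
    """Return {(client, host, serial): {"count", "interval_s"}} for serial-tagged paths polled on a steady cadence."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, host, path, *_ = parse_line(line)
        m = SERIAL_PATH.search(path)
        if m:
            series[(client, host, m.group(1).upper())].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        # Low relative spread of inter-request gaps is the beaconing signal; human browsing is irregular.
        if avg > 0 and pstdev(deltas) / avg <= max_jitter:
            hits[key] = {"count": len(stamps), "interval_s": round(avg, 1)}
    return hits

if __name__ == "__main__":
    for key, info in find_serial_beacons(SAMPLE_LOG).items():
        print(f"possible serial-based beacon: client={key[0]} host={key[1]} serial={key[2]} {info}")
```

Pairing a flagged series with a large HTTP POST to the same serial-tagged path, as in the last 10.0.0.5 line, is the screenshot or log upload pattern the guidance above refers to.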

Talos continues to track TA866’s tooling and infrastructure, documenting overlaps with other operators and updating signatures and IOCs as the actor’s tradecraft evolves. Indicators and detection rules are available from the Talos disclosure and the referenced GitHub repository.

Read more: https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/