Threat Intelligence Tarot
pentacles · 14
Criminal (suspected Eastern European)
★★★★★
risk 3/5
✦ The False Tax ✦
TA2101
Maze Team (affiliate) · Proofpoint TA2101
German enterprises · Italian businesses · US businesses · Tax authority impersonation targets
Active since ~2019 · Ransomware delivery via government impersonation, Tax authority phishing, Invoice fraud
The False Tax arrives in the accounts payable inbox as a tax notice. It carries the branding, the formatting, the authority of the German BZSt or Italian revenue service. The attachment is not a tax form. By the time the finance team discovers this, the network is encrypted and the demand has arrived.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- Impersonation of German Federal Tax Authority (BZSt) for ransomware delivery
- Italian Revenue Agency (Agenzia delle Entrate) impersonation campaign
- Cobalt Strike and IcedID delivery via fake tax documents
- Maze ransomware affiliate - Maze Cartel participation
Defenses
- Email authentication verification - check sending domain legitimacy (CIS Control 9)
- Finance team training for government agency impersonation lures (NIST SP 800-50)
- Macro and script execution controls on finance workstations (CIS Control 2)
- Network segmentation isolating finance systems from broader IT (CIS Control 12)
Reversed: Their Weakness
TA2101's government impersonation approach creates a forensic trail through domain registration, hosting infrastructure, and language/translation quality that helped researchers identify campaign origin and attribute operations - impersonating government entities requires enough authentic-looking collateral to generate evidence.
Data sourced from MITRE ATT&CK. For educational purposes.