Threat Intelligence Tarot
cups · 5
Criminal (Russian-speaking, suspected)
G0092
risk 4/5
The Broker
TA505
Hive0065 · GRACEFUL SPIDER
Financial institutions · Healthcare · Retail · Global · 250+ countries targeted
Active since ~2014 · Malware distribution as a service, Ransomware delivery, Banking trojan deployment
TA505 is infrastructure. It does not specialize in one crime - it specializes in delivery. The Broker runs one of the largest spam and malware distribution operations ever documented, renting its capacity to ransomware groups, banking trojan operators, and whoever pays. It is a criminal logistics company: the lures, the loaders and the mail volume are its own; the payload is frequently someone else's.
Tactics & Techniques
Tactic chain (ATT&CK order): Reconnaissance (RCN) · Resource Development (RDV) · Initial Access (INI) · Execution (EXC) · Persistence (PRS) · Privilege Escalation (PRV) · Defense Evasion (EVA) · Credential Access (CRD) · Discovery (DSC) · Lateral Movement (LAT) · Collection (COL) · Command and Control (C2) · Exfiltration (EXF) · Impact (IMP)
T1566.001 · Spearphishing Attachment · Initial Access
T1204.002 · Malicious File · Execution
T1059.003 · Windows Command Shell · Execution
T1105 · Ingress Tool Transfer · Command and Control
T1486 · Data Encrypted for Impact · Impact
T1134 · Access Token Manipulation · Privilege Escalation
Notable Operations
  • Dridex banking trojan distribution - large-scale banking fraud
  • Locky ransomware global campaigns
  • FlawedAmmyy RAT and ServHelper malware distribution
  • Clop ransomware affiliate operations
Defenses
Reversed: Their Weakness
TA505's scale - the sheer volume of malicious email - ultimately generates extensive telemetry that feeds detection systems globally. The same volume that makes it dangerous makes it one of the best-documented threat actors, with indicator sharing across the security industry.

Data sourced from MITRE ATT&CK. For educational purposes.