Proofpoint researchers have recently observed the reappearance of the TA866 group in email threat campaigns after a nine-month hiatus [4]. This group, known for both criminal activity and cyber espionage [4], has resurfaced using another threat actor [2], TA571 [2] [3] [4] [5], to distribute its malicious content [2].

TA866 has been active since October 2022 and initially targeted a small number of organizations with a limited number of emails. By the end of 2022 [2], however, the group began using traffic distribution systems (TDSes) to link to malicious content URLs [2], and its campaigns grew to thousands of emails [2]. On January 11, 2024 [4] [5], a large-scale campaign of thousands of emails primarily targeted North America [4]. The attackers sent malicious emails disguised as invoices, with PDF attachments named “Document_[10 digits].pdf” [4]. These attachments contained OneDrive links that led to a multi-stage infection chain involving JavaScript files, MSI files [4], and tools such as WasabiSeed and Screenshotter [1] [4], ultimately leading to the installation of malicious software [4].

It remains unclear what additional payload TA866 would install once satisfied with the screenshots captured by Screenshotter [1]. This attack closely resembled a previous campaign attributed to the TA571 group [4], indicating TA571's involvement alongside TA866 [4]. Notably, this campaign deviated from previous methods by using PDF attachments with OneDrive links instead of Publisher attachments with macros or TDS 404 URLs [4]. The post-exploitation tools used in this campaign were associated with the TA866 group [4], suggesting a financial motivation [3] [4].
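The two observable lures described above, the “Document_[10 digits].pdf” attachment name and a OneDrive link embedded in the PDF, can be checked at the mail gateway. The following is an added example written for this summary, not Proofpoint's code or a published detection rule; the sample message, the placeholder OneDrive URL and the minimal PDF bytes are constructed for illustration, and the OneDrive host list is an assumption.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Attachment naming convention reported for the campaign: Document_<10 digits>.pdf
ATTACHMENT_RE = re.compile(r"^Document_\d{10}\.pdf$", re.IGNORECASE)
# PDF link annotations store their target as "/URI (https://...)"
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]+)\)")
# Assumed OneDrive hostnames to flag (adjust for your environment)
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms")


def pdf_links(pdf_bytes):
    """Return every /URI target found in the raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in PDF_URI_RE.finditer(pdf_bytes)]


def suspicious_attachments(raw_eml):
    """Return (filename, onedrive_links) for attachments matching both lure traits."""
    msg = message_from_bytes(raw_eml)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if not ATTACHMENT_RE.match(name):
            continue
        payload = part.get_payload(decode=True) or b""
        links = [u for u in pdf_links(payload)
                 if any(host in u.lower() for host in ONEDRIVE_HOSTS)]
        if links:
            hits.append((name, links))
    return hits


def build_sample_eml():
    """Constructed invoice-themed message carrying a minimal PDF with a OneDrive link."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    fake_pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (https://1drv.ms/u/s!placeholder) >> >>\n"
                b"endobj\n%%EOF\n")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Document_1234567890.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, links in suspicious_attachments(build_sample_eml()):
        print(f"flagged {name}: {links}")
```

Real PDFs may compress object streams or use JavaScript/OpenAction rather than a plain link annotation, so treat this as a first-pass triage filter, not a complete parser.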

Proofpoint researchers also discovered another threat actor, called “BattleRoyal,” that utilized TDS networks [2]. BattleRoyal was found to make use of TA571’s services as well [2]. The cybercrime ecosystem involves various actors with specific roles, such as spam senders [2], loader sellers [2], and ransomware threat actors [2]. Previous TA866 campaigns involved the Rhadamanthys stealer [2], which is used to steal various types of data [2].

The resurgence of the TA866 group highlights the evolving nature of cyber threats and underscores the importance of constant vigilance and adaptive cybersecurity strategies. Organizations should be aware of the tactics employed by TA866, including the use of OneDrive links in PDF attachments, and take appropriate measures to protect their systems and data. Ongoing monitoring and collaboration with cybersecurity experts are crucial in mitigating the risks posed by such threat actors.