Threat Actor Characterization

TA577

ID: 4177a76e7299ce14d383074bf5dc1aa457090
Type: Cybercrime Phishing Operator
Threat types: Phishing, Malware, Intrusion
Attribution: Unknown
Updated: 2026-01-26
Created: 2025-10-22
Progress: 61% | Completeness: 57% | Freshness: 70%
Operation zone: UNKNOWN
Aliases: none registered.
MITRE ATT&CK®

TA577 is a prolific, email-focused initial access broker that historically distributed QakBot and, after the 2023 takedown, pivoted to Pikabot and early Latrodectus campaigns; in March 2024 it added forced-authentication flows to steal NTLM credentials.


Technique | Technique name | Tactic | Evidence

T1566.002 — Spearphishing Link (TA0001)
  • 2023-05-12 — TA577 ran multiple email delivery chains (PDF, LNK, ISO, OneNote, CHM) linked to malware payload distribution.

T1204.001 — Malicious Link (TA0002)
  • 2023-05-12 — Campaign success relies on user execution of malicious links/attachments across rotating file formats.
  • 2020-03-02 — Technique definition for malicious-link user execution aligned with TA577 delivery chains.

T1187 — Forced Authentication (TA0006)
  • 2024-03-04 — Proofpoint observed TA577 using a new chain aimed at stealing NTLM authentication information (forced authentication).
  • 2018-01-16 — MITRE technique reference for Forced Authentication to capture NTLM over SMB/WebDAV.

T1027.009 — Embedded Payloads (TA0005)
  • 2023-05-12 — Use of embedded/obfuscated payloads within benign-looking files across shifting delivery chains.
  • 2022-09-30 — Technique reference for embedded payloads in files.
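The T1187 entry above describes forced authentication used to capture NTLM over SMB/WebDAV. As an added example (not part of this profile and not one of the cited vendor's rules), the following Python hunt flags the defender-side signal that technique leaves: an internal host initiating SMB (tcp/445) or WebDAV client traffic to a destination outside the organisation's address space. The two log formats, the sample lines (using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the internal network list are constructed assumptions; adapt the parser to your own firewall and proxy schemas.

```python
"""Hunt for forced-authentication (T1187) candidates in firewall and proxy logs.

Added example with constructed data: the key=value log formats, the sample
lines and INTERNAL_NETS are assumptions, not TA577 indicators or the
platform's own hunting rules.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the organisation's internal address space. Anything outside
# these ranges is treated as external for the purposes of this hunt.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines: "fw" records are firewall connections,
# "proxy" records are web-proxy requests. 203.0.113.x / 198.51.100.x are
# reserved documentation ranges standing in for arbitrary external hosts.
SAMPLE_LOGS = """\
2024-03-05T10:12:03Z fw src=10.1.2.3 dst=10.1.2.50 dport=445 proto=tcp action=allow
2024-03-05T10:12:04Z fw src=10.1.2.3 dst=203.0.113.10 dport=445 proto=tcp action=allow
2024-03-05T10:12:05Z proxy src=10.1.2.3 method=PROPFIND url=http://203.0.113.10/share/ ua="Microsoft-WebDAV-MiniRedir/10.0.19045" status=401
2024-03-05T10:12:09Z proxy src=10.1.2.7 method=GET url=https://example.com/ ua="Mozilla/5.0" status=200
2024-03-05T10:12:11Z fw src=10.1.2.9 dst=198.51.100.4 dport=443 proto=tcp action=allow
"""

# key=value pairs, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# PROPFIND is WebDAV-specific; OPTIONS alone is noisy, but paired with the
# Windows WebDAV client user agent it is a strong signal.
WEBDAV_METHODS = {"PROPFIND", "OPTIONS"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source: str
    destination: str
    reason: str


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into (ts, kind, dict); None if malformed."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in KV_RE.finditer(rest)}
    return ts, kind, fields


def is_external(host):
    """True when the host is not inside INTERNAL_NETS. Hostnames that are not
    IP literals cannot be resolved offline, so they are treated as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def hunt_forced_auth(log_text):
    """Return Findings for internal hosts talking SMB or WebDAV to external hosts."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        if kind == "fw" and f.get("dport") == "445" and is_external(f.get("dst", "")):
            findings.append(Finding(ts, f.get("src", "?"), f["dst"],
                                    "outbound SMB (tcp/445) to external host"))
        elif kind == "proxy":
            host = urlsplit(f.get("url", "")).hostname or ""
            ua = f.get("ua", "")
            if (f.get("method") in WEBDAV_METHODS or "WebDAV" in ua) and is_external(host):
                findings.append(Finding(ts, f.get("src", "?"), host,
                                        f"WebDAV client traffic ({f.get('method')}, ua={ua}) to external host"))
    return findings


if __name__ == "__main__":
    for finding in hunt_forced_auth(SAMPLE_LOGS):
        print(f"{finding.timestamp} {finding.source} -> {finding.destination}: {finding.reason}")
```

On the constructed sample the hunt reports two findings, both from 10.1.2.3: the SMB connection to 203.0.113.10 and the PROPFIND with the Windows WebDAV client user agent to the same host, while internal SMB and ordinary HTTPS browsing are left alone. In production the same logic is usually cheaper to express as a SIEM query, but the two conditions (external destination, SMB or WebDAV client behaviour) are the ones to keep.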
Strategic Intelligence
Last updated: 2025-10-27T19:15:15+00:00
TA577 — Prolific initial-access broker and malware distributor (QakBot → Pikabot/Latrodectus)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

TA577 is a financially motivated, email-centric threat actor tracked by Proofpoint as an initial-access broker (IAB). Historically one of the most active QakBot affiliates, the group pivoted to Pikabot after the August 2023 QakBot takedown and was among the first observed to distribute the Latrodectus loader in late 2023 [sources: MITRE ATT&CK, Red Canary, Proofpoint]. Throughout 2023–2025, TA577 relied on large-scale phishing and thread hijacking, delivering loaders such as IcedID/Ursnif in prior waves and later Pikabot/Latrodectus, with frequent packaging shifts (LNK, ISO, HTML/JS, CHM, OneNote) [source: Proofpoint]. In March 2024, Proofpoint documented a notable technique pivot: campaigns crafted to steal NTLM authentication information via forced authentication flows, expanding beyond pure loader delivery [source: Proofpoint].

Overall assessment: TA577 demonstrates adaptable delivery tradecraft, rapid payload substitution, and credible capacity to seed follow-on access for ransomware affiliates. Confidence: high for payload/use history; medium for specific initial-access vectors per campaign.

  • Industries/Sectors: Broad enterprise targeting typical of crimeware IABs (finance, manufacturing, professional services, government, education), with lures tailored to business workflows (reply-chains, invoices, HR, shipping). INFERENCE (confidence: medium) based on multi-vertical telemetry in public reporting of the delivered families.
  • Geography (Region): Global distribution observed by vendors; campaigns routinely span North America and Europe. INFERENCE (confidence: medium).
  • Countries (if available): Not consistently constrained; global.
  • Timeframe: At least 2021–2025 (distinct payload phases across 2021–2025).
  • Orientation/Motive: Profit-driven access brokering for downstream crimeware/ransomware operations. INFERENCE (confidence: high).
  • Typical tradecraft: High-volume email, thread-hijacking, link- and attachment-based delivery, staging to loaders (QakBot→Pikabot/Latrodectus), experimentation with file formats, occasional identity-centric objectives (NTLM theft).
  • Umbrella affiliations: Not publicly claimed; overlaps stem from payload ecosystems (e.g., QakBot, IcedID, Pikabot, Latrodectus) used by multiple crews. INFERENCE (confidence: medium).
Executive Analyst Brief for CISO

What: TA577 (IAB) delivers loaders (historically QakBot; later Pikabot/Latrodectus) via thread-hijacked email and link/attachment chains; in 2024 it added NTLM forced-auth credential theft.
Hunting Playbook (20+ ready-to-paste rules)

Email/Proxy
IOC Appendix (TLP:WHITE)
Last updated: 2025-11-25T20:45:59+00:00

Minimal, vetted indicators tied to TA577’s loader ecosystem. Prefer **behavioral** detection; these IOCs churn quickly.