
Threat Actor Characterization

TA551

ID: 6b116128b71ca3e0bd0730a8d0f5787647909
Classification: Cybercrime / Cybercriminal
Threat types: Intrusion, Loader/Dropper, Malware
Attribution: Unknown
Updated: 2026-01-13
Created: 2025-10-21
Profile metrics: Progress 38%, Completeness 33%, Freshness 50%
Operation zone: UNKNOWN
Aliases: Shathak
MITRE ATT&CK®

TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. Ref: https://attack.mitre.org/groups/G0127/


Techniques (technique ID, technique name, tactic, evidence):

T1027.003 Obfuscated Files or Information: Steganography (TA0005, Defense Evasion)
  Evidence: TA551 has hidden encoded data for malware DLLs in a PNG.
T1027.010 Obfuscated Files or Information: Command Obfuscation (TA0005, Defense Evasion)
  Evidence: TA551 has used obfuscated variable names in a JavaScript configuration file.
T1059.003 Command and Scripting Interpreter: Windows Command Shell (TA0002, Execution)
  Evidence: TA551 has used cmd.exe to execute commands.
T1071.001 Application Layer Protocol: Web Protocols (TA0011, Command and Control)
  Evidence: TA551 has used HTTP for C2 communications.
T1132.001 Data Encoding: Standard Encoding (TA0011, Command and Control)
  Evidence: TA551 has used encoded ASCII text for initial C2 communications.
T1204.002 User Execution: Malicious File (TA0002, Execution)
  Evidence: TA551 has prompted users to enable macros within spearphishing attachments to install malware.
T1218.005 System Binary Proxy Execution: Mshta (TA0005, Defense Evasion)
  Evidence: TA551 has used mshta.exe to execute malicious payloads.
T1218.010 System Binary Proxy Execution: Regsvr32 (TA0005, Defense Evasion)
  Evidence: TA551 has used regsvr32.exe to load malicious DLLs.
T1218.011 System Binary Proxy Execution: Rundll32 (TA0005, Defense Evasion)
  Evidence: TA551 has used rundll32.exe to load malicious DLLs.
T1566.001 Phishing: Spearphishing Attachment (TA0001, Initial Access)
  Evidence: TA551 has sent spearphishing attachments with password-protected ZIP files.
T1568.002 Dynamic Resolution: Domain Generation Algorithms (TA0011, Command and Control)
  Evidence: TA551 has used a DGA to generate URLs from executed macros.
T1589.002 Gather Victim Identity Information: Email Addresses (TA0043, Reconnaissance)
  Evidence: TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.