
Threat Actor Characterization

TA578

ID: 7c3997c8dc0bad89bccc6b369497edf256712
Cybercrime Phishing Operator
Threat types: Phishing, Malware, Intrusion
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-22
Progress: 51% Completeness: 51% Freshness: 50%
Operation zone: UNKNOWN
Aliases: none registered.
MITRE ATT&CK®

TA578 (G1038) is an email/contact-form phishing cluster active since 2020 that distributes loaders and stealers including IcedID, Bumblebee, and Latrodectus via reply-chain hijacks, malicious links and ISO attachments; campaigns enable credential theft and follow-on access.


Technique | Technique name | Tactic | Evidence

T1566.002 | Spearphishing Link | TA0001 (Initial Access)
  • 2020-06 — Proofpoint observed TA578 delivering IcedID in email campaigns using business-themed lures and links.

T1204.001 | User Execution: Malicious Link | TA0002 (Execution)
  • 2024-01 — Vendor reporting documents campaigns in which malicious JavaScript/BAT files, reached via links in email, downloaded MSI/DLL payloads (Latrodectus chains).

T1566.001 | Spearphishing Attachment | TA0001 (Initial Access)
  • 2022-05-09 — SANS/ISC documented thread-hijacked emails delivering ISO attachments that led to Bumblebee payloads linked to TA578 activity.

T1105 | Ingress Tool Transfer | TA0011 (Command and Control)
  • 2022-05-09 — Use of cloud-hosted download links (storage.googleapis.com and other transient hosts) to transfer loader binaries and payloads to victims.

T1059 | Command and Scripting Interpreter | TA0002 (Execution)
  • 2024-10-08 — Latrodectus JavaScript/BAT chains execute MSI/DLL payloads via script interpreters as part of the initial execution chain.
Strategic Intelligence
Last updated: 2025-10-25T22:00:47+00:00
TA578 — email/contact-form initial access operator distributing loaders (IcedID, Latrodectus, Bumblebee)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

TA578 (MITRE G1038) is a financially motivated criminal activity cluster tracked by multiple vendors since 2020. It conducts email-based and contact-form campaigns to deliver malware loaders and stealers, historically including IcedID, Ursnif, Bumblebee, BazaLoader and Buer, and more recently the Latrodectus loader. The actor uses thread-hijacked reply chains, phishing links, malicious attachments (including ISO files) and business-impersonation lures to induce victims to fetch or execute payloads. TA578 campaigns have been observed delivering follow-on tooling such as Cobalt Strike and commodity stealers; vendors document sustained activity from 2020 through 2025. Confidence in these operational facts: high.


  • Industries / Sectors: Broad — observed targets include enterprise and government recipients across multiple verticals (TA578 uses opportunistic phishing themes such as copyright, legal notices, stolen images and business contact).
  • Geography (Region): Global — campaigns observed across EMEA, APAC and the Americas; distribution via email and public web contact forms.
  • Timeframe: 2020-05 — 2025-05+ (tracking since mid-2020; Latrodectus use observed Nov 2023 onward; continued activity documented through 2025).
Executive Analyst Brief for CISO

No content yet.
Hunting Playbook — TA578 (G1038)
IOC Appendix (TLP:WHITE)
Last updated: 2025-11-25T20:46:00+00:00
OSINT Library

No content yet.
Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images / Associated Evidence

No images found for this threat.