
Threat Actor Characterization

TA505

ID: 3096a101f68888b9770d28d37bdf765648253
Cybercrime Ransomware Affiliate
Threat types: Ransomware, Data Leak, Intrusion
Unknown
Updated: 2026-02-23
Created: 2025-10-20
Progress: 44% Completeness: 33% Freshness: 70%
Operation zone:
Aliases: FIN11
MITRE ATT&CK®

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop. Ref: https://attack.mitre.org/groups/G0092/


Technique | Technique name | Tactics | Evidence
T1027.002 Software Packing TA0005
  • Obfuscated Files or Information: Software Packing - TA505 has used UPX to obscure malicious code.
T1027.010 Command Obfuscation TA0005
  • Obfuscated Files or Information: Command Obfuscation - TA505 has used base64 encoded PowerShell commands.
T1027.013 Encrypted/Encoded File TA0005
  • Obfuscated Files or Information: Encrypted/Encoded File - TA505 has password-protected malicious Word documents.
T1055.001 Dynamic-link Library Injection TA0004 TA0005
  • Process Injection: Dynamic-link Library Injection - TA505 has been seen injecting a DLL into winword.exe.
T1059.001 PowerShell TA0002
  • Command and Scripting Interpreter: PowerShell - TA505 has used PowerShell to download and execute malware and reconnaissance scripts.
T1059.003 Windows Command Shell TA0002
  • Command and Scripting Interpreter: Windows Command Shell - TA505 has executed commands using cmd.exe.
T1059.005 Visual Basic TA0002
  • Command and Scripting Interpreter: Visual Basic - TA505 has used VBS for code execution.
T1059.007 JavaScript TA0002
  • Command and Scripting Interpreter: JavaScript - TA505 has used JavaScript for code execution.
T1071.001 Web Protocols TA0011
  • Application Layer Protocol: Web Protocols - TA505 has used HTTP to communicate with C2 nodes.
T1078.002 Domain Accounts TA0001 TA0003 TA0004 TA0005
  • Valid Accounts: Domain Accounts - TA505 has used stolen domain admin accounts to compromise additional hosts.
T1087.003 Email Account TA0007
  • Account Discovery: Email Account - TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.
T1204.001 Malicious Link TA0002
  • User Execution: Malicious Link - TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.
T1204.002 Malicious File TA0002
  • User Execution: Malicious File - TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.
T1218.007 Msiexec TA0005
  • System Binary Proxy Execution: Msiexec - TA505 has used msiexec to download and execute malicious Windows Installer files.
T1218.011 Rundll32 TA0005
  • System Binary Proxy Execution: Rundll32 - TA505 has leveraged rundll32.exe to execute malicious DLLs.
T1552.001 Credentials In Files TA0006
  • Unsecured Credentials: Credentials In Files - TA505 has used malware to gather credentials from FTP clients and Outlook.
T1553.002 Code Signing TA0005
  • Subvert Trust Controls: Code Signing - TA505 has signed payloads with code signing certificates from Thawte and Sectigo.
T1553.005 Mark-of-the-Web Bypass TA0005
  • Subvert Trust Controls: Mark-of-the-Web Bypass - TA505 has used .iso files to deploy malicious .lnk files.
T1555.003 Credentials from Web Browsers TA0006
  • Credentials from Password Stores: Credentials from Web Browsers - TA505 has used malware to gather credentials from Internet Explorer.
T1559.002 Dynamic Data Exchange TA0002
  • Inter-Process Communication: Dynamic Data Exchange - TA505 has leveraged malicious Word documents that abused DDE.
T1562.001 Disable or Modify Tools TA0005
  • Impair Defenses: Disable or Modify Tools - TA505 has used malware to disable Windows Defender.
T1566.001 Spearphishing Attachment TA0001
  • Phishing: Spearphishing Attachment - TA505 has used spearphishing emails with malicious attachments to initially compromise victims.
T1566.002 Spearphishing Link TA0001
  • Phishing: Spearphishing Link - TA505 has sent spearphishing emails containing malicious links.
T1568.001 Fast Flux DNS TA0011
  • Dynamic Resolution: Fast Flux DNS - TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.
T1583.001 Domains TA0042
  • Acquire Infrastructure: Domains - TA505 has registered domains to impersonate services such as Dropbox to distribute malware.
T1588.001 Malware TA0042
  • Obtain Capabilities: Malware - TA505 has used malware such as Azorult and Cobalt Strike in their operations.
T1588.002 Tool TA0042
  • Obtain Capabilities: Tool - TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.
T1608.001 Upload Malware TA0042
  • Stage Capabilities: Upload Malware - TA505 has staged malware on actor-controlled domains.
Strategic Intelligence
No content.
Executive Analyst Brief for CISO
No content yet.
Hunting Playbook
No content yet.
IOC Appendix
No content yet.
OSINT Library
No content yet.
Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.