TA584 is a prominent initial access broker tracked by Proofpoint since November 2020, known for its high-volume campaigns targeting organizations globally. The actor employs various TTPs, including macro-enabled Excel documents, aggressive URL filtering, and geo-fenced landing pages, while frequently changing lures and delivery methods to evade detection. In 2025, TA584 expanded its geographic targeting to include Germany and Australia, while also introducing new malware such as Tsundere Bot alongside XWorm with the "P0WER" configuration. The actor's campaigns are characterized by rapid turnover and deliberate variability, making static indicators less effective for detection.
Also known as
Storm-0900.
References
Actor metadata imported from Malpedia (Fraunhofer FKIE).