
TA584 and the Business of Breach: Selling Access at Scale

Red | Attack Report

Summary

TA584 is a long-running initial access broker active since 2020 that conducts large-scale phishing campaigns using ClickFix social engineering to deliver Tsundere Bot and XWorm malware. The actor impersonates trusted organizations and sends high-volume, targeted emails containing filtered links that lead victims to CAPTCHA-based landing pages designed to trick them into executing malicious PowerShell commands. The operation relies on layered redirection, infrastructure rotation, and IP filtering to evade detection, indicating a mature, scalable phishing operation focused on broad and sustained access generation. TA584 targets multiple industries including Healthcare, Government, Financial Services, Education, Business Services, Hospitals, Technology, Retail, Insurance, Construction, and Automotive across North America, Central America, the Caribbean, Europe, and Australia. The threat actor operates as an initial access broker, selling compromised network access to other cybercriminals, making this operation a critical enabler for downstream ransomware and data theft attacks.

Attack Details

Long-Running Initial Access Broker Operation

TA584 is a well-established initial access broker active since late 2020. It runs large-scale phishing campaigns that rely on ClickFix social engineering to deliver Tsundere Bot and XWorm malware. The operation focuses on speed, volume, and user manipulation rather than exploit-based intrusion.

Phishing Campaign Infrastructure and Impersonation

The attack begins with phishing emails sent from compromised legitimate accounts or trusted email platforms such as SendGrid and Amazon SES. These messages impersonate recognizable entities, including healthcare providers, government bodies, recruitment firms, and common business services. Each email contains a unique, victim-specific link that applies geofencing and IP filtering before allowing access to the next stage.

CAPTCHA-Based ClickFix Social Engineering

Victims who pass these checks are redirected to themed landing pages that display slide-based CAPTCHAs. Completing the CAPTCHA leads to a ClickFix prompt instructing the user to open the Windows Run dialog and execute a provided command. This step persuades the victim to manually launch a malicious PowerShell command, bypassing many security controls.

Tsundere Bot and XWorm Persistent Compromise

Once active, Tsundere Bot establishes persistent communication with its controller and profiles the system to generate a unique victim identifier. It collects basic hardware and operating system details and halts execution on systems configured for CIS-region languages, indicating deliberate targeting controls. Persistence is reinforced through an accompanying XWorm variant that hides registry run keys using null-byte obfuscation and launches hidden PowerShell activity at every reboot.

Massive Campaign Scale and Evolving Tactics

Campaigns range from thousands to nearly two hundred thousand messages, with targeting shifting by region and sector over time. TA584 has maintained consistent tradecraft for years while gradually expanding its reach. Recent activity suggests continued experimentation with payloads and a sustained effort to broaden victim coverage.

Recommendations

Restrict PowerShell Execution

Enforce Group Policy restrictions to limit PowerShell access to approved roles only, materially reducing exposure to ClickFix-style social engineering and user-driven code execution.

Block Node.js in User Directories

Use application control policies such as AppLocker or Windows Defender Application Control to prevent execution of node.exe from non-standard, user-writable locations including AppData\Local directories.

Monitor PowerShell Spawning Node.js

Create detection rules for powershell.exe or cmd.exe spawning node.exe processes, particularly when Node.js is located in user profile directories or other non-standard locations.

Block Ethereum RPC Endpoints

Block or monitor outbound traffic to Ethereum RPC providers used by Tsundere Bot for C2 retrieval, preventing the malware from receiving command and control instructions via the blockchain.

Inspect WebSocket Traffic

Implement network monitoring to detect and inspect WebSocket connections to unknown or uncategorized domains, as Tsundere Bot uses WebSockets for C2 communication.
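The two network recommendations above (Ethereum RPC endpoints and WebSocket connections to uncategorized domains) can be expressed as simple detection logic over web-proxy telemetry. The following is an added example written for this advisory, not code from HivePro or from the malware analysis: it runs over constructed proxy records, treats any JSON-RPC request invoking an `eth_*` method as a C2 lookup (the advisory does not state which RPC method Tsundere Bot uses, so that choice and the absence of any business need for blockchain access are assumptions), and flags WebSocket upgrades to hosts outside a defender-maintained list of expected WebSocket domains (`KNOWN_WEBSOCKET_DOMAINS`, also assumed).

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed web-proxy records, not real traffic from the campaign.
# Field layout: ts|src_ip|method|host|path|upgrade_header|request_body
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z|10.0.0.15|POST|rpc.eth-provider.test|/v3/KEY|-|{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xabc","data":"0x1234"},"latest"],"id":1}
2024-01-01T10:00:02Z|10.0.0.15|GET|ws.uncategorized.test|/socket|websocket|-
2024-01-01T10:00:03Z|10.0.0.22|GET|collab.corp.test|/hub|websocket|-
2024-01-01T10:00:04Z|10.0.0.22|POST|api.crm.test|/v1/leads|-|{"name":"x","method":"eth_call"}
2024-01-01T10:00:05Z|10.0.0.15|GET|cdn.partner.test|/lib.js|-|-
"""

# Assumption: the defender maintains the set of domains whose WebSocket use is expected.
KNOWN_WEBSOCKET_DOMAINS = {"collab.corp.test"}


@dataclass
class Alert:
    rule: str
    src_ip: str
    host: str
    detail: str


def parse_record(line: str) -> Optional[dict]:
    # maxsplit keeps the JSON body intact even if it contains '|'.
    parts = line.split("|", 6)
    if len(parts) != 7:
        return None
    keys = ("ts", "src_ip", "method", "host", "path", "upgrade", "body")
    return dict(zip(keys, parts))


def is_eth_jsonrpc(body: str) -> bool:
    """True only for a JSON-RPC envelope ("jsonrpc" key) invoking an eth_* method."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    if not isinstance(msg, dict) or "jsonrpc" not in msg:
        return False
    method = msg.get("method")
    return isinstance(method, str) and method.startswith("eth_")


def is_unknown_websocket(rec: dict) -> bool:
    return rec["upgrade"].lower() == "websocket" and rec["host"] not in KNOWN_WEBSOCKET_DOMAINS


def detect(log_text: str) -> list:
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and is_eth_jsonrpc(rec["body"]):
            rpc_method = json.loads(rec["body"])["method"]
            alerts.append(Alert("eth_rpc_c2_lookup", rec["src_ip"], rec["host"], "JSON-RPC " + rpc_method))
        if is_unknown_websocket(rec):
            alerts.append(Alert("websocket_unknown_domain", rec["src_ip"], rec["host"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_PROXY_LOG):
        print(alert.rule, alert.src_ip, alert.host, alert.detail)
```

The fourth sample record carries `"method":"eth_call"` without a `jsonrpc` envelope and is deliberately not flagged; requiring the envelope keeps ordinary business APIs that happen to use a `method` field out of the alert stream. In a real deployment the JSON-RPC rule would normally be paired with an allowlist of approved hosts rather than applied unconditionally.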

Monitor Registry for Hidden Keys

Deploy detection capabilities for registry modifications containing null-byte characters in key names, which are used by SharpHide for persistence evasion.
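The "Monitor PowerShell Spawning Node.js" and "Monitor Registry for Hidden Keys" recommendations above share the same shape: a rule applied to endpoint telemetry. The following is an added example written for this advisory, not code from HivePro, Sysmon, or any EDR product: it runs over constructed Sysmon-style process-creation and registry events, flags `powershell.exe` or `cmd.exe` launching `node.exe` (severity raised when the Node.js binary sits under a user profile, which the example treats as user-writable and non-standard), and flags registry key names containing a null byte. The event field layout, the `SCRIPT_HOSTS` set, and the assumption that a null byte may reach the log either as the raw byte or as the literal text `\x00` are all assumptions of the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style telemetry, not real events from the campaign.
# PROC|<parent image>|<child image>|<child command line>
# REG|<registry target object>
SAMPLE_EVENTS = [
    r"PROC|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Users\alice\AppData\Local\nodejs\node.exe|node.exe C:\Users\alice\AppData\Local\nodejs\main.js",
    r"PROC|C:\Windows\explorer.exe|C:\Program Files\nodejs\node.exe|node.exe server.js",
    r"PROC|C:\Windows\System32\cmd.exe|C:\Users\bob\Downloads\node.exe|node.exe -e 1",
    r"PROC|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files\nodejs\node.exe|node.exe build.js",
    r"REG|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater" + "\x00",
    r"REG|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

# Parents named in the advisory's recommendation.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
# Assumption: anything under a user profile is user-writable / non-standard for node.exe.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    severity: str
    detail: str


def is_user_profile_path(path: str) -> bool:
    return bool(USER_PROFILE_RE.match(path))


def check_process(parent: str, image: str, cmdline: str) -> Optional[Alert]:
    parent_name = ntpath.basename(parent).lower()
    image_name = ntpath.basename(image).lower()
    if parent_name not in SCRIPT_HOSTS or image_name != "node.exe":
        return None
    severity = "high" if is_user_profile_path(image) else "medium"
    return Alert("script_host_spawns_node", severity, f"{parent_name} -> {image} ({cmdline})")


def check_registry(target: str) -> Optional[Alert]:
    # The NUL may survive as the byte itself or, depending on how the log
    # pipeline serialises the field, as the literal text "\x00" (assumption).
    if "\x00" in target or "\\x00" in target.lower():
        return Alert("null_byte_registry_key", "high", repr(target))
    return None


def run(events) -> list:
    alerts = []
    for line in events:
        fields = line.split("|")
        if fields[0] == "PROC" and len(fields) == 4:
            alert = check_process(fields[1], fields[2], fields[3])
        elif fields[0] == "REG" and len(fields) == 2:
            alert = check_registry(fields[1])
        else:
            continue
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert.rule, alert.severity, alert.detail)
```

The second sample event (Explorer launching Node.js from `Program Files`) is the benign developer case and produces nothing; the fourth (PowerShell launching a properly installed Node.js) is kept at medium so a build script does not page anyone, while the user-profile cases reach high. Matching on the basename rather than the full path is deliberate, since the advisory's concern is precisely node.exe living in non-standard locations.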

Implement Network Segmentation

Segment networks to limit lateral movement capabilities if initial compromise occurs, particularly isolating systems that may process sensitive healthcare or financial data.

MITRE ATT&CK TTPs

Initial Access

  • T1566: Phishing
    • T1566.002: Spearphishing Link
  • T1078: Valid Accounts
    • T1078.004: Cloud Accounts

Execution

  • T1059: Command and Scripting Interpreter
    • T1059.001: PowerShell
  • T1204: User Execution
    • T1204.001: Malicious Link

Persistence

  • T1547: Boot or Logon Autostart Execution
    • T1547.001: Registry Run Keys / Startup Folder

Defense Evasion

  • T1027: Obfuscated Files or Information
    • T1027.010: Command Obfuscation
  • T1055: Process Injection
    • T1055.012: Process Hollowing
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools
  • T1564: Hide Artifacts
    • T1564.001: Hidden Files and Directories

Discovery

  • T1082: System Information Discovery

Command and Control

  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols
  • T1102: Web Service
    • T1102.002: Bidirectional Communication

Resource Development

  • T1583: Acquire Infrastructure
    • T1583.001: Domains
  • T1584: Compromise Infrastructure
    • T1584.003: Virtual Private Server

Indicators of Compromise (IOCs)

IP Addresses:

  • 94.159.113.37
  • 85.236.25.119
  • 80.64.19.148
  • 85.208.84.208
  • 178.16.52.242
  • 94.159.113.64
  • 193.17.183.126:3001

URL:

  • hxxp://94.159.113.37/ssd.png

SHA256 Hashes:

  • bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99
  • 441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30
