Current Cyber Threats

Can't Stop, Won't Stop: TA584 Innovates Initial Access

Summary:
TA584, a prolific initial access broker (IAB) also tracked as Storm-0900, has significantly evolved its tactics throughout 2025 to bypass modern security controls. Historically known for more predictable patterns, the group transitioned in the latter half of the year to a high-velocity operational model characterized by short-lived campaigns that churn rapidly. Key innovations include the adoption of "ClickFix" social engineering, which tricks users into executing malicious PowerShell commands under the guise of fixing browser or document errors, and the deployment of a new Node.js-based malware dubbed Tsundere Bot. The actor’s delivery chain has become increasingly complex, utilizing compromised legitimate email accounts, geo-fencing, and IP filtering to ensure only intended targets reach their malicious landing pages. Once a target is compromised, TA584 typically delivers payloads like XWorm or Tsundere Bot, which often serve as precursors to ransomware deployment.


Security Officer Comments:
It is critical to recognize that TA584 represents a tier of cybercriminal activity that bridges the gap between traditional phishing and sophisticated state-sponsored techniques. Their shift toward "file-less" execution, specifically using PowerShell commands copied directly into the system clipboard, directly challenges traditional file-scanning and sandbox solutions. For our broad range of stakeholders, from critical infrastructure operators to retail and financial services, the impact is twofold: first, the actor’s use of compromised, aged, and authenticated domains makes email "sender reputation" a less reliable metric for security; second, their use of the Ethereum blockchain (EtherHiding) for C2 infrastructure makes their command-and-control traffic harder to disrupt via standard DNS blacklisting. This actor is essentially "innovating at the speed of defense," meaning organizations can no longer rely on static indicators of compromise (IoCs), which may expire within hours.


Suggested Corrections:
  • Restrict users from running PowerShell unless necessary for their job function.
  • Use application control policies (like AppLocker or Windows Defender Application Control) to prevent the execution of tools like node.exe from non-standard, user-writable locations such as “C:\Users\*\AppData\Local\”.
  • Create detection rules for powershell[.]exe or cmd[.]exe spawning a node[.]exe process, especially when node[.]exe is located in a user's AppData or other non-standard locations.
  • Block or monitor Ethereum endpoints. The malware relies on a hardcoded list of public Ethereum RPC providers to retrieve its C2 server address. Blocking (or monitoring) outbound traffic to these specific URLs at the network firewall or web proxy can prevent the malware from receiving its instructions.
  • Monitor and inspect WebSocket traffic. The malware uses WebSockets (ws:// or wss://) for C2 communication. Implement network monitoring to detect and inspect WebSocket connections to unknown or uncategorized domains.
  • Consider disabling Windows+R via Group Policy for users who do not need it for their job function.
  • Organizations should train users to recognize this activity (ClickFix-style prompts to paste and run a command to "fix" a browser or document error) and report it to their security teams. This is very specific training but can be integrated into an existing user training program.
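The process-spawning detection recommended above, written out as an added example (not from Proofpoint or the original advisory): it scores process-creation events where a command shell launches node.exe, weighting those where the node.exe binary sits under a user's AppData directory. The sample events are constructed; including pwsh.exe as a parent goes slightly beyond the page, which names only powershell.exe and cmd.exe.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative, not indicators taken from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Local\nodejs\node.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\bob\AppData\Roaming\node\node.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\nodejs\node.exe"},          # benign developer use
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Program Files\nodejs\node.exe"},          # shell parent, standard path
]

# Shells the advisory flags as parents; pwsh.exe (PowerShell 7) is an added assumption.
SHELL_PARENTS = {"powershell.exe", "cmd.exe", "pwsh.exe"}

# User-writable profile location named in the advisory (C:\Users\*\AppData\...).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so image names compare reliably."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["Image"]) != "node.exe":
        return None
    shell_parent = basename(event["ParentImage"]) in SHELL_PARENTS
    user_path = bool(USER_WRITABLE.match(event["Image"]))
    if shell_parent and user_path:
        return "high"        # the exact pattern the advisory calls out
    if shell_parent or user_path:
        return "medium"      # one of the two conditions; worth a look, not a page
    return None


def detect(events):
    """Return (severity, image path) for every event that scores."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["Image"]))
    return hits


if __name__ == "__main__":
    for severity, image in detect(SAMPLE_EVENTS):
        print(f"{severity:6} {image}")
```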

Link(s):
https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access