TA4903
TA4903 is a financially motivated BEC actor operating a two-stage playbook: first impersonate a US government agency to harvest corporate credentials through fake bid proposal portals, then use those stolen credentials to search compromised inboxes for payment threads and execute invoice fraud or payroll redirect. Tracked by Proofpoint since December 2021, the group has been active since at least 2019 and continues to evolve its delivery mechanisms.
Overview
TA4903 is a financially motivated cybercriminal threat actor that has been conducting high-volume credential phishing and business email compromise campaigns since at least 2019. Proofpoint began formally tracking the group in December 2021, when it first observed campaigns impersonating the US Department of Labor. The actor's operational tempo increased sharply in mid-2023 and remained elevated through 2024, with campaigns targeting hundreds to tens of thousands of recipients per run.
The group operates a clearly defined two-stage attack chain. In the first stage, phishing emails spoof US government agencies or small-to-medium businesses, directing targets to fake bid portals or document-sharing sites that clone legitimate infrastructure. Victims who enter credentials hand over access to corporate mailboxes. In the second stage, TA4903 searches those mailboxes for financial keywords — banking information, payment, merchant — and pivots to BEC fraud using thread hijacking or lookalike domains to request fraudulent payments or redirect payroll.
PDF metadata from phishing documents used in government-spoofing campaigns contains an author name consistent with Nigerian origin. Proofpoint attributes the activity to TA4903 based on consistent patterns in domain construction, email lure content, and hosting provider selection across campaigns spanning several years.
Target Profile
TA4903 targets organizations located in the United States across a broad range of industries, with particular focus on sectors that routinely process large financial transactions or maintain complex supplier networks.
- Construction: Project-based billing cycles and multi-party payment chains create frequent opportunities to intercept or redirect payment communications.
- Finance and Professional Services: Accounting firms and financial intermediaries handle client funds and are targeted at elevated frequency; professional services firms represented a significant share of phishing campaign targets in early 2025.
- Healthcare: High volume of vendor payments and insurance transactions make healthcare organizations a consistent target for invoice manipulation.
- Manufacturing and Energy: Complex supplier relationships and recurring remittance patterns create openings for thread-hijacking attacks impersonating known vendors.
- Food and Beverage: Observed as a recurring spoofing theme in SMB-impersonation campaigns beginning mid-2023.
- Government-adjacent organizations: Entities that regularly engage with federal bidding or contracting processes are especially susceptible to the initial government-spoofing lure phase.
Tactics, Techniques & Procedures
The following TTPs are derived from Proofpoint threat intelligence, the Anomali research team, and open-source reporting on TA4903 campaign activity observed from 2021 through 2025.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | PDF attachments containing embedded links or QR codes direct targets to fake government bid portals or credential phishing sites. |
| T1566.002 | Phishing: Spearphishing Link | Direct URL delivery via email body, often leading to cloned Microsoft O365 login pages or spoofed agency portals. |
| T1598.002 | Phishing for Information: Spearphishing Attachment | PDF lures themed after spoofed agencies (DOT, USDA, DOL, SBA, HUD, DOC) used to harvest corporate credentials. |
| T1598.003 | Phishing for Information: Spearphishing Link | Embedded QR codes redirect to phishing infrastructure; victims scanning codes are taken to O365 lookalike login flows. |
| T1078 | Valid Accounts | Stolen credentials are used to log into legitimate victim mailboxes, typically within six days of credential capture per Proofpoint honeypot analysis. |
| T1114.002 | Email Collection: Remote Email Collection | Compromised mailboxes are searched for financial keywords including "bank information," "payment," and "merchant" to identify BEC opportunities. |
| T1586.002 | Compromise Accounts: Email Accounts | Thread hijacking using compromised email accounts allows TA4903 to insert fraudulent payment requests into existing, trusted email threads. |
| T1584.001 | Compromise Infrastructure: Domains | Actor registers domains that closely resemble legitimate supplier or business partner domains to send BEC messages with spoofed sender addresses. |
| T1557 | Adversary-in-the-Middle | EvilProxy (a reverse proxy MFA bypass toolkit) was used throughout 2023 to intercept session cookies and defeat MFA on Microsoft and Google accounts. |
| T1656 | Impersonation | Systematic impersonation of US government agencies (DOT, USDA, DOL, SBA, HUD, DOC) and SMBs across construction, manufacturing, finance, and food and beverage sectors. |
Known Campaigns
TA4903 operates in distinct phases defined by the spoofed entity and delivery mechanism. Campaign volume ranges from hundreds to tens of thousands of messages per run.
The first activity Proofpoint formally attributed to TA4903 (December 2021): emails impersonated the US Department of Labor with PDF lures directing recipients to fake bid submission portals. Subsequent 2022 campaigns expanded to include the Department of Commerce, Department of Housing and Urban Development, and Department of Transportation.
First observed use of QR codes embedded in PDFs. Campaigns impersonating the USDA directed victims to scan QR codes that redirected to O365 credential capture pages. This marked a significant delivery evolution, deploying quishing to evade link-based detection controls.
TA4903 subscribed to EvilProxy at approximately $400 per month, using the reverse proxy framework to intercept real-time session cookies from MFA-protected accounts. This allowed credential theft even when targets used authenticator apps or push notifications. EvilProxy usage declined in late 2023 and had not been observed in 2024.
Shift from government spoofing toward impersonating small and medium-sized businesses across construction, manufacturing, energy, finance, and food and beverage sectors. Emails claimed the sender had suffered a cyberattack and requested updated banking information. Messages were benign in content (no malicious links) and used actor-owned lookalike domains spoofing likely suppliers. Operational tempo was notably higher than prior campaigns.
High-frequency campaigns using invoicing, remittance, and ACH payment themes. Campaigns draw on intelligence gathered from previously compromised accounts, targeting a victim's known business partners and financial institutions. Thread hijacking from compromised accounts is a common execution path. Proofpoint honeypot testing confirmed credentials captured via government-themed phishing were used within six days to search mailboxes for payment-related threads.
Tools & Infrastructure
TA4903 relies on phishing-as-a-service tooling, custom domain infrastructure, and cloned government portal sites rather than traditional malware. No commodity RAT or loader has been attributed to this actor.
- EvilProxy: Reverse proxy MFA bypass toolkit used throughout 2023. Deployed as a subscription service at approximately $400 per month, enabling real-time session cookie interception to defeat MFA on Microsoft and Google accounts. Usage tapered off in late 2023.
- Cloned Government Portals: Phishing sites are direct visual clones of spoofed agency websites, themed consistently with the impersonated organization. PDF attachments feature matching branding and are constructed from consistent metadata, including an author field attributed to Nigerian origin.
- Lookalike Domains: The actor registers new domains referencing government entities and private organizations at high frequency. Domains are used in both credential phishing infrastructure and as sender/reply-to addresses in BEC campaigns.
- HTML Attachments: Beginning in 2023, TA4903 added HTML and zipped HTML attachments as delivery options alongside PDF lures, likely to evade PDF-based detection signatures.
- QR Codes: Embedded within PDF attachments from late 2023 onward, used to redirect victims to phishing pages while bypassing URL reputation scanning in email security products.
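The "Lookalike Domains" entry above describes the actor's sender infrastructure; as an added example (not TA4903 tooling and not code from Proofpoint, Anomali or any product), here is a defender-side check that flags a sender domain differing from a trusted partner domain by a single character, a hyphen, or a TLD swap. The trusted-domain list and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that resemble, but are not, a trusted partner domain.

Added example for this profile; the TRUSTED_DOMAINS set and every address
below are constructed, not real partner data.
"""
from __future__ import annotations
import re

# Constructed allow-list of domains a finance team legitimately corresponds with.
TRUSTED_DOMAINS = {"acme-builders.com", "northwind-supply.com", "contoso.com"}

def registrable_label(domain: str) -> tuple[str, str]:
    """Return (name, tld) for a domain; simplified: last label is the TLD,
    the label before it is the name (so 'mail.contoso.com' -> ('contoso', 'com'))."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str] | None:
    """Return (trusted_domain, reason) when sender_domain imitates a trusted
    domain, else None. Reasons follow the patterns in the profile: TLD
    substitution, hyphen added/removed, or a single-character difference."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted:
        return None
    s_name, s_tld = registrable_label(sender_domain)
    for t in trusted:
        t_name, t_tld = registrable_label(t)
        if s_name == t_name and s_tld != t_tld:
            return t, "tld-substitution"
        if s_name != t_name and s_name.replace("-", "") == t_name.replace("-", ""):
            return t, "hyphen-variant"
        if s_tld == t_tld and edit_distance(s_name, t_name) == 1:
            return t, "single-char-difference"
    return None

def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or bare 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""
```

Run the check against both the From and Reply-To headers, since the profile notes the actor uses lookalike domains in either position.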
Indicators of Compromise
TA4903 registers new domains at high frequency across campaigns, so domain-based indicators have short shelf lives with this actor and may be stale or burned soon after public disclosure. Indicators in public reporting are best treated as patterns rather than durable artifacts. Live IOC lists are maintained by Anomali and Proofpoint ET Intelligence; cross-reference them before blocking.
Proofpoint seeded credentials into a TA4903-controlled DOT-themed phishing portal and observed the actor using those credentials within six days to search email history. This honeypot analysis provides direct behavioral evidence of the actor's post-compromise workflow and establishes the six-day access window as an operationally relevant detection timeframe.
Mitigation & Defense
TA4903's two-stage attack chain — credential harvest followed by mailbox exploitation — creates multiple detection opportunities if the right controls are in place.
- Phishing-Resistant MFA: EvilProxy and similar adversary-in-the-middle toolkits bypass SMS, authenticator app, and push-based MFA by stealing session cookies. FIDO2/WebAuthn hardware keys and passkeys are not susceptible to this interception technique and should be prioritized for privileged and finance-role accounts.
- Email Authentication (DMARC, DKIM, SPF): Enforced DMARC policies reduce the ability of TA4903 to send convincing messages from lookalike domains spoofing your organization to your partners. Publish strict DMARC policies and monitor reporting feeds for spoofing attempts.
- Mailbox Audit Logging: Enable audit logging for mailbox access and keyword-based search activity. Alert on access from unfamiliar IP addresses or geographic locations, especially when followed by searches for financial keywords within a compressed timeframe.
- QR Code Awareness Training: Educate employees that QR codes embedded in email attachments — including those appearing to come from government agencies — should be treated with the same suspicion as links. Phishing awareness programs should include quishing scenarios.
- Payment Change Verification Procedures: Establish an out-of-band verification requirement for any request to update banking details, payment routing information, or payroll direct deposit. Phone verification using a number on file — not a number provided in the request — is the minimum acceptable control.
- Sender Domain Scrutiny: Train staff to inspect the full sender address and reply-to address on any financially themed email. Lookalike domains often differ from legitimate addresses by a single character, a hyphen, or a TLD substitution.
- Conditional Access Policies: Implement conditional access rules in Microsoft Entra ID (Azure AD) that flag or block logins from unfamiliar devices, locations, or IP ranges, particularly for accounts in finance, HR, and accounts payable roles.
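As an added example for the Mailbox Audit Logging control above (not code from Proofpoint or any product), the following correlates two audit events the profile singles out: a sign-in from an IP the user has never used, followed within the six-day window established by the honeypot analysis by a mailbox search for one of the financial keywords. The event shape and field names are a simplified, constructed stand-in for an audit-log export, not a vendor schema, and the sample events are constructed.

```python
"""Detect: unfamiliar-IP sign-in followed by a financial-keyword mailbox search
within six days. Added example; event shape and all sample data are constructed.
"""
from datetime import datetime, timedelta

# Keywords from the profile's description of post-compromise mailbox searches.
FINANCIAL_KEYWORDS = ("bank information", "payment", "merchant")
ACCESS_WINDOW = timedelta(days=6)   # six-day window from the honeypot observation

# Constructed baseline: IPs each user normally signs in from.
BASELINE_IPS = {"cfo@example-corp.com": {"203.0.113.10"}}

# Constructed sample events (UTC ISO timestamps); "op" names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "user": "cfo@example-corp.com", "op": "UserLoggedIn", "ip": "203.0.113.10"},
    {"time": "2024-03-02T22:14:00", "user": "cfo@example-corp.com", "op": "UserLoggedIn", "ip": "198.51.100.77"},
    {"time": "2024-03-05T03:40:00", "user": "cfo@example-corp.com", "op": "SearchQueryInitiated",
     "ip": "198.51.100.77", "query": "bank information"},
    {"time": "2024-03-06T10:00:00", "user": "cfo@example-corp.com", "op": "SearchQueryInitiated",
     "ip": "203.0.113.10", "query": "quarterly offsite"},
]

def event_time(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])

def detect(events, baseline=BASELINE_IPS, window=ACCESS_WINDOW):
    """Return one alert per (user, ip) pair where a sign-in from an IP outside
    the user's baseline is followed, within `window`, by a search from that
    same IP containing a financial keyword. Searches from baseline IPs and
    searches outside the window do not alert."""
    events = sorted(events, key=event_time)
    pending = {}   # (user, ip) -> time of first sign-in from an unfamiliar IP
    alerts = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["op"] == "UserLoggedIn" and ev["ip"] not in baseline.get(ev["user"], set()):
            pending.setdefault(key, event_time(ev))
        elif ev["op"] == "SearchQueryInitiated" and key in pending:
            query = ev.get("query", "").lower()
            hit = next((k for k in FINANCIAL_KEYWORDS if k in query), None)
            if hit and event_time(ev) - pending[key] <= window:
                alerts.append({"user": ev["user"], "ip": ev["ip"], "keyword": hit,
                               "login": pending[key].isoformat(), "search": ev["time"]})
    return alerts
```

A real deployment would derive the baseline from historical sign-in data and feed the alert into case management; the correlation logic itself is what the control above asks for.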
Sources & Further Reading
Attribution and references used to build this profile.
- Proofpoint — TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids (2024)
- BleepingComputer — Hackers Impersonate U.S. Government Agencies in BEC Attacks (2024)
- Infosecurity Magazine — TA4903 Phishing Campaigns Evolve, Targets US Government (2024)
- Anomali Cyber Watch — TA4903 Spoofs U.S. Agencies for BEC (2024)
- Cybersecurity News — TA4903 Hackers Spoofing U.S. Government Entities (2024)
- Malpedia — TA4903 Threat Actor Entry