Active Threat Profile

Type: Cybercrime
Threat level: Critical
Status: Active
Origin: Russia / Eastern Europe (organized crime)
Last updated: 2026-03-27

TA505

Also known as: FIN11, GRACEFUL SPIDER, Lace Tempest, Spandex Tempest, CHIMBORAZO, DEV-0950, Hive0065, GOLD TAHOE, ATK103

Assessed as the largest phishing and malspam distributor in the world, responsible for some of the most impactful ransomware campaigns of the past decade. TA505 drove the Dridex banking trojan and Locky ransomware campaigns through the Necurs botnet, then pivoted to Clop ransomware — culminating in a serial zero-day exploitation strategy against enterprise file transfer platforms that collectively breached thousands of organizations, including multiple US federal agencies, across the Accellion, GoAnywhere, MOVEit, and Cleo campaigns.

Attributed origin: Russia / CIS (assessed)
Suspected sponsor: Organized crime (no state link confirmed)
First observed: 2014 (named by Proofpoint)
Primary motivation: Financial (ransomware / extortion / IAB)
Primary targets: Finance, Healthcare, Government, Enterprise
Total extorted: $500M+ (estimated)
MITRE ATT&CK group: G0092
Target regions: Global (North America, Europe, Asia-Pacific)
Threat level: CRITICAL

Overview

TA505 is a Russian-speaking financially motivated cybercrime group that has operated since at least 2014. The designation was assigned by Proofpoint, whose researchers identified the group as responsible for the largest malicious spam campaigns they had ever observed. Through the first several years of operation, TA505 leveraged the Necurs botnet — at the time the world's largest spam distribution infrastructure — to send tens of millions of malicious emails per day delivering Dridex banking trojans and Locky ransomware. The group's operating tempo followed a standard workweek pattern, Monday through Friday, with campaign volumes sometimes reaching tens of millions of messages in a single day.

TA505 functions as a multifaceted criminal enterprise rather than a single-purpose threat group. Its operations span industrial-scale phishing and malspam distribution, development and operation of custom malware including remote access trojans and ransomware, initial access brokering (selling network access to other criminal groups), and Ransomware-as-a-Service (RaaS) operations. The Clop ransomware operation — TA505's flagship since approximately 2019 — is considered the group's most profitable unit, having extorted an estimated $500 million or more from victims globally and directly affected more than 11,000 organizations.

The group is assessed with high confidence to be based in Russia or a Commonwealth of Independent States (CIS) country, based on multiple lines of evidence: Clop malware explicitly checks for Russian-language keyboard layouts and CIS system configurations and terminates itself if detected; code comments and group communications contain Russian-language elements; operational timing aligns with Eastern European working hours; and the group avoids targeting organizations within Russia or former Soviet states. Despite this Russian origin, TA505 has publicly denied any political or state affiliation, framing itself as a financially motivated criminal organization. No specific TA505 leadership identities have been publicly confirmed; arrests in Ukraine in June 2021 netted six suspected Clop gang members but did not disrupt the group's operations.

The defining characteristic of TA505's operational evolution is a consistent pattern of identifying the most lucrative attack surface and pivoting to exploit it at scale. In 2014–2018, that was high-volume malspam through Necurs. In 2019–2020, it was targeted enterprise ransomware using Clop. From 2020 onward, it became the systematic zero-day exploitation of enterprise file transfer platforms — a strategy the group has now executed four times against Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, and MOVEit Transfer, plus a fifth campaign against Cleo software in late 2024 that was still producing victim disclosures into 2025. By Q1 2025, Clop surpassed LockBit to become the single most prolific ransomware group by publicly disclosed breaches, with nearly 400 named victims in that quarter alone.

Target Profile

TA505 does not restrict its targeting to specific sectors or geographies in the way that many APT groups do. Proofpoint has described the group as an "equal opportunist" that pursues whatever targets offer the highest financial return at any given time. That said, distinct targeting patterns emerge across different operational phases.

  • Financial Services: The primary target during the Dridex and early Clop phases. Banking institutions, payment processors, and financial services firms were prioritized for credential theft and fraud facilitation. FlawedAmmyy RAT campaigns in 2018–2019 were explicitly focused on financial sector organizations.
  • Healthcare: Consistently targeted across ServHelper campaigns and Clop ransomware operations. Healthcare organizations are valued for the sensitivity of patient data, constrained security budgets, and high willingness to pay ransoms to restore operations critical to patient care.
  • Government and Public Sector: Multiple US federal agencies were among the victims of the 2023 MOVEit Transfer exploitation campaign, confirmed by CISA. Government entities in North America, Europe, and Asia have been targets across multiple TA505 campaign generations.
  • Enterprise File Transfer Customers: The dominant targeting category since 2020. Any organization using Accellion FTA, GoAnywhere MFT, MOVEit Transfer, or Cleo software products was at risk during the respective zero-day exploitation windows — meaning victim selection was determined by which enterprise software was being exploited rather than by sector.
  • Retail and E-commerce: Heavily targeted during early Dridex campaigns for payment card data and customer credential theft. Less prominent in post-2020 operations focused on enterprise ransomware and extortion.

Tactics, Techniques & Procedures

TA505's TTPs span two distinct operational eras. The first (2014–2019) was characterized by industrial-scale malspam using Necurs. The second (2020–present) is defined by targeted enterprise exploitation and data-theft extortion. Both eras share an underlying architecture of custom tooling, rapid TTP adaptation, and financially optimized decision-making.

MITRE ATT&CK technique mapping:

  • T1190 (Exploit Public-Facing Application): The primary initial access method in post-2020 operations. TA505 has exploited zero-day vulnerabilities in Accellion FTA (CVE-2021-27101/27102/27103/27104), GoAnywhere MFT (CVE-2023-0669), MOVEit Transfer (CVE-2023-34362), and Cleo LexiCom/VLTrader/Harmony (CVE-2024-50623 / CVE-2024-55956). Attacks on Accellion and MOVEit were deliberately timed around US federal holidays to exploit reduced security staffing windows.
  • T1566.001 (Spearphishing Attachment): The primary initial access method during 2014–2019. TA505 distributed hundreds of millions of malicious emails via the Necurs botnet carrying macro-enabled Office documents, VBScript in ZIP and 7-Zip archives, and LNK files. Lure themes included invoices, HR notices, legal documents, banking alerts, and COVID-19 content. The group operated Monday through Friday with near-daily campaign cadence.
  • T1505.003 (Web Shell): Custom web shells deployed on compromised file transfer appliances enable persistent server-side access independent of endpoint-based detection. DEWMODE (PHP-based) targeted Accellion FTA servers to interact with the underlying MySQL database. LEMURLOOT (C#-based) targeted MOVEit Transfer, authenticating via a hardcoded password and enabling file download, Azure settings extraction, and user account manipulation. Malichus/Cleopatra (Java-based) was deployed in Cleo attacks for reconnaissance, command execution, and data exfiltration.
  • T1486 (Data Encrypted for Impact): Clop ransomware uses AES encryption to encrypt victim files and appends .clop or similar extensions. Early operations combined encryption with data exfiltration. From approximately 2021 onward, TA505 increasingly shifted toward data exfiltration without encryption in supply chain exploitation campaigns, prioritizing speed of data theft over the operational overhead of deploying ransomware.
  • T1567 (Exfiltration Over Web Service): Stolen data is aggregated and exfiltrated, then published on the Tor-hosted Cl0p^_-LEAKS data leak site if ransom negotiations fail. More recently, Clop has also used torrents for data leaks, distributing stolen files through peer-to-peer networks in a manner that makes takedowns significantly more difficult for law enforcement.
  • T1059.001 (PowerShell / Scripting Interpreter): PowerShell and Windows Command Shell are used extensively throughout TA505 attack chains for dropper execution, payload staging, lateral movement commands, and privilege escalation. LOLBins — legitimate Windows tools including PowerShell, wscript, and mshta — were adopted from 2018 onward to reduce signature-based detection footprint. CVE-2024-55956 in Cleo software was exploited specifically by manipulating the Autorun directory to execute arbitrary PowerShell and Bash commands as an unauthenticated user.
  • T1078 (Valid Accounts / IAB Access): TA505 operates an initial access broker (IAB) function, purchasing or harvesting stolen credentials for use in its own operations and selling network access to other criminal groups. RDP credential abuse is a documented entry point for Clop ransomware deployment. The group's IAB services contribute to the broader cybercriminal ecosystem, enabling other ransomware affiliates to operate.
  • T1490 (Inhibit System Recovery): Clop terminates processes associated with security tools, databases, and backup software before encrypting files. Batch scripts delete Volume Shadow Copies and disable Windows automatic recovery to prevent file restoration without payment. These actions maximize ransom leverage by eliminating recovery options.
  • T1027 (Obfuscated Files / Signed Binaries): Clop binaries are digitally signed with verified certificates to appear as legitimate executables and bypass security software signature checks. TA505 uses signed payloads as a consistent evasion mechanism across multiple campaign generations. Excel 4.0 macro variants of ServHelper used signed payloads to further evade detection.
  • T1497 (Virtualization / Sandbox Evasion): Clop malware performs a check of the system's keyboard layout and active system fonts at execution. If a Russian-language or Commonwealth of Independent States (Azerbaijan, etc.) configuration is detected, the ransomware terminates and deletes itself, protecting the operator's domestic environment from accidental self-infection.

Known Campaigns

Major confirmed operations across TA505's operational history, from the Necurs-era malspam campaigns through the Clop zero-day exploitation series.

Dridex & Locky Necurs Era 2014–2018

TA505's foundational operational period. The group distributed the Dridex banking trojan and Locky ransomware at unprecedented scale using the Necurs botnet, sending tens of millions of malicious emails per campaign day. Locky was introduced in 2016 and became the dominant ransomware payload through 2017. Proofpoint assessed these as the largest malicious spam campaigns ever observed at the time. Lulls in activity consistently corresponded with Necurs botnet disruptions, confirming deep operational dependency. Other payloads distributed in this era include Jaff ransomware, GlobeImposter, The Trick banking trojan, Kegotip infostealer, and Bart ransomware — many of which were otherwise low-profile strains elevated to global threat status through TA505's distribution scale.

FlawedAmmyy, ServHelper & SDBBot Targeted Phase 2018–2020

From 2018, TA505 reduced bulk campaign volume and shifted toward more targeted operations. FlawedAmmyy RAT — built from leaked source code of the legitimate Ammyy Admin remote desktop tool — was deployed in campaigns explicitly targeting financial sector organizations. ServHelper backdoor was introduced as a persistence mechanism designed to survive reboots and user logoffs, supporting longer dwell times. SDBBot was introduced as a RAT for post-compromise operations. LOLBins (wscript, mshta, PowerShell) replaced more detectable custom droppers. Get2 downloader was used to stage subsequent payloads. This era reflects TA505's deliberate move from spray-and-pray volume to surgical "big game hunting" targeting of large enterprises.

Clop Ransomware Launch & Double Extortion 2019–2020

Clop ransomware was first observed in February 2019, distributed via large-scale spear-phishing campaigns using macro-enabled documents to drop Get2 loader, which staged SDBot, FlawedGrace, and Cobalt Strike before deploying Clop as the final payload. Clop evolved from the CryptoMix ransomware family and was notably distributed as a digitally signed binary to bypass security controls. In early 2020, TA505 adopted double extortion — exfiltrating data before encryption and threatening publication on the Cl0p^_-LEAKS Tor leak site — adding data exposure as a second extortion lever alongside file encryption. This model set a template rapidly adopted by the broader ransomware industry.

Accellion FTA Zero-Day Campaign 2020–2021

Beginning December 23, 2020 — deliberate holiday timing to exploit reduced security staffing — TA505 exploited multiple zero-day vulnerabilities (CVE-2021-27101 through CVE-2021-27104) in Accellion's legacy File Transfer Appliance (FTA), which was approaching end of life. A web shell named DEWMODE was installed on compromised appliances to interact with the underlying MySQL database and exfiltrate stored files. Approximately 100 organizations were breached. Six Clop gang members were arrested by Ukrainian authorities in June 2021 in coordination with US and South Korean law enforcement, but TA505 resumed operations through other personnel.

GoAnywhere MFT Zero-Day Campaign 2023

In late January 2023, TA505 exploited a zero-day vulnerability in Fortra's GoAnywhere MFT platform (CVE-2023-0669), a remote code injection flaw that was actively exploited for approximately two weeks before the vendor identified the breach. Over 130 organizations were claimed as victims over the course of 10 days. Lateral movement from GoAnywhere into broader victim networks was not identified, suggesting the campaign was limited to data accessible through the MFT platform. Clop contacted victims via email with ransom notes directed at executive leadership.

MOVEit Transfer Zero-Day Campaign 2023

Beginning May 27, 2023 — during the US Memorial Day holiday weekend — TA505 exploited a SQL injection zero-day (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file transfer solution, deploying the LEMURLOOT web shell (masquerading as the legitimate human.aspx file) to steal data from underlying databases. LEMURLOOT authenticated via a hardcoded password and enabled file downloads, Azure system settings extraction, and user account manipulation. The campaign affected hundreds of organizations and thousands of downstream entities in supply chain-style propagation. Multiple US federal agencies were confirmed as victims. Clop claimed to have exfiltrated data from "hundreds of companies" and began publishing victim names on June 14, 2023. This campaign is considered the largest single file transfer exploitation event in history by victim count, with estimates ranging from 2,500 to over 60 million individuals affected across victim organizations.

Cleo Software Zero-Day Campaign 2024–2025

In late 2024, TA505 exploited vulnerabilities in Cleo's LexiCom, VLTrader, and Harmony managed file transfer products — first CVE-2024-50623 (unrestricted file upload/download enabling remote code execution) and subsequently CVE-2024-55956, a separate unauthenticated file write vulnerability that allowed execution of arbitrary PowerShell and Bash commands via Cleo's Autorun directory feature. Cleo's initial patch for CVE-2024-50623 was found to be ineffective, with fully patched systems remaining exploitable. Clop deployed a Java-based post-exploitation framework tracked as Malichus by Huntress and Cleopatra by Arctic Wolf. On December 24, 2024, Clop announced 66 companies had 48 hours to negotiate before public disclosure. By February 2025, 182 victim organizations had been named on the Clop leak site. The campaign was ongoing as of mid-2025. Clop became the most active ransomware group globally in Q4 2024 and Q1 2025 as a result of this campaign.

Tools & Malware

TA505 maintains an unusually broad and continuously updated malware arsenal, reflecting sustained investment in tooling development across more than a decade of operation. Proofpoint has documented the group as a trendsetter in criminal malware distribution — tools introduced or scaled by TA505 frequently become industry-wide threats.

  • Clop (Cl0p): TA505's flagship ransomware, first observed February 2019. Evolved from the CryptoMix family. Uses AES encryption, deploys digitally signed binaries, and explicitly avoids execution on Russian/CIS-language systems. Shifted from double-extortion (encrypt + leak) to pure data theft and extortion from approximately 2021 onward. Victim data published on Tor-hosted Cl0p^_-LEAKS site. The RaaS model allows affiliates to deploy Clop in exchange for a revenue share.
  • Dridex: A banking trojan used as TA505's primary credential-theft payload through 2014–2018. Distributed through Necurs botnet at volumes reaching tens of millions of daily messages. Targeted online banking credentials and payment card data.
  • Locky: Ransomware introduced by TA505 in 2016 that defined a new era of mass-distributed ransomware. Distributed through Necurs at unprecedented scale. Largely superseded by Clop in TA505's toolkit but remained in use through 2017–2018.
  • FlawedAmmyy RAT: A remote access trojan built from leaked source code of the legitimate Ammyy Admin remote desktop application. Used for data theft, command execution, and hands-on-keyboard operator activity during targeted intrusions. Provides persistent remote access for reconnaissance, lateral movement, and data staging.
  • FlawedGrace (GraceWire): A second RAT derived from the same Ammyy Admin source code lineage as FlawedAmmyy. Used alongside FlawedAmmyy in targeted campaigns and downloaded by TrueBot as a second-stage payload during later Clop deployment chains.
  • ServHelper: A backdoor with multiple variants providing persistent access and payload delivery. Service-based persistence mechanism survives reboots and user logoffs. Excel 4.0 macro variants used signed payloads to evade detection. Used for credential harvesting and staging additional payloads.
  • Get2: A downloader used in the Clop initial access chain, retrieving SDBot, FlawedAmmyy, FlawedGrace, and Cobalt Strike from C2 infrastructure. Typically deployed via macro-enabled Office document.
  • SDBBot: A RAT deployed post-compromise via SDBot for hands-on-keyboard operations including reconnaissance and lateral movement.
  • TrueBot: A first-stage downloader module used in collaboration with the Silence hacking group, capable of system information collection, screenshot capture, and downloading FlawedGrace or Cobalt Strike beacons. Associated with Clop deployment chains from 2022 onward.
  • DEWMODE: PHP-based web shell deployed on compromised Accellion FTA servers during the 2020–2021 campaign. Interacted with the underlying MySQL database to enable data extraction from the appliance.
  • LEMURLOOT: C#-based web shell deployed on MOVEit Transfer servers during the 2023 campaign. Masqueraded as the legitimate human.aspx file. Authenticated via hardcoded password; enabled file downloads, Azure settings extraction, and user account manipulation.
  • Malichus / Cleopatra: Java-based post-exploitation framework and RAT deployed in Cleo software attacks (2024–2025). Provided reconnaissance capability, arbitrary command execution, and data exfiltration from compromised Cleo environments.
  • Cobalt Strike: Commercial penetration testing tool widely abused by TA505 for post-compromise network access expansion, particularly after gaining access to Active Directory environments.

Indicators of Compromise

Key indicators from TA505 and Clop campaigns. Given the group's decade-long operational history and frequent infrastructure rotation, IOC currency must be verified before operational use.

Warning

TA505 rotates infrastructure frequently and adapts tooling across campaign generations. IOCs from earlier campaigns (Necurs era, Accellion, GoAnywhere) should be treated as burned. For current Clop/Cleo-era indicators, refer to CISA Advisory AA23-158A, vendor-published Cleo CVE advisories, and live threat intelligence feeds. The CISA advisory provides the most comprehensive IOC set for the MOVEit campaign.

Key technical identifiers:

  • Web shell (MOVEit): LEMURLOOT — human2.aspx (masquerading as human.aspx)
  • Web shell (Accellion): DEWMODE — PHP web shell interacting with MySQL database
  • Framework (Cleo): Malichus / Cleopatra — Java-based post-exploitation RAT
  • Ransom note filenames: ClopReadMe.txt; README_README.txt; Cl0pReadMe.txt
  • File extension (encrypted): .clop; .CIOP; .C_L_O_P (and variations)
  • Leak site (Tor): CL0P^_-LEAKS (Tor-hosted data extortion portal)
  • CVE (MOVEit): CVE-2023-34362 — SQL injection in MOVEit Transfer web application
  • CVE (GoAnywhere): CVE-2023-0669 — Remote code injection in GoAnywhere MFT
  • CVE (Accellion): CVE-2021-27101 / 27102 / 27103 / 27104 — Accellion FTA
  • CVE (Cleo): CVE-2024-50623 / CVE-2024-55956 — Cleo LexiCom/VLTrader/Harmony
  • LEMURLOOT auth header: X-siLock-Comment (HTTP request header used for LEMURLOOT authentication)
  • Evasion behavior: CIS/Russian keyboard layout check at execution — self-terminates and deletes if detected
  • Cleo Autorun abuse: Malicious files written to Cleo Autorun directory for unauthenticated PowerShell/Bash execution (CVE-2024-55956)
  • CISA advisory: AA23-158A — comprehensive IOC set for MOVEit campaign including C2 IPs and LEMURLOOT signatures
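The two LEMURLOOT identifiers listed above (the human2.aspx drop name and the X-siLock-Comment request header) turned into a retrospective log-triage check. This is an added example, not code from the profile or from any vendor; it assumes MFT web requests exported as JSON lines with ts, src, method, path, status and headers fields (a constructed format), and the sample log is constructed.

```python
import json
from typing import Dict, Iterable, List

# Indicators from the profile: LEMURLOOT was dropped as human2.aspx (masquerading
# as MOVEit's legitimate human.aspx) and authenticated via the X-siLock-Comment header.
WEBSHELL_PATHS = {"/human2.aspx"}
WEBSHELL_AUTH_HEADER = "x-silock-comment"


def classify_request(event: Dict) -> List[str]:
    """Return the LEMURLOOT-related reasons this request matches (empty list if clean)."""
    reasons = []
    # Compare the path without its query string and case-insensitively: IIS serves
    # /Human2.ASPX and /human2.aspx as the same file, so an attacker-chosen casing
    # must not slip past the check.
    path = str(event.get("path", "")).split("?", 1)[0].lower()
    if path in WEBSHELL_PATHS:
        reasons.append("request to human2.aspx (LEMURLOOT drop name)")
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if WEBSHELL_AUTH_HEADER in headers:
        reasons.append("X-siLock-Comment header present (LEMURLOOT authentication)")
    return reasons


def triage_mft_log(lines: Iterable[str]) -> List[Dict]:
    """Walk JSON-lines request records and return one finding per suspicious request."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # corrupt export line: skip it rather than abort the whole sweep
        reasons = classify_request(event)
        if not reasons:
            continue
        findings.append({
            "ts": event.get("ts"),
            "src": event.get("src"),
            "path": event.get("path"),
            # both indicators together is the shell's actual usage pattern
            "severity": "high" if len(reasons) == 2 else "medium",
            "reasons": reasons,
        })
    return findings


# Constructed sample export (not real traffic): a legitimate MOVEit login page hit,
# a LEMURLOOT-style request, a header-only anomaly, and a corrupt line.
SAMPLE_LOG = """
{"ts": "2023-05-28T03:12:41Z", "src": "203.0.113.5", "method": "GET", "path": "/human.aspx", "status": 200, "headers": {"User-Agent": "Mozilla/5.0"}}
{"ts": "2023-05-28T03:14:02Z", "src": "198.51.100.7", "method": "POST", "path": "/Human2.aspx?x=1", "status": 200, "headers": {"X-siLock-Comment": "<constructed-value>", "User-Agent": "Mozilla/5.0"}}
{"ts": "2023-05-28T03:15:19Z", "src": "198.51.100.7", "method": "GET", "path": "/api/v1/token", "status": 401, "headers": {"x-silock-comment": "<constructed-value>"}}
this line is not JSON
"""

if __name__ == "__main__":
    for finding in triage_mft_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

Run it against a real export only after confirming the proxy or WAF actually records request headers; a header-only match is graded medium because the page names the header as the shell's authentication mechanism, not as something unique to it.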

Mitigation & Defense

Recommended controls and practices for organizations seeking to reduce exposure to TA505 and Clop ransomware operations, informed by documented TTPs across all campaign generations.

  • Patch File Transfer Software Immediately: TA505's strategy centers on zero-day exploitation of managed file transfer products. Treat patches for Cleo, MOVEit Transfer, GoAnywhere MFT, and similar products as emergency priority. Apply patches within hours of release, not days — TA505's exploitation windows can be measured in days before patches are widely deployed.
  • Move File Transfer Systems Behind Firewalls: Internet-exposed Cleo instances were the attack surface for the 2024–2025 campaign. Any managed file transfer product that does not require public internet exposure should be placed behind a firewall or VPN. Huntress specifically advised this as an interim mitigation during the Cleo campaign while patches were being developed.
  • Disable Unnecessary Autorun and Macro Features: CVE-2024-55956 was exploited via Cleo's Autorun directory feature. Disable Autorun where not operationally required. Similarly, disable Office macro execution in environments where macros are not needed — the Necurs-era campaigns and early Clop chains relied entirely on macro-enabled documents for initial payload delivery.
  • Deploy Web Application Firewalls and Inspect MFT Traffic: LEMURLOOT was identifiable by the X-siLock-Comment HTTP header. Web application firewall (WAF) rules targeting anomalous HTTP headers on MFT endpoints can detect web shell command-and-control traffic. Monitor for unusual HTTP request patterns on file transfer server applications.
  • Protect and Monitor Volume Shadow Copies: Clop deletes Volume Shadow Copies as a standard pre-encryption step. Monitor for VSS deletion events (vssadmin delete shadows, wmic shadowcopy delete) as a high-fidelity ransomware pre-cursor indicator requiring immediate response.
  • Block RDP Exposure: TA505 uses compromised RDP credentials for direct network access in some intrusion chains. Disallow any RDP connections directly to the internet. Require VPN or jump server for all RDP access. Enforce MFA on all remote access mechanisms.
  • Validate Signed Binaries Carefully: Clop uses digitally signed binaries to appear legitimate. Security tools should be configured to validate certificate chain integrity rather than accepting signatures uncritically. Monitor for signed binaries in unexpected paths or with certificates from unfamiliar issuers.
  • Immutable Offline Backups: Clop attempts to destroy or encrypt backup infrastructure. Maintain offline, immutable backups of critical data that cannot be reached by malware on the network. Test restoration procedures regularly — backup existence without tested recovery is insufficient.
  • Email Security and Macro Controls: Although TA505's current primary vector is file transfer exploitation, phishing and malspam remain part of the operational toolkit. Deploy advanced email security with sandboxing for attachments, disable macro execution from internet-sourced Office documents, and train users on recognizing invoice and document lure themes.
  • Monitor for TrueBot, FlawedGrace, and Cobalt Strike: These tools signal active TA505 intrusion and typically appear before Clop deployment. TrueBot C2 callbacks, FlawedGrace process injection, and Cobalt Strike beaconing are all actionable pre-ransomware indicators. Integrate behavioral signatures for these tools into EDR and SIEM platforms.
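The Volume Shadow Copy monitoring item above as working detection logic: an added example, not code from the profile or from any vendor product. It assumes process-creation telemetry exported as JSON lines with host, user, parent and cmdline fields (a constructed format), and the sample events are constructed.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Pre-encryption commands named in the profile: Clop deletes shadow copies with
# vssadmin or wmic before encrypting. Patterns run on a normalised command line so
# casing, quoting and argument spacing do not matter; the optional ".exe" covers
# both bare and full-path invocations.
VSS_DELETION_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
}


def normalise_cmdline(cmdline: str) -> str:
    """Drop quotes, collapse whitespace and case-fold so trivial variations still match."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def match_vss_deletion(cmdline: str) -> Optional[str]:
    """Return the name of the matching rule, or None for a benign command line."""
    norm = normalise_cmdline(cmdline)
    for name, pattern in VSS_DELETION_PATTERNS.items():
        if pattern.search(norm):
            return name
    return None


def detect_vss_deletion(lines: Iterable[str]) -> List[Dict]:
    """Scan JSON-lines process-creation events and return one alert per shadow-copy deletion."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # corrupt telemetry line: skip, do not abort the scan
        rule = match_vss_deletion(str(event.get("cmdline", "")))
        if rule is None:
            continue
        # The parent process is kept because it is what an analyst needs next:
        # a deletion spawned from an odd parent is the real triage signal.
        alerts.append({
            "rule": rule,
            "host": event.get("host"),
            "user": event.get("user"),
            "parent": event.get("parent"),
            "cmdline": event.get("cmdline"),
        })
    return alerts


# Constructed sample events (raw string so the JSON backslash escapes survive):
# a quoted full-path vssadmin deletion, a benign listing, an over-spaced wmic
# deletion, and a benign wmic query.
SAMPLE_EVENTS = r"""
{"host": "FS01", "user": "CORP\\svc-backup", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "\"C:\\Windows\\System32\\vssadmin.exe\"  Delete Shadows /All /Quiet"}
{"host": "FS01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "vssadmin list shadows"}
{"host": "WS17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\Temp\\update.exe", "cmdline": "WMIC.exe   SHADOWCOPY   DELETE"}
{"host": "WS17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "wmic process list brief"}
"""

if __name__ == "__main__":
    for alert in detect_vss_deletion(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

The two patterns cover only the commands the profile names; the "disable Windows automatic recovery" step it also mentions needs its own rule.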

Analyst Note

The relationship between TA505 and FIN11 is a point of ongoing analytical debate. Some vendors treat them as synonymous designations for the same group; others track FIN11 as a distinct but overlapping subset of TA505 that operates the Clop RaaS. MITRE ATT&CK assigns G0092 to TA505 with Hive0065, Spandex Tempest, and CHIMBORAZO listed as associated names. The Canadian Centre for Cyber Security lists FIN11, GRACEFUL SPIDER, Lace Tempest, DEV-0950, GOLD TAHOE, GOLD EVERGREEN, and several others as TA505 aliases. The practical implication for defenders is that any detection of Clop, TrueBot, FlawedGrace, LEMURLOOT, or DEWMODE should be treated as a high-confidence TA505 indicator regardless of which vendor designation is used. Despite the 2021 Ukrainian arrests, TA505 has maintained full operational continuity, suggesting sufficient organizational depth to absorb law enforcement actions without disruption.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile