Status: active | Threat classification: cybercrime | Last updated: 2025-03-27

TA544 / Narwhal Spider

Also known as: Narwhal Spider, Bamboo Spider, Storm-0302, Gold Essex, Zeus Panda, Hive0133

A financially motivated cybercriminal group with an unusually deep geographic specialization in Italian targets. Ursnif (Gozi) banking trojan campaigns targeting Italian organizations have been TA544's dominant activity since at least 2017, with 2021 alone generating nearly half a million malicious messages against Italy. The group developed WikiLoader — a sophisticated malware-as-a-service downloader first detected in December 2022 — then began renting it to other cybercriminal actors, and by late 2023 had started expanding beyond Italy toward the US, Canada, and broader Europe.

Attributed origin: Unknown
Suspected sponsor: None — financially motivated cybercriminal group
First observed: February 2017 (Panda Banker campaigns targeting Italy)
Primary motivation: Financial — credential theft, banking fraud, malware-as-a-service
Primary targets: Italian financial, IT, manufacturing, energy, retail sectors; Japan
Known campaigns: 20+ in Italy (2021 alone); expanding globally
MITRE ATT&CK group: Not formally catalogued
Target regions: Italy (primary), Japan (secondary), US / Canada / Europe (expanding)
Threat level: HIGH

Overview

TA544 is a financially motivated cybercriminal group first tracked by Proofpoint in February 2017, when it began distributing Panda Banker malware in high-volume campaigns targeting Italian organizations. Over the years that followed, the group expanded its malware portfolio significantly — delivering more than six distinct payloads across multiple variants — while maintaining an unusually focused geographic specialization on Italy and Japan that distinguishes it from other financially motivated threat actors operating at comparable scale.

The group's defining operational characteristic is volume. Campaigns regularly reach hundreds of thousands of messages per day, and in 2021, Proofpoint observed nearly 20 notable campaigns distributing hundreds of thousands of messages targeting Italian organizations in a single eight-month window — a count that surpassed the total number of equivalent campaigns observed in all of 2020. In that same period, Ursnif became the most frequently observed malware targeting Italian organizations by campaign volume. TA544 accounts for a substantial portion of that activity, operating two distinct Ursnif affiliate IDs: affiliate 1000 for high-volume Japanese targeting and affiliate 4779 for moderate-volume Italian targeting across technology, manufacturing, and IT verticals.

In December 2022, TA544 introduced WikiLoader — a sophisticated, multi-stage malware downloader with advanced sandbox evasion, encoded strings, and an architecture designed to be rented selectively to other cybercriminal actors. WikiLoader is also tracked as WailingCrab by IBM X-Force, which identifies the operator as Hive0133, a cluster that overlaps significantly with TA544. By mid-2023, WikiLoader had been adopted by at least one other threat actor (TA551) and had evolved through three distinct versions, adding MQTT-based C2 communications that route through legitimate IoT broker infrastructure to conceal the true command-and-control server address. The development and monetization of WikiLoader represents a strategic expansion from end-user targeting to malware infrastructure provision — a capability tier typical of more sophisticated cybercriminal organizations.

Beginning in late 2023 and accelerating through 2024, TA544/Narwhal Spider began expanding its geographic targeting beyond Italy and Japan. A March 2024 campaign observed by BlueVoyant used AI-assisted translation to craft multilingual phishing lures in multiple languages, disguised as invoices from law firms, targeting organizations in the United States, Canada, and broader Europe. A summer 2024 WikiLoader campaign delivered via SEO poisoning spoofed Palo Alto Networks GlobalProtect VPN software and reached US higher education and transportation sectors in addition to Italian targets — demonstrating a meaningful shift in operational scope.

Target Profile

TA544's targeting is strongly geography-driven. Lures, geofencing, and payload selection are all tailored to target region, with Italy historically receiving the heaviest focus.

  • Italian financial sector: Web inject target lists from observed campaigns include login portals for UniCredit, ING, BNL, Banca Sella, and dozens of additional Italian banking and financial services sites. Ursnif's web injection and VNC-based credential theft capabilities are deployed specifically against this sector.
  • Italian IT, technology, and manufacturing: Ursnif affiliate 4779 targets IT, technology, and manufacturing verticals in Italy in moderate-volume campaigns. Italian-language lures impersonating courier services (BRT), energy companies, and the Italian Revenue Agency (Agenzia delle Entrate) are the primary delivery vehicles.
  • Italian retail and e-commerce: Web inject lists include eBay, PayPal, and major Italian retailers alongside financial institutions, indicating that credential theft extends beyond banking to commercial platform accounts.
  • Japan (secondary): Ursnif affiliate 1000 runs high-volume campaigns targeting Japan, using robust geofencing checks to verify victim location before delivering payload. These campaigns typically use a two-stage chain — URLZone downloads Ursnif — and employ the same steganographic delivery techniques used in Italian campaigns.
  • US, Canada, Europe (expanding): From late 2023 onward, TA544 has been observed targeting a broader international audience using AI-translated multilingual lures, SmartScreen vulnerability exploitation, SEO poisoning targeting GlobalProtect VPN users, and law firm invoice impersonation themes. Higher education and transportation are documented US targets.

Tactics, Techniques & Procedures

Documented TTPs based on Proofpoint research (2017–2023), BlueVoyant analysis (March 2024), IBM X-Force WailingCrab reporting (2023), and Unit 42 WikiLoader research (2024).

MITRE ID | Technique | Description
T1566.001 | Spear-phishing Attachment | High-volume phishing campaigns delivering malicious Microsoft Excel (VBA macro, Excel 4/XLM macro), OneNote, and PDF attachments. Italian-language macros impersonate couriers, energy companies, the tax authority, and law firms. TA544 continued using macro-enabled documents well after Microsoft began blocking macros by default, making this a persistent delivery vector.
T1566.002 | Spear-phishing Link | PDF attachments containing malicious URLs lead to ZIP archives containing JavaScript files that download and execute WikiLoader or other payloads. Accounting themes and fake legal invoices ("Invoice_[number]_from_[law firm name].pdf") are used as lure content.
T1027.003 | Steganography | TA544 embeds obfuscated PowerShell commands inside steganographic images of pop culture references, concealing the commands within Office document attachments. When the document macro is enabled, the hidden code extracts and executes PowerShell to download Ursnif or other payloads.
T1036 | Masquerading / Lure Impersonation | Campaigns impersonate Italian courier BRT, energy companies, the Agenzia delle Entrate (Italian Revenue Agency), and law firms. Recent expansion campaigns use AI-translated lures in multiple languages to impersonate legal services organizations with authentic-looking invoice filenames.
T1614 | System Location Discovery / Geofencing | Document macros generate and execute Excel 4/XLM macros written in Italian that check victim location via server-side IP filtering. If the victim falls outside the target geography, the malware C2 redirects to an adult website instead of delivering the payload — limiting live infrastructure exposure to intended targets only.
T1055 | Process Injection | WikiLoader (WailingCrab) uses a multi-stage architecture including a loader, injector, downloader, and backdoor. The injector component injects the subsequent stage into a legitimate process, a technique used to evade endpoint detection.
T1095 | Non-Application Layer Protocol (MQTT) | WikiLoader versions from mid-2023 onward use the MQTT IoT messaging protocol for C2 communications, routing through the legitimate public broker broker.emqx[.]io to conceal the true C2 server address. This protocol is rarely used by malware and significantly complicates network-based detection.
T1583.004 | Compromised Infrastructure (WordPress) | WikiLoader C2 infrastructure relies almost exclusively on compromised legitimate WordPress sites as relay nodes, making blocklisting difficult without blocking legitimate domains. This pattern is consistent across both TA544-attributed and rented WikiLoader campaigns.
T1056.004 | Web Inject Credential Interception | Ursnif (Gozi) deploys web injections — malicious code injected into the victim's browser — to intercept and steal credentials from targeted banking and retail sites, in addition to VNC-based session hijacking and proxy-based traffic redirection for real-time credential capture.
T1608.006 | SEO Poisoning | A 2024 WikiLoader campaign used SEO poisoning to deliver malware via Google ads that redirected victims searching for GlobalProtect VPN software to a spoofed download page, installing a trojanized installer that side-loaded the WikiLoader backdoor via a renamed legitimate executable.

Known Campaigns

Selected confirmed operations representing the evolution of TA544's capabilities and geographic reach from 2017 through 2024.

Panda Banker — Initial Italy Targeting (2017)

Proofpoint began tracking TA544 in February 2017 following the emergence of high-volume malicious email campaigns targeting Italian customers with Panda Banker malware. This marked the group's documented origin and established the Italy-focused financial targeting model that has defined TA544 activity ever since. Panda Banker is a Zeus-derived banking trojan designed to steal banking credentials and perform web injection attacks against financial institution portals.

Ursnif Surge — Italy Saturation Campaigns (2021)

Between January and August 2021, Proofpoint observed nearly 20 notable TA544 campaigns distributing hundreds of thousands of messages targeting Italian organizations — surpassing the total volume of equivalent campaigns across all of 2020. In 2021 alone, close to half a million malicious messages were associated with this activity. Campaigns impersonated Italian courier BRT and energy companies, using malicious Excel attachments with Italian-language macros and server-side geofencing that redirected non-Italian IPs to an adult website. Web inject lists targeted UniCredit, ING, BNL, Banca Sella, eBay, PayPal, and dozens of additional portals. As many as 2,000 organizations were targeted in individual campaigns.

WikiLoader Introduction — Italian Revenue Agency Lure (December 2022)

On December 27, 2022, Proofpoint observed the first WikiLoader campaign — a high-volume attack targeting Italian companies using Excel attachments that spoofed the Italian Revenue Agency (Agenzia delle Entrate). Malicious VBA macros, if enabled, downloaded and executed the new unidentified downloader that Proofpoint eventually named WikiLoader. The loader ultimately installed Ursnif as a follow-on payload. This campaign marked TA544's pivot toward developing and deploying a dedicated malware-as-a-service downloader infrastructure rather than delivering payloads directly.

WikiLoader Evolution — Courier Spoof, MQTT C2, Accounting Themes (February – July 2023)

Three major WikiLoader campaigns between February and July 2023 demonstrated rapid, active development of the downloader. The February 8 campaign spoofed an Italian courier service using updated WikiLoader with more complex structures, additional sandbox evasion stalling mechanisms, and encoded strings. The July 11 campaign introduced accounting themes and PDF-based delivery (URLs leading to zipped JavaScript files), and added MQTT-based C2 communications routing through legitimate broker infrastructure. By this point, WikiLoader had also been adopted by TA551, confirming its transition to a rented malware-as-a-service model.

NaurLegal — Law Firm Invoice Impersonation, International Expansion (March 2024)

On March 7, 2024, BlueVoyant observed a near-instantaneous phishing onslaught attributed to Narwhal Spider (TA544/Storm-0302), using PDF files disguised as legal firm invoices with the naming convention "Invoice_[number]_from_[law firm name].pdf." Unlike prior Italy-focused campaigns, the NaurLegal operation used AI-assisted translation to craft multilingual lures and targeted organizations in the United States, Canada, and broader Europe in sectors that routinely handle legal invoices and would not flag them as anomalous. Infrastructure was deployed, campaigns were sent, and infrastructure was shut down rapidly in what BlueVoyant described as a "smash and grab" model. WikiLoader was the initial access payload, with IcedID assessed as a likely follow-on payload based on VirusTotal submissions.

GlobalProtect VPN SEO Poisoning — WikiLoader via Fake Software (Summer 2024)

Unit 42 researchers identified a WikiLoader campaign in early summer 2024 using SEO poisoning as the initial access vector. Google advertisements redirected victims searching for Palo Alto Networks GlobalProtect VPN software to a spoofed download page. The malicious installer included a renamed legitimate TD Ameritrade trading application used to side-load a malicious DLL, ultimately executing shellcode that downloaded and launched WikiLoader. Anti-analysis checks detected virtualized environments and halted execution. Targets included US higher education and transportation sectors in addition to Italian organizations — the broadest geographic targeting documented for TA544 to that point.

Tools & Malware

TA544 has delivered more than six unique malware payloads across its operational history. Current active tools include WikiLoader and Ursnif.

  • Ursnif / Gozi (affiliate IDs 1000 and 4779): A banking trojan that steals credentials and banking data through web injections, VNC connections, and proxy-based interception. TA544 operates two affiliate IDs: 1000 targets Japan in high volume (URLZone drops Ursnif), while 4779 targets Italian technology, manufacturing, and IT sectors at moderate volume, sometimes using steganographic delivery. The Ursnif source code was leaked in an earlier version, enabling wide adoption by cybercriminals. Ursnif shares code with Dreambot, Papras, ISFB, and snifula.
  • WikiLoader / WailingCrab: A sophisticated multi-stage malware downloader developed by TA544 and first observed December 2022. Comprises loader, injector, downloader, and backdoor components. Checks Wikipedia for the string "The Free" to verify non-sandbox execution. Uses compromised WordPress sites as C2 relays. Later versions use MQTT over the public broker broker.emqx[.]io to hide the true C2 address. Actively rented to other cybercriminal actors including TA551. Available for rent selectively on underground marketplaces.
  • URLZone: A banking trojan used as a first-stage payload in TA544's Japan campaigns (Ursnif affiliate 1000). URLZone downloads Ursnif as a secondary payload, forming a two-stage delivery chain. Also used in Italian campaigns in combination with Ursnif.
  • Panda Banker / Zeus Panda: A Zeus-derived banking trojan used in TA544's earliest documented campaigns targeting Italian customers in 2017. The group's original signature malware, now largely superseded by Ursnif in current operations.
  • Danabot: A banking malware and infostealer observed in WikiLoader delivery chains. IBM X-Force noted that Hive0133/TA544-linked WikiLoader campaigns have delivered Danabot in addition to Ursnif/Gozi.
  • IcedID (likely): VirusTotal submissions associated with the March 2024 NaurLegal campaign suggest IcedID as a likely follow-on payload to WikiLoader delivery, though this has not been definitively confirmed.
  • Remcos RAT / SystemBC: Follow-on payloads observed in WikiLoader-delivered intrusions during 2024 SmartScreen exploitation campaigns, indicating TA544's WikiLoader infrastructure is used as a flexible delivery platform for multiple downstream payloads by different operators.

Indicators of Compromise

Select behavioral and infrastructure IOCs from Proofpoint, BlueVoyant, and IBM X-Force reporting. Specific IP and hash IOCs rotate frequently given high-volume campaign infrastructure — behavioral patterns are more durable.

Warning: TA544 operates high-volume, rapid-cycling campaigns. Specific file hashes and IP addresses rotate rapidly. Behavioral detection rules and pattern-based hunting are more operationally durable than hash or IP blocklists for this threat actor.

Behavioral indicators — TA544 / Narwhal Spider

Category | Indicator | Context
Network (WikiLoader) | HTTP GET to Wikipedia, checking the response body for the string "The Free" | WikiLoader sandbox/environment check (present in all documented WikiLoader versions)
Network (WikiLoader C2) | MQTT connections to broker.emqx[.]io (legitimate public IoT broker) | WikiLoader v2+ C2 channel; legitimate host used to conceal true C2 address
Network (WikiLoader C2) | Outbound connections to compromised WordPress sites | WikiLoader relay C2 infrastructure; used across all known WikiLoader versions
Process (WikiLoader) | wscript.exe spawning from Office applications or document directories | WikiLoader delivery via JavaScript files inside ZIP archives linked from PDF attachments
Lure pattern (Italy) | Italian-language phishing emails impersonating BRT courier, Agenzia delle Entrate, or energy companies; Excel/PDF attachments with VBA or XLM macros written in Italian |
Lure pattern (global) | PDF files named "Invoice_[number]_from_[law firm name].pdf" | NaurLegal campaign pattern; multilingual, AI-translated content
Behavior (geofencing) | Non-target IPs redirected to an adult website by the malware C2 | Server-side IP check; observable in sandbox analysis as an HTTP redirect to a non-malicious adult domain on geofencing failure
Behavior (steganography) | Pop culture reference images embedded in Office documents contain obfuscated PowerShell | Images appear legitimate visually but contain hidden malicious code activated by macro execution
Note: WikiLoader's Wikipedia check is a particularly reliable network-layer detection point — an Office application or script interpreter making a request to Wikipedia and reading its body content is anomalous in most enterprise environments, regardless of the specific payload version.

Mitigation & Defense

Recommended controls for organizations in TA544's target profile, with priority on the group's documented delivery vectors and evasion techniques.

  • Disable macros organization-wide by default: TA544 has continued using macro-enabled Office documents as a primary delivery vector even as Microsoft moved to block macros by default. Ensure macro execution is disabled for all users who do not have a verified business need, and enforce this via Group Policy. Pay specific attention to Excel 4.0/XLM macro execution — TA544 has used legacy XLM macros specifically because they are distinct from VBA and may not be blocked by all configurations.
  • Block wscript.exe and cscript.exe execution from document directories: WikiLoader PDF delivery chains rely on users clicking links that download ZIPs containing JavaScript files executed by wscript.exe. Application whitelisting or attack surface reduction rules that prevent script interpreters from running in user document directories will break this delivery chain.
  • Block embedded external files in OneNote documents: TA544 and TA551 have both delivered WikiLoader via OneNote documents with embedded executables hidden behind "OPEN" button elements. Enterprise deployment should block external file execution from OneNote documents.
  • Monitor for Wikipedia DNS queries from non-browser processes: WikiLoader checks Wikipedia as an environment validation step in every documented version. An alert on DNS queries to wikipedia.org or HTTP requests to wikipedia.org originating from non-browser processes — particularly Office applications, script interpreters, or recently launched executables — is a high-fidelity WikiLoader detection indicator.
  • Alert on MQTT traffic from unexpected hosts: WikiLoader v2+ uses MQTT over broker.emqx[.]io for C2. MQTT traffic from user workstations is anomalous in most enterprise environments. Detection rules that alert on MQTT protocol usage (TCP port 1883 or 8883) from hosts that are not IoT infrastructure should be implemented.
  • Block macro-enabled documents from the internet: Configure email gateway and web proxy to block inbound Office files with macros (.xlsm, .xlam, .docm) that originate from external sources. TA544's delivery chain depends entirely on recipient opening and enabling macros in externally received Office documents.
  • Train Italian-speaking staff to recognize impersonation lures: TA544's Italian campaigns specifically impersonate BRT, Agenzia delle Entrate, and energy companies — institutions that Italian employees regularly receive legitimate communications from. Language-specific phishing awareness that names these impersonated organizations is more effective than generic training.
  • Verify software downloads against official domains: The 2024 GlobalProtect SEO poisoning campaign specifically targeted users searching for legitimate VPN software. Enforce a policy of downloading software only from officially bookmarked or IT-provisioned sources, and block Google Ads in corporate environments where ad-delivered malware is a documented risk.
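The behavioral indicators listed earlier and the monitoring controls in this list can be turned into a small hunting script. The following is an added example, not code from this profile or from any vendor's product; it runs over constructed Sysmon-style events, and the browser/Office process names, the user document directories and the MQTT host allowlist are assumptions to adapt to your environment.

```python
import re

# Constructed sample telemetry (Sysmon-style fields); none of these values come from the profile.
SAMPLE_EVENTS = [
    {"type": "network", "host": "WKS-042", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_host": "en.wikipedia.org", "dest_port": 443},
    {"type": "network", "host": "WKS-042", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "en.wikipedia.org", "dest_port": 443},
    {"type": "network", "host": "WKS-042", "image": r"C:\Users\mario\AppData\Local\Temp\update.exe",
     "dest_host": "broker.emqx.io", "dest_port": 1883},
    {"type": "network", "host": "IOT-GW-01", "image": "/usr/bin/mosquitto",
     "dest_host": "10.0.5.20", "dest_port": 8883},
    {"type": "process", "host": "WKS-042", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\mario\Downloads\Invoice_48213\Invoice_48213.js"'},
    {"type": "process", "host": "WKS-042", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": r"cscript.exe C:\ProgramData\Vendor\slmgr.vbs /dlv"},
    {"type": "file", "host": "WKS-042", "filename": "Invoice_48213_from_Smith_Legal.pdf"},
    {"type": "file", "host": "WKS-042", "filename": "Q3_report.pdf"},
]

# Assumed environment knowledge: tune these lists for your own estate.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe", "outlook.exe"}
USER_DOC_DIRS = ("\\downloads\\", "\\documents\\", "\\desktop\\", "\\appdata\\local\\temp\\")
MQTT_PORTS = {1883, 8883}
MQTT_ALLOWED_HOSTS = {"IOT-GW-01"}  # hosts that legitimately speak MQTT (assumed allowlist)
LURE_NAME = re.compile(r"^Invoice_\d+_from_.+\.pdf$", re.IGNORECASE)  # NaurLegal naming convention


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the TA544 behavioral rules that fire for one event."""
    hits = []
    if ev["type"] == "network":
        image = basename(ev["image"])
        # Rule 1: any non-browser process reaching Wikipedia (WikiLoader environment check).
        if ev["dest_host"].lower().endswith("wikipedia.org") and image not in BROWSERS:
            hits.append("wikiloader_wikipedia_check")
        # Rule 2: MQTT ports from a host that is not IoT infrastructure.
        if ev["dest_port"] in MQTT_PORTS and ev["host"] not in MQTT_ALLOWED_HOSTS:
            hits.append("unexpected_mqtt")
        # Rule 3: the public broker WikiLoader v2+ hides its C2 behind.
        if ev["dest_host"].lower() == "broker.emqx.io":
            hits.append("wikiloader_c2_broker")
    elif ev["type"] == "process" and basename(ev["image"]) in SCRIPT_HOSTS:
        # Rule 4: script host launched from an Office app or running a script out of a user document dir.
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "").lower()
        if parent in OFFICE_APPS or any(d in cmd for d in USER_DOC_DIRS):
            hits.append("script_host_from_user_docs")
    elif ev["type"] == "file" and LURE_NAME.match(ev["filename"]):
        # Rule 5: file name matching the law-firm invoice lure pattern.
        hits.append("naurlegal_invoice_lure")
    return hits


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run every rule over the events and return (host, rule, evidence) findings."""
    findings = []
    for ev in events:
        evidence = ev.get("cmdline") or ev.get("filename") or f'{basename(ev["image"])} -> {ev["dest_host"]}:{ev["dest_port"]}'
        for rule in check_event(ev):
            findings.append((ev["host"], rule, evidence))
    return findings


if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {evidence}")
```

Note that the Wikipedia rule keys on the destination, not the "The Free" string: over HTTPS the response body is not visible to network sensors, so the anomalous process-to-destination pairing is what a defender can actually alert on.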

Frequently Asked Questions

What is TA544 / Narwhal Spider?

TA544 (also known as Narwhal Spider, Bamboo Spider, and Storm-0302) is a financially motivated cybercriminal group tracked by Proofpoint since February 2017. The group is best known for high-volume Ursnif (Gozi) banking trojan campaigns targeting Italian organizations and for developing WikiLoader — a sophisticated malware downloader rented to other threat actors as a service. The group's geographic specialization in Italy, combined with its capacity to run campaigns at hundreds of thousands of messages per day, makes it among the most prolific cybercriminal actors targeting European financial services.

What is WikiLoader?

WikiLoader (also tracked as WailingCrab by IBM X-Force) is a sophisticated multi-stage malware downloader developed by TA544 and first observed on December 27, 2022. It uses multiple evasion techniques including anti-sandbox checks (verifying the Wikipedia response contains "The Free" before proceeding), encoded strings, process injection, and — in later versions — MQTT-based C2 communications routing through the legitimate public broker broker.emqx[.]io to conceal the true command-and-control server. WikiLoader has been rented to other cybercriminal actors including TA551, and has been used to deliver Ursnif, Danabot, Remcos RAT, SystemBC, and IcedID as downstream payloads.

What is Ursnif (Gozi)?

Ursnif (also known as Gozi, Dreambot, ISFB, and Papras) is a banking trojan capable of stealing credentials and banking information through web injections, VNC connections, and proxy-based session interception. TA544 operates two Ursnif affiliate IDs: affiliate 1000 for high-volume Japan targeting (delivered via URLZone as a first stage) and affiliate 4779 for moderate-volume Italian IT, manufacturing, and technology targeting. Web inject lists associated with TA544's Ursnif deployments include dozens of Italian banking, financial services, and retail portals.

How does TA544 use geofencing?

TA544 uses server-side geofencing to verify that victims are in the intended target geography before delivering malware. Document macros generate and execute Italian-language Excel 4/XLM macro code that triggers a server-side IP address check. If the victim's IP falls outside the target region, the malware C2 redirects the connection to an adult website instead of delivering the payload — limiting live malware infrastructure exposure to intended targets only.

Has TA544 expanded beyond Italy?

Yes. Historically specialized in Italian targets, TA544 began expanding geographically toward the end of 2023 and into 2024. A March 2024 campaign (NaurLegal) targeted organizations in the United States, Canada, and broader Europe using AI-translated multilingual phishing lures disguised as legal firm invoices. A summer 2024 WikiLoader campaign delivered via SEO poisoning targeted US higher education and transportation sectors alongside Italian organizations. BlueVoyant analysts noted the group is "well within range of targeting the US, specifically" as of 2024.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile