https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
Learn More Zeigen Sie weiterhin Inhalte für Ihren Standort an United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen Blog Threat Insight TA444: The APT Startup Aimed at Acquisition (of Your Funds) TA444: THE APT STARTUP AIMED AT ACQUISITION (OF YOUR FUNDS) Share with your network! January 25, 2023 Greg Lesnewich and the Proofpoint Threat Research Team KEY TAKEAWAYS * TA444 is a North Korea state-sponsored threat actor that tested numerous infection methods in 2022 with varying degrees of success. * TA444 is a unicorn among state-aligned actors as its primary operations are financially motivated, and their infection chains are often a microcosm of the cybercrime threat landscape at large. * While TA444 has been active in its current form of targeting cryptocurrencies since at least 2017, the group has adopted an upstart mentality during the latter stages of 2022. OVERVIEW In the world of tech startups, luminaries and charlatans alike boast of the value of rapid iteration, testing products on the fly, and failing forward. TA444, a North Korea-sponsored advanced persistent threat group, has taken these mantras to heart. TA444, which overlaps with public activity called APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and COPERNICIUM, is likely tasked with generating revenue for the North Korean regime. That tasking has historically involved the targeting of banks to ultimately funnel cash to the Hermit Kingdom or handlers abroad. More recently, TA444 has turned its attention, much like the tech industry, to cryptocurrency. While we do not know if the group has ping pong tables or kegs of some overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar and to the grind. FAIL FAST WITH FILE TYPE VARIATIONS Back in its infant interest with blockchain and cryptocurrency, TA444 had two main avenues of initial access: an LNK-oriented delivery chain and a chain beginning with documents using remote templates. 
These campaigns were typically referred to as DangerousPassword, CryptoCore, or SnatchCrypto. In 2022, TA444 continued to use both methods, but had also tried its hand at other file types for initial access. Despite having not heavily relied on macros in previous campaigns, TA444 seemed to mirror the cybercrime landscape in the summer and fall, attempting to find additional file types to stuff its payloads into. It is unclear if the threat actor had a hackathon to generate these ideas, but we believe some of the (dramatized) conversations may have sounded like this: MSI Installer files? Let’s give it a shot but try a few varieties and see what sticks! Virtual Hard Drive? TA580 used it to drop Bumblebee, why don’t we have a VHD chain? ISOs to bypass MoTW? If the market wants it, let’s give it to them! Compiled HTML? What are we, TA406? Eh, give it a try anyway! We can experiment all we want but we must keep up with our CageyChameleon and Astraeus quotas to meet our OKRs! Equally as surprising as the variance in delivery methods is the lack of a consistent payload at the end of the delivery chains. When other financially-oriented threat actors test delivery methods, they tend to load their traditional payloads; this is not the case with TA444. This suggests that there is an embedded, or at least a devoted, malware development element alongside TA444 operators. WHAT’S OUR GO-TO-MARKET? To convince victims to click on malicious links, TA444 has a complete marketing strategy to increase its chances of new ARR (Annual Recurring Revenue). It all starts with crafting lure content that may be of interest or necessity to the target. These can include analyses of cryptocurrency blockchains, job opportunities at prestigious firms, or salary adjustments. Figure 1. Example TA444 email lure using salary adjustment themes. TA444 has abused email marketing tools like SendInBlue and SendGrid to engage with its target audience. 
These serve as redirectors to either cloud-hosted files or connect the victim directly to TA444 infrastructure. Additionally, the use of such links removes some stigma from the user of clicking on an unknown link, as marketing links will not necessarily get called out by phishing training. Like other entities in the tech and cryptocurrency space, someone in TA444’s organization oversees socials. This is a very strong component of TA444’s practice, as the threat actor has continued to use LinkedIn to engage with victims prior to delivering links to malware. Proofpoint has observed this group demonstrating workable understandings of English, Spanish, Polish, and Japanese. TEST IN PROD In early December 2022, Proofpoint researchers observed a significant deviation from normal TA444 operations via a relatively basic credential harvesting campaign. A TA444 C2 domain sent OneDrive phishing emails rife with typos to a wide variety of targets in the United States and Canada, spanning several verticals including education, government, and healthcare, in addition to financial verticals. The lure emails enticed users to click a SendGrid URL which redirected to a credential harvesting page. The deviation in TA444’s targeting and volume of messages made us thoroughly analyze the campaign to both understand the activity, but also challenged our assumptions about the group. This spam wave alone nearly doubled the total volume of TA444 email messages we had observed in our data during 2022, so we were concerned about false positive detection, as well as understanding a potential change in TA444 objectives. The from header used the term Admin and the target domain name, but all used the same envelope-from email address (admin[@]sharedrive[.]ink) and subject (Invoice spelled with a lowercase L). Figure 2. TA444 phishing email that deviated from expected themes and targeting. 
The SendGrid URLs redirect targets to the domain superiorexhbits[.]com, which uses common phishing tactics such as loading the victim's iconography via the logo-rendering service ClearBit. This sprawling credential harvesting activity is a deviation from normal TA444 campaigns, which typically involve the direct deployment of malware. In fact, this same domain was observed serving a TA444 VHD containing Cur1Agent on the same day.

Proofpoint attributed this campaign with moderate to moderately high confidence based on the exclusivity of TA444 infrastructure. Other domains hosted on that IP match previous TA444 typosquats. The emails also had valid DMARC and SPF records, indicating that the sender controls that domain. Proofpoint cannot rule out that the TA444 server was compromised by another actor to send the phishing links. It is also possible that TA444, like other North Korean actors such as Andariel, has begun its own moonlighting operations. If so, we would anticipate seeing tool and infrastructure reuse as well as continued deviation of targeting away from major cryptocurrency and financial institutions.

THE CULTURE IS THE FOUNDATION

While TA444 has experimented with new lines of production, its core malware families still account for the bulk of its infections. The CageyChameleon (aka CabbageRAT) family has expanded its functionality but still operates as a victim-profiling framework, exfiltrating running processes and host information while setting up the potential to launch subsequent tooling loaded from the command-and-control server. The lure LNKs used to initiate execution are still often titled Password.txt.lnk.

Figure 3. Decrypted CageyChameleon data exfiltration.

Similarly, TA444 has stayed the course with its infrastructure deployments and document content, effectively reusing lure iconography in second-stage macro-laden files and borrowing content directly from the entities it is spoofing.
First-stage remote template files have evolved: they not only download the second-stage macro (tracked by Proofpoint as Astraeus), but the first stage now also contains an obfuscated Cardinal backdoor, as noted by PwC and Kaspersky.

Figure 4. TA444 first-stage lure document themes.

Security researchers have observed TA444 deploying an impressive set of post-exploitation backdoors over its history, including msoRAT, Cardinal (default.rdp), the Rantankba suite, CHEESETRAY, and DYEPACK, as well as passive backdoors, virtualized listeners, and browser extensions to facilitate theft.

ATTRIBUTION

Proofpoint clusters TA444 activity based on malware lineage, behavioral heuristics and traits of first-stage tooling meant to fool targeted users, distinctive infrastructure usage, and targeting of financial entities, along with other factors. Historic TA444 operations, such as the 2016 Bangladesh Bank heist and the targeting of cryptocurrency entities, have been linked to the North Korean government by the United States. The United States Treasury Department levied sanctions against two coin mixing services, Tornado Cash and BlenderIO, for allowing TA444 operators to launder over $120 million of cryptocurrency stolen from intrusions into various bridge and exchange entities. The US Federal Bureau of Investigation attributed the heist of a major cryptocurrency bridge to APT38, a group which heavily overlaps with TA444; the funds were later mixed through BlenderIO. This attribution underlines how reliant TA444 is on the cryptocurrency ecosystem to steal funds, create an avenue to launder them, and cash out. Recent TA444 activity highlights how willing the adversary is to adapt its methods to continue profiting from its intrusions, and new services will likely aid it in these efforts, even if unintentionally.
CONCLUSION

While we may poke fun at its broad campaigns and ease of clustering, TA444 is an astute and capable adversary that is willing and able to defraud victims of hundreds of millions of dollars. TA444 and related clusters are assessed to have stolen nearly $400 million worth of cryptocurrency and related assets in 2021. In 2022, the group surpassed that value in a single heist worth over $500 million, gathering more than $1 billion during 2022. North Korea, like other cryptocurrency enthusiasts, has weathered the declining value of cryptocurrencies, but remains engaged in its efforts to use cryptocurrency as a vehicle to provide usable funds to the regime.

ET SIGNATURES