TA505

Also known as: GOLD TAHOE, Hive0065, SectorJ04
Affiliation: Cybercriminal (Russian-speaking)
Motivation: Financial
Status: Active
Country: Russia
First Seen: 2014
Last Seen: 2025
Target Geographies: Global, North America, Europe, Asia

Executive Summary

TA505 is one of the most prolific financially motivated threat actors, operating one of the largest malicious spam (malspam) distribution networks. Active since at least 2014, the group has distributed a succession of banking trojans and ransomware families including Dridex, Locky, and Cl0p. TA505’s operations are characterized by massive email volume (millions of messages per campaign) and rapid adoption of new malware families and distribution techniques.

The group’s ecosystem overlaps with FIN11 and the Cl0p ransomware operation, sharing infrastructure and tooling. TA505 has demonstrated adaptability by evolving from high-volume banking trojan distribution to targeted ransomware and data theft operations.

Notable Campaigns

2016-2017 — Locky Ransomware Distribution

TA505 was the primary distributor of Locky ransomware, sending millions of malspam emails daily at the campaign’s peak. Locky was one of the most widespread ransomware families of its era.

2018-2020 — FlawedAmmyy and FlawedGrace Campaigns

The group deployed FlawedAmmyy RAT (a backdoored version of the Ammyy Admin remote access tool) and its successor FlawedGrace against financial institutions and retail organizations.

2020-2025 — Cl0p Ransomware Operations

TA505 operators are linked to Cl0p ransomware deployment and the exploitation of file transfer appliances (Accellion, GoAnywhere, MOVEit), representing the group’s evolution toward targeted, high-impact extortion.

Technical Capabilities

TA505 operates large-scale email distribution infrastructure capable of sending millions of malspam emails per campaign. The group uses malicious Office documents with VBA macros, HTML smuggling, and password-protected archives to bypass email security controls.

The group rapidly adopts new malware families and distribution techniques. Tools include banking trojans (Dridex), RATs (FlawedAmmyy, FlawedGrace, ServHelper), and ransomware (Locky, Cl0p). The TeslaGun management panel provides a centralized interface for managing ServHelper infections.

Attribution

TA505 is tracked as a persistent threat cluster by Proofpoint, MITRE ATT&CK, and multiple security vendors. The group’s relationship with FIN11 and Cl0p is well-documented through shared infrastructure and operational patterns. CISA advisory AA23-158A covers Cl0p/TA505 operations.

MITRE ATT&CK Profile

Initial Access: High-volume spearphishing attachments (T1566.001) and exploitation of file transfer platforms (T1190).

Execution: Macro-based execution (T1059.005), HTML smuggling, and PowerShell (T1059.001).

Impact: Ransomware deployment (T1486) and data theft for extortion.
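The three attachment lures named under Technical Capabilities (macro-enabled Office documents, HTML smuggling, password-protected archives) and the ATT&CK IDs in the profile above, turned into a small mail-gateway triage check. This is an added defender-side example, not code from the profile or from any vendor; the file names, sample bytes and the header-bit trick used to fake a password-protected archive are all constructed for the demonstration.

```python
import io
import re
import zipfile

LABELS = {  # lure traits the page attributes to TA505, with the ATT&CK IDs the page lists
    "macro_document": "T1566.001 / T1059.005 macro-enabled Office document",
    "html_smuggling": "T1566.001 HTML attachment decoding a payload in the browser",
    "encrypted_archive": "T1566.001 password-protected archive",
}
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")          # long base64 run
SMUGGLE_API = re.compile(rb"atob\s*\(|new\s+Blob\s*\(", re.I)  # client-side decode

def classify_attachment(name, data):
    """Return the ATT&CK-labelled lure traits found in one attachment; [] if none."""
    hits = []
    if data[:2] == b"PK":  # OOXML documents and plain archives are both zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
                if any(i.filename.lower().endswith("vbaproject.bin") for i in infos):
                    hits.append(LABELS["macro_document"])
                if any(i.flag_bits & 0x1 for i in infos):  # bit 0 = entry is encrypted
                    hits.append(LABELS["encrypted_archive"])
        except zipfile.BadZipFile:
            pass  # truncated or non-zip data: nothing to inspect here
    if name.lower().endswith((".htm", ".html")):
        if SMUGGLE_API.search(data) and B64_BLOB.search(data):
            hits.append(LABELS["html_smuggling"])
    return hits

def _zip_bytes(entries, encrypted=False):
    # Constructed sample archive; 'encrypted' sets the encryption flag bit in the
    # local and central headers so it looks password-protected without a real cipher.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + off] |= 1
    return bytes(raw)

SAMPLES = {  # constructed inputs, not real TA505 artifacts
    "invoice.docm": _zip_bytes({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "statement.html": b"<script>var b=atob('" + b"QUJD" * 80 + b"');new Blob([b])</script>",
    "report.zip": _zip_bytes({"report.exe": b"MZ"}, encrypted=True),
}
```

Each flagged trait is a triage signal for analyst review, not a verdict: a macro document is still common in legitimate mail, so the value is in routing these attachments to sandboxing or quarantine rather than blocking outright.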
