It has been discovered that the cyberespionage threat actor TA410 acts as an umbrella group to the other three independent sub-groups. Meanwhile, these groups are boasts of their own tools and tactics to target their victims.

The three subgroups

A recent report by ESET revealed that TA410 consists of the LookingFrog, JollyFrog, and FlowingFrog groups that seem to be operating independently. 
  • These groups are believed to be sharing intelligence requirements and an access team that runs their spear-phishing campaigns, along with a team that deploys network infrastructure. 
  • Each subgroup uses different toolsets. JollyFrog uses off-the-shelf malware including QuasarRAT and Korplug.
  • LookingFrog uses X4, a barebones implant with remote control features, and LookBack.
  • FlowingFrog uses a downloader, Tendyron, that's spread via Royal Road RTF weaponizer, used to download FlowCloud, and a second backdoor based on Gh0stRAT (aka Farfli).
Additionally, TA410 is known to use spear-phishing and exploiting vulnerable internet-facing apps such as Microsoft Exchange, SQL Servers, and SharePoint for gaining initial access.


The cyberespionage threat actor is known for targeting critical infrastructure sectors in the Middle East, Africa, and the U.S. Further, it uses a RAT with information-stealing capabilities.
  • The observed victims include a manufacturing entity in Japan, a mining business in India, a charity in Israel, and unnamed victims in the education and military verticals.
  • Additionally, TA410 shares behavioral, tooling overlaps with APT10 and has a history of targeting U.S.-based organizations in the utility sector, along with diplomatic entities from the Middle East and Africa.


The TA410 umbrella is targeting high-profile entities, including governments and universities around the world. Thus, organizations are recommended to have a layered security defense that involves IPS/IDS solutions, email gateways, and proper training for employees on how to respond to such threats.

Cyware Publisher