TA2541
Overview
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.
Capabilities
- Custom malware/implant development — ATT&CK: 7 attributed custom malware families
TTPs — 28 techniques across 8 tactics
Resource Development
- T1583.001 Domains
- T1583.006 Web Services
- T1588.001 Malware
- T1588.002 Tool
- T1608.001 Upload Malware
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027.002 Software Packing
- T1027.013 Encrypted/Encoded File
- T1027.015 Compression
- T1036.005 Match Legitimate Resource Name or Location
- T1055 Process Injection
- T1055.012 Process Hollowing
- T1218.005 Mshta
Defense Impairment
- T1685 Disable or Modify Tools
Discovery
- T1016.001 Internet Connection Discovery
- T1082 System Information Discovery
- T1518.001 Security Software Discovery
Command and Control
- T1105 Ingress Tool Transfer
- T1568 Dynamic Resolution
- T1573.002 Asymmetric Cryptography
Tools & malware (9)
Snip3 · Revenge RAT · jRAT · WarzoneRAT · Imminent Monitor · AsyncRAT · NETWIRE · Agent Tesla · njRAT
Reporting (2)
- Charting TA2541's Flight — Larson, S. and Wise, J.
- Operation Layover: How we tracked an attack on the aviation industry to five years of compromise — Ventura, V.