TA505

High Confidence • High Threat

Evil Corp • GOLD TAHOE • Hive0065 • Graceful Spider

TA505 is one of the most prolific financially motivated threat actors, active since at least 2014. The group is responsible for distributing massive volumes of malicious spam carrying banking trojans like Dridex and ransomware including Locky and Clop. TA505 operates as both a direct threat and an access broker, selling network access to other criminal groups. Their operations have affected thousands of organizations worldwide, causing billions of dollars in damages through ransomware, banking fraud, and data theft.

Origin: Russia
Sponsor: Cybercriminal (No State Sponsor)
Active: 2014 - Present
Victims: 10000+ organizations
Advanced
Active
Financial Gain
Risk Assessment

Composite Risk Score: 84 (High Risk)
ARCS Compliance: 88
Escalation Risk: 85
Grievance Index: 72
Infrastructure Impact: 90

History & Evolution

TA505 is one of the most prolific financially motivated threat actors, active since at least 2014. The group is responsible for distributing massive volumes of malicious spam carrying banking trojans like Dridex and ransomware including Locky and Clop. TA505 operates as both a direct threat and an access broker, selling network access to other criminal groups. Their operations have affected thousands of organizations worldwide, causing billions of dollars in damages through ransomware, banking fraud, and data theft.

Targeting

Target Sectors

Financial Services • Healthcare • Retail • Manufacturing • All Sectors

Target Regions

Global
Attribution & Affiliations

Attributed to a cybercriminal group of Russian origin with no state sponsor. Attribution confidence: High.

Intelligence Assessment

Threat Level: High
Targeting: Moderately
Adaptability: Moderately
Persistence: High
Op Tempo: Continuous
Status: Active

Future Outlook

TA505 is expected to continue operations targeting the Financial Services sector.

Timeline of Key Events

2014 (Major): First observed activity of TA505

2024 (Moderate): Continued active operations