TA551

Medium Confidence • Medium Threat

Shathak • UNC2420 • Gold Cabin

TA551, also known as Shathak, is a financially motivated threat actor that operates as an initial access broker, distributing malware through malicious email campaigns. Active since at least 2016, the group uses thread-hijacking techniques and password-protected archives to evade detection. TA551 has distributed various malware families including IcedID, Ursnif, and Valak, often selling the resulting network access to ransomware operators.

Origin: Unknown
Sponsor: Cybercriminal (No State Sponsor)
Active: 2018 - Present
Victims: 5000+ organizations
Tags: Advanced • Active • Financial Gain

Risk Assessment

Composite Risk Score: 69 (Medium Risk)
ARCS Compliance: 70
Escalation Risk: 72
Grievance Index: 60
Infrastructure Impact: 75

History & Evolution

Targeting

Target Sectors

All Sectors

Target Regions

Global • United States • Europe

Attribution & Affiliations

Attributed to a cybercriminal group with no state sponsor; origin unknown. Attribution confidence: Medium.

Intelligence Assessment

Threat Level: Medium
Targeting: Moderately
Adaptability: Moderately
Persistence: Medium
Op Tempo: Continuous
Status: Active

Future Outlook

TA551 is expected to continue operations targeting all sectors.

Timeline of Key Events

2018 (Major): First observed activity of TA551

2024 (Moderate): Continued active operations