Date: 01/30/2026
Severity: Medium
Summary
TA584 stands out in the cybercrime landscape and illustrates the limits of static detection against a threat actor that changes its tooling quickly. It operates as a major initial access broker, targeting organizations worldwide. In the second half of 2025 the group significantly modified its attack chains: it adopted ClickFix social engineering, refined its geographic and language targeting, and deployed a new malware named Tsundere Bot. TA584 also shows overlap with the threat actor tracked as Storm-0900.
Indicators of Compromise (IOC) List
Domains\URLs:
http://94.159.113.37/ssd.png
IP Addresses:
94.159.113.37
85.236.25.119
80.64.19.148
85.208.84.208
178.16.52.242
94.159.113.64
Hashes (SHA-256):
bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99
441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL/domain match):
domainname like "http://94.159.113.37/ssd.png" or url like "http://94.159.113.37/ssd.png" or siteurl like "http://94.159.113.37/ssd.png"
Detection Query 2 (source or destination IP match):
dstipaddress IN ("94.159.113.37","80.64.19.148","85.236.25.119","178.16.52.242","85.208.84.208","94.159.113.64") or srcipaddress IN ("94.159.113.37","80.64.19.148","85.236.25.119","178.16.52.242","85.208.84.208","94.159.113.64")
Detection Query 3 (SHA-256 hash match):
sha256hash IN ("441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30","bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99")
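The three queries above are written for the Gurucul TDIR query language. The following Python script is an added example, not Gurucul's code or part of the advisory: it applies the same three checks (URL fields, source/destination IP fields, SHA-256 field) to key=value log lines so the logic can be tested offline. The field names mirror the query fields; the key=value log format and the sample records are assumptions constructed for the example, and the benign endpoints use private and documentation address ranges.

```python
"""Apply the advisory's three IOC checks to key=value log lines (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# IOC values copied from the advisory above.
IOC_URLS = {"http://94.159.113.37/ssd.png"}
IOC_IPS = {
    "94.159.113.37", "85.236.25.119", "80.64.19.148",
    "85.208.84.208", "178.16.52.242", "94.159.113.64",
}
IOC_SHA256 = {
    "bbedc389af45853493c95011d9857f47241a36f7f159305b097089866502ac99",
    "441c49b6338ba25519fc2cf1f5cb31ba51b0ab919c463671ab5c7f34c5ce2d30",
}

# Field names mirror the advisory's queries; the key=value log format is an assumption.
URL_FIELDS = ("domainname", "url", "siteurl")   # Detection Query 1
IP_FIELDS = ("srcipaddress", "dstipaddress")    # Detection Query 2
HASH_FIELDS = ("sha256hash",)                   # Detection Query 3

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values may contain spaces."""
    return {key.lower(): value.strip('"') for key, value in KV_RE.findall(line)}


def match_record(record: Dict[str, str]) -> List[str]:
    """Return 'queryN:field' tags for every advisory query this record satisfies."""
    hits: List[str] = []
    # Query 1: the advisory's 'like' pattern carries no wildcards, so it is an
    # exact match on the full URL after trimming and lowercasing.
    for field in URL_FIELDS:
        if record.get(field, "").strip().lower() in IOC_URLS:
            hits.append(f"query1:{field}")
    # Query 2: either endpoint of the connection is a listed address.
    for field in IP_FIELDS:
        if record.get(field, "").strip() in IOC_IPS:
            hits.append(f"query2:{field}")
    # Query 3: hashes are compared case-insensitively, because EDR products
    # differ in how they case hex digests.
    for field in HASH_FIELDS:
        if record.get(field, "").strip().lower() in IOC_SHA256:
            hits.append(f"query3:{field}")
    return hits


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, hits) for every line matching at least one query."""
    results: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        hits = match_record(parse_kv_line(line))
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (not real telemetry); 10.0.0.0/8 and
# 203.0.113.0/24 are private/documentation ranges used as benign endpoints.
SAMPLE_LOG = [
    'timestamp=2026-01-30T09:12:44Z srcipaddress=10.0.0.25 dstipaddress=94.159.113.37 '
    'url="http://94.159.113.37/ssd.png" action=allowed',
    'timestamp=2026-01-30T09:13:10Z srcipaddress=10.0.0.31 dstipaddress=203.0.113.10 '
    'url="https://example.com/" action=allowed',
    'timestamp=2026-01-30T09:20:05Z host=WS-0142 '
    'sha256hash=BBEDC389AF45853493C95011D9857F47241A36F7F159305B097089866502AC99 filename=update.exe',
    'timestamp=2026-01-30T09:25:51Z srcipaddress=178.16.52.242 dstipaddress=10.0.0.5 action=denied',
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Run against the constructed sample, lines 1, 3 and 4 fire (URL plus destination IP, upper-cased hash, and source IP respectively) while the benign line 2 does not. The hash comparison is lowercased deliberately: the IOC hashes are lowercase, and a case-sensitive `IN` on an upper-cased EDR digest would silently miss the third line.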
Reference:
https://www.proofpoint.com/us/blog/threat-insight/cant-stop-wont-stop-ta584-innovates-initial-access