Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ TA2541

🌐TA2541

🌐 TA2541 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 28 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1018) ↗
14Use cases
0Articles
28Techniques
0IOCs

About this actor (MITRE)

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Known aliases

TA2541

Top techniques

T1016.001 · Internet Connection DiscoveryT1027.002 · Software PackingT1027.013 · Encrypted/Encoded File

All other tracked techniques

T1027.015 · CompressionT1036.005 · Match Legitimate Resource Name or LocationT1047 · Windows Management InstrumentationT1053.005 · Scheduled TaskT1055 · Process InjectionT1055.012 · Process HollowingT1059.001 · PowerShellT1059.005 · Visual BasicT1082 · System Information DiscoveryT1105 · Ingress Tool TransferT1204.001 · Malicious LinkT1204.002 · Malicious FileT1218.005 · MshtaT1518.001 · Security Software DiscoveryT1547.001 · Registry Run Keys / Startup FolderT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1568 · Dynamic ResolutionT1573.002 · Asymmetric CryptographyT1583.001 · DomainsT1583.006 · Web ServicesT1588.001 · MalwareT1588.002 · ToolT1608.001 · Upload MalwareT1685 · Disable or Modify Tools

Detection use cases (14)

TA2541 commodity RAT injection chain — wscript/mshta spawning .NET LOLBins (RegSvcs/MSBuild/AddInProcess) used for process hollowing AI · profile SΣ TA2541 dynamic-DNS C2 beacon from injected .NET LOLBin (DuckDNS / no-ip / DDNS.net egress) AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match Abnormal Security: malicious email opened MITRE match