Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ TA577

🌐TA577

🌐 TA577 is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 6 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1037) ↗
14Use cases
0Articles
6Techniques
0IOCs

About this actor (MITRE)

[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.(Citation: Latrodectus APR 2024)

Known aliases

TA577

Top techniques

T1027.009 · Embedded PayloadsT1059.003 · Windows Command ShellT1059.007 · JavaScript

All other tracked techniques

T1204.001 · Malicious LinkT1566.002 · Spearphishing LinkT1586.002 · Email Accounts

Detection use cases (14)

TA577 NTLM hash theft via zipped .url + outbound SMB to attacker server (Feb-Mar 2024 campaign) AI · profile S TA577 Pikabot/Latrodectus delivery chain: JS host -> curl.exe -> msiexec/rundll32 with remote URL AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Click on URL whose host doesn't match the sender domain MITRE match Phishing-link click correlated to endpoint execution MITRE match