Cybersecurity company Proofpoint warns that TA584, one of the most prominent cybercriminal threat actors tracked by researchers around the world, has tripled its malicious activity in one year while innovating its techniques as an initial access broker.

According to Proofpoint’s extensive research on the group, in 2025 alone TA584 increased the volume of its campaigns, segmented them globally to more consistently target specific geographies and languages, and adopted ClickFix social engineering. It also started distributing a new malware strain, Tsundere Bot, alongside established payloads such as XWorm.

High campaign turnover

Although TA584 has been tracked for several years, its previous campaigns followed relatively predictable patterns compared to the variety of techniques and sophisticated social engineering seen in the last year. Earlier activity tended to run for longer, reusing infrastructure, lures and delivery mechanisms. In contrast, the current activity is characterized by a high turnover of email-focused campaigns with short operational lifecycles, targeting Europe and North America and using decoys and localized branding to increase success.

Regarding the adoption of the ClickFix social engineering technique, TA584 depends on users falling for dialog boxes with fake error messages that prompt them to copy, paste and execute malicious PowerShell commands on their own computer. These commands in turn launch intermediate remote PowerShell scripts containing obfuscated code, which trigger the download of the malware.

Additionally, the cybercrime group has added to its campaigns by distributing Tsundere Bot, a malware-as-a-service backdoor that employs blockchain-based C2 discovery and supports subsequent ransomware activities. According to third-party reports, it is used by multiple different threat actors and is also distributed through remote monitoring and management tools following web injections, as well as through fake video game installers.

“TA584 shows how cybercriminals can deploy creativity and innovate quickly to attack people more effectively. Their unique campaigns make static detections and reliance on Indicators of Compromise (IoC) ineffective defenses,” explains Selena Larson, Senior Threat Intelligence Analyst at Proofpoint. “By understanding the behavior of groups like TA584, organizations can better anticipate a changing threat landscape. Attackers learn from each other, so it is possible that this group’s high-volume, highly personalized and constantly evolving activity will be adopted by others in the future.”

Data Scope

Cybercrime has seen dramatic changes in behaviour, focus and malware use over the past year, with many high-priority groups abandoning email as a threat vector. TA584, however, breaks this trend and has shown consistent patterns since 2020, although its recent activity indicates that the attackers are trying to infect a broader spectrum of targets.

Proofpoint considers it likely that TA584 will focus more on Europe and continue experimenting with different payloads, including remote access tools available for sale in criminal markets. Therefore, security experts recommend that organizations actively monitor TA584 techniques and implement preventative defensive measures, such as restricting the execution of PowerShell to users who do not need it for their job functions and blocking known hosts associated with these cybercriminals.

Defense recommendations made by Proofpoint

  • Restrict users from running PowerShell unless it is necessary for their job function.
  • Use application control policies (such as AppLocker or Windows Defender Application Control) to prevent tools like node.exe from running from non-standard, user-writable locations, such as “C:\Users\*\AppData\Local”.
  • Create detection rules for powershell(.)exe or cmd(.)exe that spawn a node(.)exe process, especially when node(.)exe is located in a user’s AppData or other non-standard locations.
  • Block or monitor Ethereum endpoints. The malware relies on a hashed list of public Ethereum RPC providers to obtain the address of its C2 server. Blocking (or monitoring) outbound traffic to these specific URLs in your network firewall or web proxy can prevent the malware from receiving its instructions.
  • Inspect WebSockets traffic. The malware uses WebSockets (ws:// or wss://) for C2 communication. Implement network monitoring to detect and inspect WebSockets connections to unknown or uncategorized domains.
  • Consider disabling Windows+R via Group Policy for users who do not need it for their job role.
  • Organizations should train users to recognize this activity and report anything suspicious to their security teams. The training is very specific, but it can be integrated into an existing user awareness program.
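The process-spawning detection rule recommended above, worked through as an added example that is not part of Proofpoint's report: it classifies constructed process-creation events (field names and sample paths are assumptions, not real telemetry) by whether powershell.exe or cmd.exe spawns node.exe and whether node.exe runs from a user's AppData directory, so a defender can see which combinations deserve the highest priority.

```python
import re

# Constructed sample process-creation events (hypothetical; not from the report).
# Each record mimics a generic EDR/Sysmon "process create" event.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\node.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\nodejs\node.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Roaming\npm\node.exe"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\ipconfig.exe"},
]

# Shell parents named in the recommendation.
SHELL_PARENTS = {"powershell.exe", "cmd.exe"}

# User-writable, non-standard location for node.exe (C:\Users\<user>\AppData\...).
USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for a single process-creation event."""
    if basename(event["image"]) != "node.exe":
        return None
    from_shell = basename(event["parent"]) in SHELL_PARENTS
    in_appdata = bool(USER_APPDATA.match(event["image"]))
    if from_shell and in_appdata:
        return "high"    # the exact pattern in the recommendation
    if from_shell or in_appdata:
        return "medium"  # one condition only; may be legitimate (e.g. npm tooling)
    return None


def scan(events):
    """Return (severity, image path) for every event that matches the rule."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((severity, event["image"]))
    return hits
```

The "medium" tier exists because developer tooling legitimately places node.exe under AppData\Roaming\npm, so that condition alone should trigger review rather than an automatic block.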