TA551, Shathak
Description
(Palo Alto) TA551 (also known as Shathak) is an email-based malware distribution campaign that often targets English-speaking victims. The campaign discussed in this blog has targeted German, Italian and Japanese speakers. TA551 has historically pushed different families of information-stealing malware like Ursnif and Valak. Since mid-July 2020, this campaign has exclusively pushed IcedID malware, another information stealer.
Names
| Name | Name-Giver |
|---|---|
| TA551 | Proofpoint |
| Gold Cabin | SecureWorks |
| Shathak | ? |
| Monster Libra | Palo Alto |
| G0127 | MITRE |
Country
Motivation
- Financial gain
First Seen
2016
Tools
Operations
- 2021-10: TA551 Uses ‘SLIVER’ Red Team Tool in New Activity https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity
- 2021-01: From IcedID to Domain Compromise https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise
Information
- https://unit42.paloaltonetworks.com/ta551-shathak-icedid/
- https://unit42.paloaltonetworks.com/valak-evolution/
- https://github.com/pan-unit42/iocs/tree/master/TA551
Mitre Attack
Playbook
Other Information
Uuid
269da320-1b20-4721-9bd6-17e0a355fe7d
Last Card Change
2025-08-16