TA584, an initial access broker long associated with enabling ransomware operations, markedly expanded its activity in 2025, tripling its monthly campaign volume between March and December, according to Proofpoint. The group also introduced a new malware strain named Tsundere Bot, signalling a move from off-the-shelf tools to bespoke tooling that complicates detection.
A key persistence trick embeds a null character in the name of a Run-key value. Tooling that handles registry names as null-terminated strings stops reading at that character, so the malicious entry is effectively invisible to basic enumeration while still firing at startup, where it launches a chain from mshta to VBScript and then to a hidden PowerShell process. Rather than storing the payload on disk, the PowerShell script fetches it from an external IP address at each startup, so the stage that matters never rests on the machine. The result is a modular and highly resilient infection that is difficult to disrupt with standard cleanup: wiping the downloaded stage achieves nothing, and the registry entry that re-fetches it is the one most tools cannot see.
According to Proofpoint, TA584’s activity is unique in the cybercrime landscape and suggests the actor is embedded in the Russian cybercriminal ecosystem. The report notes that defenders should monitor for subtle behavioural indicators, such as hidden PowerShell processes, rather than relying solely on static detections.
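The hunt below is an added example written for this article; it is not code from Proofpoint's report or from TA584's tooling. It covers both the registry trick and the behavioural indicator mentioned above: it enumerates the Run and RunOnce keys through RegEnumValueW, which reports the name length explicitly and therefore returns names that embed a null character intact, flags such names, flags value data that references mshta, VBScript or PowerShell, and separately lists running PowerShell processes whose parent is mshta, wscript or cscript or whose command line asks for a hidden window. It assumes Windows PowerShell 5.1 or later on Windows, that a 16K-character name buffer and 64 KB data buffer are enough, and that the three autorun paths, the keyword regex and the function names are the author's own choices rather than anything taken from the report.

```powershell
# Added example, not from the Proofpoint report or TA584 tooling.
# Assumes Windows PowerShell 5.1+; buffer sizes and key paths are the author's choices.

Add-Type -Namespace Hunt -Name Reg -MemberDefinition @'
// RegEnumValueW returns the name length explicitly, so a name containing a null
// character comes back whole. RegQueryValueExW, Regedit and "reg query" treat the
// name as a C string and stop at the null, which is what hides the value from them.
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegEnumValueW(IntPtr hKey, uint dwIndex,
    [In, Out] char[] lpValueName, ref uint lpcchValueName, IntPtr lpReserved,
    out uint lpType, [In, Out] byte[] lpData, ref uint lpcbData);
'@

# Autorun locations to sweep (author's selection, not an exhaustive list).
$AutorunPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Components of the mshta -> VBScript -> PowerShell chain (author's keyword choice).
$ChainPattern = '(?i)mshta|\.hta\b|wscript|cscript|\.vbs\b|powershell|pwsh'

function Get-RawRegistryValues([Microsoft.Win32.RegistryKey]$Key) {
    $hKey  = $Key.Handle.DangerousGetHandle()
    $index = 0
    while ($true) {
        $nameBuf = New-Object char[] 16384
        $nameLen = [uint32]$nameBuf.Length
        $data    = New-Object byte[] 65536
        $dataLen = [uint32]$data.Length
        $type    = [uint32]0
        $rc = [Hunt.Reg]::RegEnumValueW($hKey, $index, $nameBuf, [ref]$nameLen,
                                        [IntPtr]::Zero, [ref]$type, $data, [ref]$dataLen)
        if ($rc -eq 259) { break }                        # ERROR_NO_MORE_ITEMS
        if ($rc -ne 0)   { throw "RegEnumValueW failed on $($Key.Name) with code $rc" }
        $name = [string]::new($nameBuf, 0, [int]$nameLen)  # length-counted: nulls survive
        $text = if ($type -in 1, 2) {                     # REG_SZ / REG_EXPAND_SZ
            [Text.Encoding]::Unicode.GetString($data, 0, [int]$dataLen).TrimEnd([char]0)
        } else { "<REG type $type, $dataLen bytes>" }
        [pscustomobject]@{
            Key        = $Key.Name
            Name       = $name.Replace([string][char]0, '\0')   # render the null visibly
            HiddenName = $name.IndexOf([char]0) -ge 0
            Data       = $text
        }
        $index++
    }
}

function Find-HiddenAutoruns {
    $hives = [Microsoft.Win32.Registry]::CurrentUser, [Microsoft.Win32.Registry]::LocalMachine
    foreach ($hive in $hives) {
        foreach ($path in $AutorunPaths) {
            $key = $hive.OpenSubKey($path)            # read-only; absent on 32-bit for Wow6432Node
            if (-not $key) { continue }
            try {
                Get-RawRegistryValues $key |
                    Where-Object { $_.HiddenName -or $_.Data -match $ChainPattern }
            } finally { $key.Close() }
        }
    }
}

function Find-ScriptHostPowerShell {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -notmatch '^(powershell|pwsh)\.exe$') { continue }
        $parent         = $byPid[[int]$p.ParentProcessId]
        $hiddenWindow   = $p.CommandLine -match '(?i)-w\w*\s+h\w*'   # -w hidden, -WindowStyle Hidden
        $fromScriptHost = $parent -and $parent.Name -match '^(mshta|wscript|cscript)\.exe$'
        if ($hiddenWindow -or $fromScriptHost) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $p.CommandLine
            }
        }
    }
}

Find-HiddenAutoruns       | Format-Table -AutoSize
Find-ScriptHostPowerShell | Format-List
```

A value flagged with HiddenName cannot be read or deleted by name through RegQueryValueEx-based tools, because the name is cut at the first null; this is why the entry survives a routine cleanup. Remove it with tooling that works on the enumerated entry rather than a typed name (Sysinternals RegDelNull handles exactly this case), and treat a hit from Find-ScriptHostPowerShell on a host with no such value as a cue to look in other autorun locations, since the report describes the chain, not a single fixed key.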