
Threat actor TA547 uses suspected LLM-generated PowerShell script to target organisations – Proofpoint

April 2024 by Proofpoint, Inc.

Threat researchers at cybersecurity company Proofpoint today published new findings on threat actor TA547, who appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM) such as ChatGPT, Gemini, Copilot, or another.

Key findings from the research include:

• The campaign has been attributed to TA547, a financially motivated cybercriminal threat actor considered to be an initial access broker (IAB) that targets various geographic regions including organisations in Spain, Switzerland, Austria, and the U.S.
• Proofpoint researchers have observed changes in TA547’s tactics – it targeted German organisations with an email campaign delivering Rhadamanthys malware, a previously unobserved information stealer.
• Emails sent from the threat actor impersonated the German retail company Metro purporting to relate to invoices. The emails targeted dozens of organisations across various industries in Germany.
• The second PowerShell script used to load Rhadamanthys contained interesting characteristics not commonly observed in code used by threat actors or legitimate programmers, suggesting TA547 used some type of LLM-enabled tool to write or rewrite the PowerShell, or copied the script from another source that had used it.
