Analysts found three sub-groups operating under the TA410 espionage gang


Recent research by cybersecurity analysts revealed that the TA410 threat group is an umbrella operation made up of three sub-groups. Although they operate under the same umbrella, the sub-groups differ in the tools and techniques they use against their victims.

The three sub-groups operating under TA410 are JollyFrog, FlowingFrog and LookingFrog. They work largely independently of one another, but all fall under TA410's control.

The sub-groups nonetheless appear to share intelligence requirements, an access team that runs spear-phishing campaigns, and a team that deploys network infrastructure. Each sub-group, however, uses its own distinct toolset in its attacks.

JollyFrog relies on off-the-shelf malware such as Korplug (also known as PlugX) and QuasarRAT. LookingFrog uses X4, a barebones implant with remote-control functionality, alongside a tool called LookBack.

FlowingFrog has the largest toolset of the three. Researchers highlighted its use of Tendyron, a downloader delivered through the Royal Road RTF weaponiser, together with FlowCloud and another backdoor based on Farfli (better known as Gh0st RAT).

TA410 remains an active threat, abusing several vulnerabilities to gain initial access.

TA410 is also known to obtain initial access through spear-phishing and by exploiting flaws in internet-facing applications such as Microsoft SQL Server, Microsoft Exchange and SharePoint.

This cluster of cyber-espionage groups is notorious for targeting critical infrastructure organisations in the United States, the Middle East and Africa, and it routinely deploys remote access trojans (RATs) with information-stealing (infostealer) capabilities.

Its victims include manufacturers, mining companies, charities, academic institutions and the military sector.

TA410 also shows behavioural and tooling similarities with the APT10 group, and it has a track record of compromising United States utility-sector firms and diplomatic organisations in Africa and the Middle East.

TA410 and its sub-groups target high-value entities such as governments and academic institutions worldwide. Experts recommend that organisations adopt a layered defence that includes intrusion detection and prevention (IDS/IPS) and secure email gateways, and that they train personnel to recognise and respond to spear-phishing and similar threats.
