Can’t Stop, Won’t Stop: TA584 Innovates Initial Access
🎙️ Selena Larson, Staff Threat Researcher, Proofpoint
📍 Presented at SANS CTI Summit 2026

TA584 is one of the most prominent cybercriminal threat actors tracked by Proofpoint threat researchers. In 2025, the actor demonstrated multiple attack chain changes including new, global targeting; ClickFix social engineering; and delivering new malware, Tsundere Bot.

TA584 is a prominent initial access broker (IAB) that targets organizations globally. Campaigns typically target hundreds of organizations with tens of thousands of messages and impersonate a variety of organizations including those in healthcare, government, business services, nonprofits, software, and financial services, among others. Proofpoint assesses with high confidence TA584 infections can lead to ransomware.

In this talk, we’ll dive into the history of this threat actor and cover the many notable changes demonstrated in 2025. We’ll discuss common lure themes, social engineering techniques, geographical expansion, and malware payloads. Viewers will come away with an understanding of how one major IAB operates, what cybercriminal techniques are popular on the landscape, and how to defend against them.


