Trojan malware targeting defence, aerospace sectors

A cyber criminal group is seeking to compromise the defence and aerospace industries through the use of Trojan malware, new research has revealed.

Reporter
Wed, 16 Feb 2022

Researchers from cyber security company Proofpoint have identified a persistent cyber crime threat actor targeting aviation, aerospace, transportation, manufacturing, and defence industries.

The malicious actor, dubbed TA2541, is known to deploy remote access Trojans (RATs), including AsyncRAT and vjw0rm, which can be used to remotely control compromised infrastructure.

According to Proofpoint, which has tracked TA2541 since 2017, the actor has used consistent tactics, techniques and procedures (TTPs).


Proofpoint has urged entities, particularly those operating in at-risk industries, to learn the TTPs to hunt and detect the threat.

TA2541 has used lure themes relating to aviation, transportation and travel.

When Proofpoint first commenced tracking TA2541, the group was sending macro-laden Microsoft Word attachments that downloaded the RAT payload.

However, TA2541 has since pivoted, and now frequently sends messages with links to cloud services such as Google Drive hosting the payload.

TA2541 was categorised as a cyber criminal threat actor on the basis of its use of specific commodity malware, broad targeting with high-volume messages, and command and control infrastructure.

This is the first time Proofpoint has shared comprehensive details linking public and private data under one threat activity cluster.

“TA2541 remains a consistent, active cyber crime threat, especially to entities in its most frequently targeted sectors,” Proofpoint noted in a threat report.

“Proofpoint assesses with high confidence this threat actor will continue using the same TTPs observed in historic activity with minimal change to its lure themes, delivery, and installation.

“It is likely TA2541 will continue using AsyncRAT and vjw0rm in future campaigns and will likely use other commodity malware to support its objectives.”
