Researchers at Proofpoint have identified the TA505 threat group targeting a range of industries in the past month after a hiatus. The group is known for evolving and adopting new Tactics, Techniques, and Procedures (TTPs), which makes it difficult to track. TA505 is behind some of the biggest spam campaigns, including those distributing the Dridex banking trojan. Proofpoint has also tracked the group distributing Locky and Jaff ransomware, the Trickbot banking trojan, and others “in very high volumes,” Proofpoint says.

The newest campaign includes new and updated tools: an updated KiXtart loader, the MirrorBlast loader that downloads Rebol script stagers, a retooled FlawedGrace RAT, and updated malicious Excel documents. The new wave of attacks started slowly in September 2021 and increased towards the end of the month. The attacks resemble what the group was doing in 2019 and 2020: email lures distribute malicious Excel documents that, once downloaded and opened with macros enabled, deliver the FlawedGrace RAT.

In October 2021 the group began using more specific lures to target certain industries. It has also expanded its target countries: the U.S. and Canada as before, with Germany and Austria now added. New to this campaign, TA505 uses more intermediary loaders before the final delivery of FlawedGrace; these serve the same purpose as the Get2 downloader that TA505 has used since 2019 to deliver its payloads.