Can’t stop, won’t stop: TA584 innovates initial access
www.proofpoint.com/us/blog/t…

Proofpoint reports sustained, high-volume activity from TA584, a prolific initial access broker targeting organizations globally. TA584 overlaps with a cluster Proofpoint tracks as Storm-0900.

In the second half of 2025, TA584 materially adjusted its attack chains, including:
• Adoption of ClickFix-style social engineering
• More consistent targeting by geography and language
• Delivery of a newer malware payload referred to as Tsundere Bot

Proofpoint notes TA584’s operational tempo increased across 2025, with monthly campaigns tripling from March to December 2025.

Active since at least November 2020, TA584 has used a range of delivery and filtering techniques to improve success rates and evade defences, including macro-enabled Excel lures, URL-based delivery with aggressive filtering, traffic distribution services (TDS), and geo-fenced landing pages.
Edward Kiledjian
@ekiledjian