
TA575 Hackers Found Using Squid Game Baits to Drop Dridex Malware

Cybercrime group TA575 is distributing Dridex malware using the current rage, the Korean thriller drama Squid Game.


Threat actor TA575 is piggybacking on a popular Netflix web series, Squid Game, as bait to propagate the Dridex malware.

The threat group is sending out thousands of malicious emails to potential victims, enticing them with promises of a part in the next season, an early preview, and access to the show. The subject lines read:

  • Squid Game is back, watch new season before anyone else.
  • Invite for Customer to access the new season.
  • Squid game new season commercials casting preview
  • Squid game scheduled season commercials talent cast schedule

The Game Revealed

Proofpoint, a cybersecurity company, first spotted thousands of emails aimed at industries based in the U.S. The emails used convincing subject lines, such as “Squid Game is back, watch new season before anyone else” and “talent cast schedule”, among many others, to bait the victim. As a next step, the victim is asked to fill out an attached document, either to get early access to the show’s new season or, as a talent form, to become part of the background casting. The attachments are Excel documents with macros which, if enabled, download the Dridex banking trojan (affiliate ID “22203”) from Discord URLs.


The Dridex Trojan

Dridex is a banking trojan commonly distributed through emails containing malicious Excel documents. Researchers have associated Dridex operations with other malware toolkits such as Ursnif, Emotet, TrickBot, and DoppelPaymer ransomware. The motive here is data theft and the installation of follow-on malware such as ransomware.

Per Red Canary’s 2021 Threat Detection Report, Dridex is ranked #7 based on the number of customer organizations affected, at 5.8%.

The banking trojan shares both code similarities and overlapping infrastructure with Gameover Zeus. The operators of Dridex are referred to by various names, including TA505 and INDRIK SPIDER. “Dridex has consistently focused on getting into user mailboxes and ushering users into unwittingly executing malicious code on their endpoints,” the report states.

“While Dridex is a threat in and of itself, in 2020 we also observed multiple environments where Dridex led to the ransomware family DoppelPaymer—and we’ve observed the same pattern in early 2021. Similar to other “ransomware precursor” families in our top 10 such as TrickBot, Emotet, and Qbot, the threat of follow-on ransomware emphasizes the need for quick identification and remediation of Dridex in any environment,” the report adds.

The report suggests filtering emails at the mail gateway to mitigate the risk and stop the threat from spreading.
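The gateway filtering the report recommends could look like the sketch below, an added example that is not code from Proofpoint, Red Canary or this article: it matches the “Squid Game” wording of the subject lines quoted above and inspects Excel attachments for a VBA project. The verdict names, the `_sample` helper and the addresses are assumptions made for illustration, and the sample workbook is a constructed stub.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Keyword shared by the subject lines quoted in this article.
LURE = re.compile(r"squid\s*game", re.I)
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .xls: macros cannot be ruled out here

def has_vba(data: bytes) -> bool:
    """True if an OOXML workbook (.xlsx/.xlsm/.xlsb) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def verdict(raw: bytes) -> str:
    """Return 'quarantine', 'review' or 'deliver' (assumed policy) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    lure = bool(LURE.search(msg.get("Subject", "")))
    risky = False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Inspect the content, not the file name, which the sender controls.
        if has_vba(data) or data.startswith(OLE2_MAGIC):
            risky = True
    if risky:
        return "quarantine" if lure else "review"
    return "review" if lure else "deliver"

def _sample(subject: str, with_macro: bool) -> bytes:
    """Build a constructed test message; the workbook is a stub zip, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"constructed placeholder")
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("Please fill out the attached form.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="form.xlsm")
    return m.as_bytes()
```

The check only covers the delivery stage; it does not look at the Discord URLs the macros contact after being enabled.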

TA575’s Activity

The BlackBerry Research & Intelligence team has been tracking and monitoring Cobalt Strike team servers associated with the threat actor TA575, a financially motivated cybercrime group, and prolific Dridex affiliate. They are well-known for conducting mass spam campaigns that use malicious document lures to deliver malware such as Dridex, Qakbot, and WastedLocker.

Since February 2021, TA575 has deployed over 50 Cobalt Strike team servers. Per the intelligence team, the actor had gone undetected because it uses unique values in its configurations and so flies under the radar. Cobalt Blue is becoming more popular with TA575, both for deployment of payloads and subsequent lateral movement in networks.


It is no surprise that Squid Game is being used as a vehicle to deliver the trojan. The popularity of the series with all generations makes it convincing bait that will easily trap unsuspecting users. It is an attractive lure because it is the most-watched show with the highest viewership for 2021. A Forbes report states that Squid Game is the #1 show in Netflix Originals history in terms of household views, 142 million by last count. With viewership in the millions and growing, the potential target pool available to the threat group is much larger than any other available vulnerable group. The probability of an interaction with malicious content is higher than ever. Banking on the invitation to participate in the upcoming season, TA575 is taking its chance with both Red and Blue (the basic premise of participating in the game).