TA584 adopts Tsundere Bot and XWorm in expanded initial access campaign
TA584 is using Tsundere Bot and XWorm in phishing campaigns that tripled in late 2025. The chain uses geofenced URLs, redirect systems, CAPTCHA, and PowerShell in-memory loaders that complicate detection.

