Tracking a P2P network related to TA505
ID: 523645db-385d-5319-83e9-3a3104093ac9
STIX ID: report--523645db-385d-5319-83e9-3a3104093ac9
Feed Name: Fox-IT blog
NCC Group details technical analysis linking P2P RAT binaries, a Necurs-style downloader and signed drivers to TA505 and the Grace (FlawedGrace) developer(s). The report describes installation and persistence behaviors, RC4/RC4-like decryption and XOR routines, driver-based process/service filtering and injection, the UDP peer-to-peer protocol and record file format used to exchange stolen data and updates, and provides IoCs (node IPs and SHA-1 hashes) with medium–high confidence attribution to TA505’s broader infostealer and ransomware operations.
