TA829 Hackers Employ New TTPs and Upgraded RomCom Backdoor to Evade Detection
The cybersecurity landscape faces a renewed threat as TA829, a sophisticated threat actor group, has emerged with enhanced tactics, techniques, and procedures (TTPs) alongside an upgraded version of the notorious RomCom backdoor.
This hybrid cybercriminal-espionage group has demonstrated remarkable adaptability, conducting both financially motivated attacks and state-aligned espionage operations, particularly following the invasion of Ukraine.
The actor’s unique positioning in the threat ecosystem represents a concerning evolution in modern cyber warfare, where traditional boundaries between cybercrime and espionage continue to blur.
TA829’s attack methodology centers on highly targeted phishing campaigns that leverage compromised MikroTik routers operating as REM Proxy services.
These compromised devices, typically hosting SSH services on port 51922, serve as upstream infrastructure for relaying malicious traffic through newly created accounts at freemail providers.
The group’s email campaigns feature plaintext messages with generic job-seeking or complaint themes, each containing unique links that route targets through elaborate redirection chains before delivering the malicious payload.
The group’s arsenal includes several sophisticated malware variants, with the upgraded RomCom backdoor now manifesting as SingleCamper and DustyHammock.
Proofpoint researchers identified these variants as part of TA829’s regularly updated suite of tools, noting their integration into a unified infection management system.
The malware demonstrates advanced evasion capabilities through registry-based operations and sophisticated anti-analysis techniques.
Following initial infection through phishing emails that spoof OneDrive or Google Drive interfaces, victims unknowingly download the SlipScreen loader, which serves as the first stage of the infection chain.
This loader, often signed with fraudulent certificates and disguised with PDF reader icons, implements multiple detection evasion mechanisms.
The malware performs critical registry checks to ensure the targeted system contains at least 55 recent documents, effectively avoiding sandbox environments that typically lack such user activity traces.
Advanced Registry-Based Persistence Mechanism
The most notable evolution in TA829’s upgraded RomCom backdoor lies in its sophisticated registry-based persistence mechanism.
The SlipScreen loader decrypts and executes shellcode directly within its memory space, initiating communications with command and control servers only after successful environmental validation.
Upon verification, the system downloads additional components including RustyClaw or MeltingClaw loaders, which establish persistence through COM hijacking techniques.
The persistence mechanism involves manipulating specific registry keys such as SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32, allowing the malware to survive system reboots by executing during explorer.exe restarts.
This technique effectively embeds the malware deep within the Windows operating system’s core processes, making detection and removal significantly more challenging for traditional security solutions.
The registry-based approach also enables the malware to store encrypted payloads across multiple registry locations, further complicating forensic analysis efforts.
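A defender can hunt for this kind of COM hijack offline by checking exported registry data for user-hive InprocServer32 entries that shadow a machine-wide CLSID registration or load a DLL from an untrusted path. The script below is an added example, not code from the article or from Proofpoint; it assumes the hijacked key lives under HKEY_CURRENT_USER (the usual location for a COM hijack that needs no elevation) and parses a constructed .reg export built around the CLSID named above.

```python
"""Flag user-hive COM hijack candidates in a .reg export (constructed sample)."""
import re

# Constructed sample export: a legitimate HKLM registration of the CLSID the
# article names, a user-hive override pointing at a DLL in a writable profile
# path, and a benign user-hive entry. Not captured from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"""

KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\SOFTWARE\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Directories a COM in-process server is normally loaded from (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_inprocservers(reg_text):
    """Return {(hive, clsid): default_value} for every InprocServer32 key."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            current = (m.group(1).upper(), m.group(2).lower())
            continue
        d = DEFAULT_RE.match(line.strip())
        if d and current:
            # .reg files escape backslashes as \\ ; unescape to a real path
            servers[current] = d.group(1).replace("\\\\", "\\")
    return servers


def find_hijack_candidates(reg_text):
    """HKCU entries that shadow an HKLM CLSID or load from an untrusted path."""
    servers = parse_inprocservers(reg_text)
    findings = []
    for (hive, clsid), path in servers.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        reasons = []
        if ("HKEY_LOCAL_MACHINE", clsid) in servers:
            reasons.append("shadows HKLM registration")
        if not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("server outside trusted path")
        if reasons:
            findings.append((clsid, path, reasons))
    return findings
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Classes\CLSID`, and any hit should be cross-checked against the DLL's signature and the process that loaded it.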