TA829 Hackers Use New TTPs and Enhanced RomCom Backdoor to Evade Detection

The cybercriminal group TA829, also tracked under aliases like RomCom, Void Rabisu, and Tropical Scorpius, has been observed deploying sophisticated tactics, techniques, and procedures (TTPs) alongside an updated version of its infamous RomCom backdoor, now dubbed SingleCamper (aka SnipBot).

This group, known for blending financially motivated cybercrime with espionage campaigns often aligned with Russian state interests, has shown a marked evolution in its operations throughout 2024 and into 2025.

Their latest activities, resuming with increased frequency in February 2025 after a brief lull, reveal a strategic use of automated processes and infrastructure sourced from the criminal underground to evade detection.

Evolving Tactics in Cybercrime and Espionage

TA829’s phishing campaigns, characterized by plaintext emails sent via compromised MikroTik routers and freemail providers, spoof OneDrive or Google Drive links to initiate infection chains, leveraging Rebrandly redirectors to guide victims to deceptive landing pages.

A parallel discovery during TA829 tracking uncovered a strikingly similar campaign attributed to a separate cluster, UNK_GreenSec, which deploys a novel loader and backdoor named TransferLoader, often culminating in Morpheus ransomware infections.

Illustration highlighting delivery and installation for UNK_GreenSec and TA829.

Both groups exhibit overlapping TTPs, including the use of REM Proxy services on compromised routers for email delivery, similar lure themes around job applications, and intricate redirection chains to filter out researchers and sandboxes.

However, distinctions in targeting volume, payload delivery, and infrastructure maturity, such as UNK_GreenSec’s use of Cloudflare for enhanced filtering, suggest either genuine differences between the two clusters or a shared service provider.

Overlaps with UNK_GreenSec

TA829’s infection chain, featuring loaders like SlipScreen and RustyClaw, heavily utilizes Windows Registry for persistence and sandbox evasion, delivering either DustyHammock for lightweight backdoor operations or SingleCamper for more complex espionage tasks.

These tools, updated regularly with new crypters and written in languages like Rust and C++, demonstrate TA829’s commitment to staying ahead of static detection mechanisms.

RomCom Backdoor
Email lure used by TA829 in February 2025. 

Meanwhile, their adoption of zero-day exploits in espionage campaigns hints at possible state guidance or resource co-optation.

According to the report, Proofpoint’s analysis raises intriguing hypotheses about the relationship between TA829 and UNK_GreenSec, ranging from shared infrastructure providers to the possibility of TransferLoader being a testbed for TA829’s arsenal.

The convergence of cybercrime and espionage in their operations blurs traditional attribution lines, reflecting a broader trend in the threat landscape where criminal and state-sponsored motives increasingly intersect.

As TA829’s targets expanded in 2025 to include defense sectors alongside typical cybercrime victims, their use of ShadyHammock and enhanced SingleCamper variants with encrypted payloads and host-specific keys underscores a dual-purpose strategy for data theft and ransomware deployment.

This evolving threat demands continuous monitoring, as Proofpoint continues to track both clusters for further insights into their interconnected ecosystem and potential direct links.

Indicators of Compromise (IOCs)

| Indicator Type | Example Indicator | Context | First Seen |
| --- | --- | --- | --- |
| Domain (TA829) | 1drv[.]site | First stage domain | October 2024 |
| Domain (TA829) | drivedefend[.]com | DustyHammock C2 | February 2025 |
| Domain (UNK_GreenSec) | 1drive[.]bio | First stage domain | February 2025 |
| SHA256 (TA829) | 54a94c7ec259104478b40fd0e6325d1f5364351e6ce1adfd79369d6438ed6ed9 | SingleCamper | N/A |
| SHA256 (UNK_GreenSec) | 00385cae3630694eb70e2b82d5baa6130c503126c17db3fc63376c7d28c04145 | TransferLoader | February 2025 |
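The lures described above imitate OneDrive and Google Drive, and the IOC table gives the first-stage and C2 domains in defanged form. The following added example (not part of the original article or of Proofpoint's tooling) refangs those domains and scans constructed proxy-log lines for direct IOC hits and for hosts that carry a OneDrive/Google Drive brand token without belonging to the legitimate services; the log lines and the brand-token list are assumptions.

```python
"""Scan proxy-log URLs for TA829 / UNK_GreenSec IOC domains and cloud-storage lookalikes."""
import re
from urllib.parse import urlparse

# Defanged domains copied from the article's IOC table.
DEFANGED_IOCS = {
    "1drv[.]site": "TA829 first stage",
    "drivedefend[.]com": "TA829 DustyHammock C2",
    "1drive[.]bio": "UNK_GreenSec first stage",
}
# Legitimate hosts the lures imitate (assumed allow-list).
LEGIT_HOSTS = {"1drv.ms", "onedrive.live.com", "drive.google.com"}
# Brand fragments that should only appear under the legitimate hosts (assumed).
BRAND_TOKENS = ("1drv", "1drive", "onedrive", "googledrive", "drive-google")
URL_RE = re.compile(r"https?://\S+")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1drv[.]site back into 1drv.site."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d): ctx for d, ctx in DEFANGED_IOCS.items()}


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_url(url: str):
    """Return (verdict, detail): 'ioc' on a known domain, 'lookalike' on a
    brand-token host outside the allow-list, otherwise 'clean'."""
    host = (urlparse(url).hostname or "").lower()
    for dom, ctx in IOC_DOMAINS.items():
        if _under(host, dom):
            return "ioc", ctx
    legit = any(_under(host, h) for h in LEGIT_HOSTS)
    if not legit and any(tok in host for tok in BRAND_TOKENS):
        return "lookalike", host
    return "clean", host


def scan_log(lines):
    """Return [(line_no, verdict, detail)] for every non-clean URL in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            verdict, detail = classify_url(url)
            if verdict != "clean":
                hits.append((n, verdict, detail))
    return hits


# Constructed sample proxy-log lines (not real traffic).
SAMPLE_LOG = [
    "2025-02-11T09:14:02Z user1 GET https://1drv.ms/x/s!abc123 200",
    "2025-02-11T09:15:40Z user2 GET https://cdn.1drv.site/Resume_2025.pdf 302",
    "2025-02-11T09:16:07Z user3 GET https://onedrive-share.example/open 200",
    "2025-02-11T09:17:55Z user4 POST https://drivedefend.com/api/beacon 200",
    "2025-02-11T09:18:30Z user5 GET https://drive.google.com/file/d/xyz 200",
]

if __name__ == "__main__":
    for n, verdict, detail in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict} ({detail})")
```

Subdomains of an IOC domain are matched as well, so a first-stage host such as cdn.1drv.site is flagged even though only the registered domain appears in the table.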
