Current Cyber Threats

Major Overlaps in Cybercrime and State-Sponsored Espionage

Summary:
TA829 is a financially motivated cybercriminal group that also conducts espionage aligned with Russian interests, using a mix of phishing campaigns, automation, and custom tooling based on the legacy RomCom backdoor to target victims. It typically sends plaintext phishing emails via freemail accounts or compromised MikroTik routers, using OneDrive or Google Drive lures with redirect chains to drop malware like SingleCamper and DustyHammock, both used for persistence, data theft, and further intrusions. These campaigns often leverage services from the criminal underground for obfuscation and infrastructure while maintaining the ability to develop and update custom loaders like SlipScreen, RustyClaw, and MeltingClaw, which perform sandbox checks and use registry-based persistence. TA829’s infection chains can involve COM hijacking and dynamic payload loading, with the malware using encrypted registry storage and custom hashing to evade detection and control subsequent stages of compromise.

Proofpoint identified a separate actor, “UNK_GreenSec,” operating during a lull in TA829’s campaigns, using highly similar phishing, redirect, and delivery tactics but deploying a different malware called TransferLoader. UNK_GreenSec campaigns often involve high-volume phishing emails themed around job applications and resume lures, with links or PDFs leading to OneDrive-spoofing landing pages and payloads hosted on IPFS, eventually dropping TransferLoader, which can lead to Metasploit use and Morpheus ransomware deployment. TransferLoader employs advanced evasion, including filename validation, XOR-encrypted strings, custom AES encryption, and dynamic API resolution, further complicating detection efforts. UNK_GreenSec also demonstrated more mature filtering and protection practices, including Cloudflare and server-side filtering, which TA829 later adopted.

Both actors heavily rely on compromised MikroTik routers as REM Proxy nodes, Rebrandly redirectors, and overlapping domain registration patterns, making differentiation challenging. However, differences exist: TA829 typically runs lower-volume, targeted campaigns, while UNK_GreenSec campaigns have broader, high-volume targeting across multiple industries, often leveraging resume-themed lures with varied filenames and extensive use of PDF attachments. TA829 uses malware like SlipScreen and SingleCamper for espionage and financially motivated campaigns, while UNK_GreenSec focuses on delivering TransferLoader, which in turn has led to ransomware infections.


Security Officer Comments:
Proofpoint’s analysis raises questions about potential relationships between the actors: they could be purchasing infrastructure from the same criminal suppliers, TA829 may have temporarily provided infrastructure to UNK_GreenSec, or UNK_GreenSec might be the infrastructure supplier conducting its own operations. Alternatively, UNK_GreenSec could be TA829 testing a new malware family under a different operational cluster. This blending of espionage and cybercriminal activity reflects a growing trend where state-aligned and financially motivated operations converge, complicating attribution and tracking. While definitive links remain unconfirmed, Proofpoint will continue monitoring these clusters due to the shared infrastructure, overlapping TTPs, and similarities in payload delivery methods observed across their campaigns.


Suggested Corrections:
  • Enable advanced phishing defenses and block suspicious resume/job emails with OneDrive/Google Drive lures.
  • Deploy EDR to detect registry tampering, COM hijacking, and suspicious loaders like SlipScreen and TransferLoader.
  • Monitor and block IPFS, Rebrandly, and cloud file-sharing traffic not explicitly required.
  • Harden MFA and disable legacy authentication to prevent account takeover.
  • Track and block C2 indicators tied to TA829 and UNK_GreenSec infrastructure in your threat feeds.
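As an added illustration of the detection advice above (not code from the Proofpoint report or from either actor's tooling), the following Python scores constructed mail and proxy events against the delivery chain the summary describes: freemail sender, resume/job lure, PDF attachment, Rebrandly redirect, OneDrive/Google Drive spoof page, and payload hosted on an IPFS gateway. The field names, freemail list, allowlisted cloud domains, and sample events are assumptions.

```python
import re
from urllib.parse import urlparse
# Assumed freemail providers and legitimate cloud-drive domains (illustrative allowlist).
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
LEGIT_DOMAINS = ("live.com", "microsoft.com", "google.com", "sharepoint.com", "1drv.ms")
CLOUD_BRANDS = ("onedrive", "drive.google", "sharepoint")
LURE_RE = re.compile(r"\b(resume|cv|job application|candidate)\b")

def is_legit_host(host):
    """True when host is one of the allowlisted cloud domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def spoofed_cloud_host(url):
    """True when a URL name-drops a cloud-drive brand but is not served from that brand's domain."""
    parsed = urlparse(url.lower())
    mentions = any(b in parsed.netloc or b in parsed.path for b in CLOUD_BRANDS)
    return mentions and not is_legit_host(parsed.netloc)

def score_event(ev):
    """Return (score, reasons): one point per trait of the described delivery chain."""
    reasons = []
    if ev.get("sender", "").rsplit("@", 1)[-1].lower() in FREEMAIL:
        reasons.append("freemail sender")
    attachment = ev.get("attachment", "")
    if LURE_RE.search((ev.get("subject", "") + " " + attachment).lower()):
        reasons.append("resume/job lure")
    if attachment.lower().endswith(".pdf"):
        reasons.append("pdf attachment")
    chain = [urlparse(u.lower()) for u in ev.get("redirect_chain", [])]
    if any(p.netloc.endswith("rebrand.ly") for p in chain):   # Rebrandly short-link domain (assumed)
        reasons.append("rebrandly redirector")
    if any(spoofed_cloud_host(p.geturl()) for p in chain):
        reasons.append("cloud-drive spoof page")
    if any("/ipfs/" in p.path for p in chain):               # payload fetched via an IPFS gateway
        reasons.append("ipfs-hosted payload")
    return len(reasons), reasons

def triage(events, threshold=3):
    """Return ids of events matching at least `threshold` traits; tune the threshold to local noise."""
    return [ev["id"] for ev in events if score_event(ev)[0] >= threshold]
# Constructed sample events; none of these hosts are real indicators.
SAMPLE_EVENTS = [
    {"id": "evt-1", "sender": "applicant@gmail.com", "subject": "Job application - Resume",
     "attachment": "resume_jdoe.pdf",
     "redirect_chain": ["https://rebrand.ly/x1", "https://onedrive-docs.example/view",
                        "https://gateway.example/ipfs/bafyexample/file.zip"]},
    {"id": "evt-2", "sender": "hr@corp.example", "subject": "Q3 budget",
     "attachment": "budget.xlsx", "redirect_chain": ["https://corp.sharepoint.com/sites/fin"]},
]
```

Run `triage(SAMPLE_EVENTS)` to see which constructed events cross the threshold; the per-trait reasons from `score_event` are what an analyst would pivot on when reviewing a hit.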

Link(s):
https://www.proofpoint.com/us/blog/...te-about-attribution-romcom-vs-transferloader