TA829 and UNK_GreenSec Collaborate on Malware Tactics and Infrastructure

Analyzing the Connection Between Cyber Threat Actors: TA829 and UNK_GreenSec

Security researchers have documented tactical overlaps between the threat group behind RomCom RAT and the operators of a loader tracked as TransferLoader. The overlap matters because shared delivery infrastructure blurs the boundary between the two groups' campaigns and complicates attribution.

Identifying the Groups

Enterprise security firm Proofpoint has been monitoring activity associated with TransferLoader, tying it to a group known as UNK_GreenSec. On the other hand, the actors behind RomCom RAT fall under the moniker TA829, which is also associated with various aliases, including CIGAR, Nebulous Mantis, and Tropical Scorpius.

Proofpoint's investigation into TA829's activities surfaced UNK_GreenSec, and comparison of the two revealed a strikingly high degree of overlap in infrastructure, delivery tactics, landing pages, and email lure themes. These overlaps suggest that both groups rely on the same delivery methods, and possibly the same infrastructure, to run their campaigns.

Understanding TA829’s Methodology

TA829 is unusual in that it conducts both espionage and financially motivated attacks. Assessed to be aligned with Russian interests, TA829 has been linked to incidents involving zero-day exploits for vulnerabilities in well-known platforms, including Mozilla Firefox and Microsoft Windows. Its campaigns deliver RomCom RAT to a wide range of targets worldwide.

Recent findings from PRODAFT highlight TA829's use of bulletproof hosting services, living-off-the-land (LOTL) tactics, and encrypted command-and-control (C2) communications designed to evade detection.

TransferLoader: A New Player in Cybercrime

TransferLoader was first documented by Zscaler ThreatLabz in connection with a February 2025 campaign that delivered Morpheus ransomware to an unnamed American law firm. That case already showed a newly observed loader being pushed through established delivery channels.

Both TA829 and UNK_GreenSec are reported to rely on REM Proxy services, which are built on compromised MikroTik routers. How those routers were initially compromised is not known, but both groups use the proxy network to obscure the origin of their activity.

Email Phishing Techniques

The tactics employed by both groups extend to email phishing, using disguised messages to lure victims. Analysis showed similar formatting patterns in the sender addresses, indicating the likely use of an email builder utility that mass-generates phishing messages and sends them through the REM Proxy network.

These emails typically contain links embedded either directly in the message body or within PDF attachments. When clicked, the links pass the victim through a series of redirects via Rebrandly to pages impersonating Google Drive or Microsoft OneDrive.

Dissecting the Attack Chains

At this point the attack chains diverge. For UNK_GreenSec, the redirect infrastructure leads to TransferLoader, while TA829 sends victims to a malware strain known as SlipScreen. Proofpoint also notes that both groups use SSH tunneling through PuTTY's PLINK utility and rely on IPFS services in their later stages.
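The PLINK tunneling noted above is something a defender can look for in process-creation telemetry. The following Python triage is an added example, not Proofpoint's or the page's own detection logic: it scans constructed Sysmon-style events (Image plus CommandLine; every path, user and address is made up, with IPs from documentation ranges) and flags PLINK sessions whose options set up port forwarding (-L, -R, -D), including a renamed binary that is recognisable only by PuTTY-specific options such as -pw, -hostkey and -batch. The option names are PLINK's real ones; the event shape and severity scheme are assumptions for the example.

```python
import shlex

# Constructed process-creation events in a Sysmon-like shape (Image + CommandLine).
# Hosts, users and IPs are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Tools\plink.exe",
        "CommandLine": "plink.exe -ssh -P 22 -l svc -pw ******** -N -R 3389:127.0.0.1:3389 203.0.113.10",
    },
    {
        # Renamed binary: the image name gives nothing away, the option set does.
        "Image": r"C:\Windows\Temp\svchost32.exe",
        "CommandLine": "svchost32.exe -batch -hostkey aa:bb:cc -N -L 8080:localhost:80 198.51.100.7",
    },
    {
        "Image": r"C:\Program Files\PuTTY\plink.exe",
        "CommandLine": 'plink.exe -ssh admin@jumpbox.corp.example "uptime"',
    },
    {
        "Image": r"C:\Windows\System32\ping.exe",
        "CommandLine": "ping -n 4 10.0.0.1",
    },
]

# Port-forwarding options: -L local, -R remote (reverse), -D dynamic (SOCKS).
TUNNEL_FLAGS = {"-L", "-R", "-D"}
# Options specific to PuTTY/PLINK and rarely seen on other SSH clients.
PLINK_FINGERPRINT = {"-pw", "-hostkey", "-batch", "-noagent", "-ssh"}


def analyze_event(event: dict) -> dict:
    """Classify one process-creation event; returns severity and indicator tags."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    # posix=False keeps Windows-style quoting intact; splitting is on whitespace only.
    tokens = shlex.split(event["CommandLine"], posix=False)
    flags = {t for t in tokens if t.startswith("-")}
    named_plink = image == "plink.exe"
    fingerprint = flags & PLINK_FINGERPRINT
    looks_like_plink = named_plink or bool(fingerprint)
    tunnel = flags & TUNNEL_FLAGS

    tags = []
    if named_plink:
        tags.append("plink_image")
    elif fingerprint:
        tags.append("renamed_plink_suspected")
    if looks_like_plink and tunnel:
        tags.append("ssh_tunnel")
        if "-R" in tunnel:
            tags.append("reverse_tunnel")  # exposes a local port to the remote side
        if "-D" in tunnel:
            tags.append("socks_proxy")
    if looks_like_plink and "-N" in flags:
        tags.append("no_shell")  # -N: no remote command, the session exists only to forward ports

    if "ssh_tunnel" in tags:
        severity = "high"
    elif tags:
        severity = "medium"
    else:
        severity = "none"
    return {"image": image, "severity": severity, "tags": tags, "flags": sorted(flags)}


def scan(events=SAMPLE_EVENTS) -> list:
    """Run the classifier over a list of events."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for r in scan():
        print(f"{r['severity']:6} {r['image']:15} {' '.join(r['tags'])}")
```

In practice the fingerprint set is what catches the renamed copy; an image-name rule alone would miss the second event entirely, so the rule keys on the option combination rather than the file name.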

SlipScreen functions as a first-stage loader, designed to decrypt and execute shellcode directly in memory after ensuring the targeted machine meets certain criteria. It then delivers follow-on payloads like MeltingClaw or RustyClaw, which can subsequently deploy various backdoors, including ShadyHammock or DustyHammock.

Code built into DustyHammock enables reconnaissance capabilities on infected systems, demonstrating a sophisticated level of operational planning.

The Nature of TransferLoader Campaigns

TransferLoader campaigns typically arrive as messages that masquerade as job opportunities, enticing victims to click a link that purports to lead to a PDF resume. In reality, the link delivers TransferLoader from an IPFS share.

TransferLoader is built for stealth, its purpose being to maximize the chance of deploying additional payloads such as Metasploit and the rebranded Morpheus ransomware.
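Two delivery traits described on this page, the Rebrandly short links leading to cloud-storage lookalike pages in the Email Phishing Techniques section and the resume-themed links that fetch TransferLoader from IPFS shares here, can both be triaged lexically at the mail gateway. The following Python code is an added example, not Proofpoint's or the page's own tooling: it extracts links from a handful of constructed messages (every sender, domain, link and CID-shaped path is made up) and flags messages that pair lure wording with a shortener, an IPFS gateway path, or a cloud-storage lookalike host. rebrand.ly is Rebrandly's real default short-link domain; the keyword lists and scoring are assumptions for the example, and no network lookups are made.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the lure themes described above.
# Every address, domain and link here is made up for the example.
SAMPLE_MESSAGES = [
    {
        "sender": "hr.recruiting@mail-example.test",
        "subject": "Application for Senior Analyst position",
        "body": "Please find my resume here: https://rebrand.ly/cv-resume-0423 Thank you.",
    },
    {
        "sender": "alerts@notify.example",
        "subject": "Shared document",
        "body": "A file was shared with you: https://onedrive-share.example-cdn.test/open?id=19 Regards",
    },
    {
        "sender": "colleague@corp.example",
        "subject": "Q3 report",
        "body": "The report is at https://docs.google.com/document/d/abc123/edit",
    },
    {
        "sender": "noreply@ipfs-host.test",
        "subject": "Your resume PDF",
        # A made-up CIDv1-shaped path segment (59 base32-alphabet characters after /ipfs/).
        "body": "Download: https://gateway.example.test/ipfs/bafy" + "x" * 55 + "/resume.pdf",
    },
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# rebrand.ly is Rebrandly's default short-link domain; add other shorteners as needed.
SHORTENERS = ("rebrand.ly",)
CLOUD_KEYWORDS = ("drive", "onedrive", "sharepoint")
LEGIT_CLOUD_DOMAINS = ("google.com", "live.com", "microsoft.com", "sharepoint.com", "onedrive.com")
# CIDv0 (Qm + 44 base58 chars) or CIDv1 base32 (baf + at least 56 chars) following /ipfs/
CID_RE = re.compile(r"/ipfs/(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{56,})(?=/|$)")
LURE_TERMS = ("resume", "cv", "position", "application", "shared with you")


def _under(host: str, domains: tuple) -> bool:
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_url(url: str) -> list:
    """Lexical indicators for one URL; nothing is fetched."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    tags = []
    if _under(host, SHORTENERS):
        tags.append("shortener")
    if CID_RE.search(parsed.path):
        tags.append("ipfs_gateway")
    if any(k in host for k in CLOUD_KEYWORDS) and not _under(host, LEGIT_CLOUD_DOMAINS):
        tags.append("cloud_storage_lookalike")
    if parsed.path.lower().endswith(".pdf"):
        tags.append("pdf_link")
    return tags


def triage_message(msg: dict) -> dict:
    """Flag a message only when lure wording and a link indicator occur together."""
    text = f"{msg['subject']} {msg['body']}".lower()
    lure = [t for t in LURE_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]
    urls = {u: triage_url(u) for u in URL_RE.findall(msg["body"])}
    has_link_indicator = any(urls.values())
    return {
        "sender": msg["sender"],
        "lure_terms": lure,
        "urls": urls,
        "suspicious": has_link_indicator and bool(lure),
    }


def run_triage(messages=SAMPLE_MESSAGES) -> list:
    """Triage every message in the batch."""
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for result in run_triage():
        state = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(result["sender"], state, result["urls"])
```

Requiring both a lure term and a link indicator keeps a legitimate Google Docs link out of the flagged set while still catching the shortener, the lookalike OneDrive host and the IPFS-hosted "resume"; links inside PDF attachments would need the same check applied to text extracted from the attachment.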

Differences in Operational Techniques

One point of differentiation lies in the JavaScript used on the landing pages. In TransferLoader campaigns the JavaScript redirects the visitor to a different PHP endpoint on the same server, which gives the operators a point at which to filter visitors server-side before anything is served, limiting what researchers and automated scanners are able to retrieve.

Potential Relationships Between Groups

The overlapping tradecraft displayed by TA829 and UNK_GreenSec raises several possibilities about their relationship:

  1. Both groups might be using the same third-party provider for distribution and infrastructure.
  2. TA829 may independently distribute infrastructure and provide services to UNK_GreenSec.
  3. UNK_GreenSec could be supplying infrastructure to TA829 but opted to use it for its own purposes temporarily.
  4. There exists a possibility that TA829 and UNK_GreenSec are one entity, with TransferLoader being a new addition to their arsenal.

Proofpoint concludes that the growing intersection of cybercrime and espionage complicates the ability to delineate between criminal and state-sponsored activities, which makes attributing threats increasingly challenging. As analysts continue to monitor these groups, the potential for new developments in tactics and partnerships looms large.
