Rising Cyber Threats: Unmasking TA829 and UNK\_GreenSec’s Malware Web


Introduction: Cybercrime Meets Espionage

In the ever-evolving realm of cybersecurity, the distinction between nation-state espionage and organized cybercrime is becoming increasingly blurred. A recent investigation by cybersecurity firm Proofpoint has shed light on an intricate network of threat actors—namely TA829 (aka RomCom RAT operators) and a newer group dubbed UNK_GreenSec—exposing how these entities use overlapping tactics, shared infrastructure, and advanced malware loaders like TransferLoader and SlipScreen. Their campaigns target everything from high-profile law firms to global political institutions, making them a rising concern in today’s digital warfare landscape.

The Threat Landscape

Cybersecurity analysts have detected alarming similarities between two threat actor groups: TA829 (known for distributing the RomCom Remote Access Trojan) and a lesser-known cluster called UNK_GreenSec, associated with the TransferLoader malware.

Proofpoint’s investigation revealed that both groups employ nearly identical infrastructure, phishing lures, landing pages, and distribution tactics. TA829, also known under aliases like Storm-0978, Void Rabisu, and UAC-0180, is a Russia-linked hybrid group capable of both cyber espionage and financially driven operations. Notably, they’ve exploited zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to deliver RomCom RAT.

UNK_GreenSec first appeared during an attack in February 2025 involving the Morpheus ransomware, targeting a U.S. law firm. This campaign introduced TransferLoader—a stealthy loader designed to drop ransomware and malware payloads while bypassing detection using encrypted communication and dynamic landing pages.

Both groups utilize REM Proxy services running on compromised MikroTik routers to obfuscate traffic, making their activities hard to trace. These proxies are likely rented, allowing mass phishing campaigns to be executed from fake Gmail and Ukr.net accounts, crafted through automated tools.

Victims are tricked via phishing emails containing links—either embedded or within PDFs—redirecting them through Rebrandly to spoofed Google Drive or OneDrive pages. After sandbox filtering, targets are either hit with TransferLoader (in UNK_GreenSec campaigns) or a first-stage loader called SlipScreen (in TA829 operations).

SlipScreen decrypts and loads shellcode directly into memory, but only if the host device passes a registry check confirming active use. It then downloads payloads like RustyClaw and MeltingClaw, which deploy backdoors such as ShadyHammock or DustyHammock—malware known for launching updated variants of RomCom RAT, such as SingleCamper (SnipBot).
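As an added example (not Proofpoint's or the article's code), the following Python correlates the chain just described, a Rebrandly short link followed by a spoofed Drive/OneDrive page and a payload fetch from an IPFS gateway, over constructed proxy log lines; the client IPs, lookalike hostnames and time window are assumptions, and only Rebrandly's rebrand.ly domain is real.

```python
# Correlate the delivery chain described above (Rebrandly link, spoofed Drive/
# OneDrive landing page, payload fetched from IPFS) across proxy log lines.
# Added example, not Proofpoint's or the article's code; the log lines,
# hostnames and time window below are constructed for illustration.
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Genuine cloud-storage hosts; any other host using these words is a lookalike.
LEGIT_STORAGE = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
LOOKALIKE_WORDS = ("google", "drive", "onedrive")
# Constructed proxy log: "<ISO timestamp> <client IP> <URL>" (placeholder hosts).
SAMPLE_LOG = """\
2025-02-10T09:00:01 10.0.0.5 https://rebrand.ly/abc123
2025-02-10T09:00:04 10.0.0.5 https://drive-google-share.example/view?id=1
2025-02-10T09:01:30 10.0.0.5 https://gateway.example/ipfs/bafyconstructedcid/update.zip
2025-02-10T09:05:00 10.0.0.9 https://drive.google.com/file/d/real/view
2025-02-10T11:00:00 10.0.0.7 https://rebrand.ly/newsletter
""".splitlines()

def classify(url):
    """Map a URL to a stage of the chain, or None if it is unremarkable."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == "rebrand.ly" or host.endswith(".rebrand.ly"):
        return "shortener"
    if "/ipfs/" in parsed.path.lower():        # path-style IPFS gateway fetch
        return "ipfs"
    legit = any(host == d or host.endswith("." + d) for d in LEGIT_STORAGE)
    if not legit and any(w in host for w in LOOKALIKE_WORDS):
        return "lookalike"
    return None

def find_suspect_chains(lines, window=timedelta(minutes=10)):
    """Return {client: stages} for clients whose shortener click is followed
    within `window` by a lookalike page and/or an IPFS fetch; a lone click is not."""
    events = {}                                 # client -> [(timestamp, stage)]
    for line in lines:
        ts, client, url = line.split()
        stage = classify(url)
        if stage:
            events.setdefault(client, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        for i, (t0, s0) in enumerate(evs):
            later = [s for t, s in evs[i + 1:] if s != "shortener" and t - t0 <= window]
            if s0 == "shortener" and later:
                hits[client] = ["shortener"] + later
                break
    return hits
```

The genuine drive.google.com visit from 10.0.0.9 and the lone newsletter click from 10.0.0.7 are not flagged; only the client that walks the full chain is.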

UNK_GreenSec’s campaigns have used job-themed phishing lures to deliver TransferLoader, which acts as a silent enabler of secondary malware like Metasploit and Morpheus ransomware—a rebranded form of HellCat ransomware.

Interestingly, both actors host payloads on decentralized platforms like IPFS and employ tools like PuTTY’s PLINK for secure SSH tunnels. Despite some differences, the tactics are similar enough that experts propose four possibilities:

  1. Both groups buy infrastructure from the same third party.
  2. TA829 provides infrastructure to UNK_GreenSec.
  3. UNK_GreenSec is the provider, occasionally using its own services.
  4. Both are actually the same group, with TransferLoader being a new malware in TA829’s arsenal.

Proofpoint concludes that the line between cybercrime and espionage is fading, complicating efforts to accurately attribute these attacks.

What Undercode Says: 🔍 Deep Analysis of the Campaigns

Converging Tradecraft and Evolving Tactics

The convergence between TA829 and UNK_GreenSec shows a strategic shift from traditional hacker group structures. These actors now blur the lines between criminal activity and state-sponsored espionage, leveraging multi-tiered infrastructure and deceptive lures to bypass detection.

Malware Innovation and Modular Payloads

TransferLoader and SlipScreen represent a new generation of modular malware loaders. SlipScreen checks for document usage in Windows Registry to ensure victims are human-operated systems—not sandboxes—before proceeding. Such logic-based infection tactics indicate growing malware sophistication.

MeltingClaw and RustyClaw, operating as downloaders, can pull additional payloads including backdoors (ShadyHammock/DustyHammock), which in turn launch RomCom RAT variants. The chain of infections resembles an enterprise-grade APT operation rather than a simple cybercriminal campaign.

Proxy Infrastructure and IPFS Hosting

The extensive use of REM Proxy services to relay malicious traffic reflects a move toward decentralized infrastructure, reducing traceability. Hosting payloads on IPFS further complicates takedown efforts, as content is spread across distributed networks. These approaches highlight a major obstacle for defenders.

Espionage Meets Ransomware

The dual-use nature of these groups—targeting political entities with RomCom RAT while launching ransomware attacks on law firms—reflects a disturbing trend: espionage actors monetizing their infrastructure. Whether for profit or policy influence, this hybrid behavior is becoming more common.

Attribution Challenges

With near-identical lures, domain registration patterns, and infection chains, it becomes increasingly difficult to separate TA829 and UNK_GreenSec. The four scenarios proposed by Proofpoint all suggest at least some degree of collaboration or shared infrastructure, signaling a merger between APT and cybercrime ecosystems.

Final Insight

If TA829 and UNK_GreenSec are indeed the same entity—or closely cooperating—the implications are massive. It means one group can target government institutions and private enterprises, exploiting vulnerabilities and maximizing reach across both espionage and financial domains.

✅ Fact Checker Results

Both TA829 and UNK_GreenSec use REM Proxy infrastructure and phishing via freemail services.
TransferLoader and SlipScreen share hosting practices on IPFS and similar infection chains.
Proofpoint confirms strong links but cannot conclusively verify if both groups are the same.

🔮 Prediction: The Future of Threat Actor Collaboration

Expect to see a continued blending of nation-state APTs and criminal syndicates. Hybrid groups like TA829/UNK_GreenSec will grow in scale, deploying modular malware with decentralized infrastructure. Security researchers will struggle more with attribution as threat actors embrace shared toolkits and services. As ransomware and espionage increasingly intersect, the cybersecurity industry must prepare for more complex, cross-domain threats.

References:

Reported By: thehackernews.com