TA829 and UNK_GreenSec suspected of shared malware campaigns

Researchers have identified overlapping tactics and infrastructure between two threat groups behind recent phishing and ransomware attacks.

What happened

Security researchers have observed overlaps between two cyber threat actors: TA829 (also known by aliases including RomCom, Storm-0978, and Void Rabisu) and a lesser-known cluster called UNK_GreenSec. The analysis found that both groups are using similar phishing infrastructure, email lure techniques, and malware delivery paths. While TA829 is known for its hybrid activity in espionage and financial crime, UNK_GreenSec has recently been tied to a malware loader named TransferLoader.

Findings suggest that the two groups may be collaborating, sourcing tools from the same provider, or potentially operating as a single entity.

Going deeper

TA829 and UNK_GreenSec campaigns both rely on compromised MikroTik routers running REM Proxy services to send phishing emails from freemail accounts like Gmail and ukr.net. The phishing messages either include a direct malicious link or embed it within a PDF, redirecting targets through services like Rebrandly before landing on spoofed Microsoft or Google Drive pages.

At that point, the attack paths diverge: TA829 delivers a loader called SlipScreen, while UNK_GreenSec drops TransferLoader. SlipScreen checks Windows Registry values to avoid sandbox detection before executing memory-based shellcode and fetching malware such as MeltingClaw and backdoors like DustyHammock or ShadyHammock. TransferLoader, meanwhile, is used to deliver tools like Metasploit and Morpheus ransomware.

Both actors have used IPFS hosting and tools like PuTTY’s PLINK for encrypted tunneling. Notably, both employ tactics to bypass detection, including live system checks and server-side filtering.
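The delivery chain described above (freemail sender, short-link redirect, spoofed Microsoft or Google Drive landing page, payload hosted on IPFS) can be turned into a simple mail-triage check. The following is an added example written for this page, not Proofpoint's tooling or anything from the actors. It assumes rebrand.ly is Rebrandly's short-link domain, that an upstream URL-rewriting or sandbox step has already followed each link's redirect chain, and that the freemail and brand-domain lists are reasonable starting points; the sample messages are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Freemail providers named in the article plus two common ones (assumption).
FREEMAIL_DOMAINS = {"gmail.com", "ukr.net", "outlook.com", "yahoo.com"}
# Rebrandly's short-link domain (the article names the service; the domain is an assumption).
SHORTENER_DOMAINS = {"rebrand.ly"}
# Registrable domains that may legitimately carry the impersonated brands (assumption, not exhaustive).
LEGIT_BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com",
                       "office.com", "sharepoint.com", "google.com"}
BRAND_KEYWORDS = ("microsoft", "office", "onedrive", "sharepoint", "google", "gdrive", "drive")


@dataclass
class Message:
    sender: str
    # One list per link found in the body or in a PDF attachment; each list is the
    # redirect chain that link resolved to (expansion done upstream, assumption).
    url_chains: list[list[str]] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels. Adequate for the TLDs used here (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_freemail(sender: str) -> bool:
    return sender.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS


def is_shortener(url: str) -> bool:
    return registrable_domain(urlparse(url).hostname or "") in SHORTENER_DOMAINS


def is_brand_lookalike(url: str) -> bool:
    """Host mentions a Microsoft/Google brand keyword but is not a legitimate brand domain."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_BRAND_DOMAINS:
        return False
    return any(keyword in host for keyword in BRAND_KEYWORDS)


def is_ipfs(url: str) -> bool:
    """IPFS gateway path (/ipfs/<cid>) or an 'ipfs' label in the hostname."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    return parsed.path.startswith("/ipfs/") or "ipfs" in host.split(".")


def triage(msg: Message) -> list[str]:
    """Return the sorted set of chain features matching the campaign pattern."""
    findings = set()
    if is_freemail(msg.sender):
        findings.add("freemail_sender")
    for chain in msg.url_chains:
        if any(is_shortener(u) for u in chain):
            findings.add("shortener_redirect")
        if any(is_brand_lookalike(u) for u in chain):
            findings.add("brand_lookalike_landing")
        if any(is_ipfs(u) for u in chain):
            findings.add("ipfs_hosted")
    return sorted(findings)


# Constructed sample records; none of these addresses or hosts come from the article.
SAMPLE_MALICIOUS = Message(
    sender="invoice.dept@ukr.net",
    url_chains=[[
        "https://rebrand.ly/abc123",                           # constructed short link
        "https://onedrive-share.example-files.net/login",      # constructed lookalike landing page
        "https://gateway.example.net/ipfs/QmConstructedCid",   # constructed IPFS payload URL
    ]],
)
SAMPLE_BENIGN = Message(
    sender="alice@corp.example",
    url_chains=[["https://drive.google.com/file/d/abc/view"]],
)

if __name__ == "__main__":
    for label, msg in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(msg))
```

Each finding on its own is weak (plenty of legitimate mail comes from Gmail or uses a shortener); the value is in the combination, so a mail gateway rule would typically quarantine or flag for review only when several of these features co-occur in one message.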

What was said

Researchers documented structural similarities in email address formats, proxy routing methods, payload delivery techniques, and staging infrastructure. “Campaigns, indicators, and threat actor behaviors have converged,” said the team, noting that the line between criminal and espionage-related activity continues to blur.

The groups’ relationship remains unclear, though Proofpoint laid out four possible scenarios: shared third-party infrastructure, subcontracting between groups, a temporary overlap in tooling, or that TA829 and UNK_GreenSec are effectively the same operation.

The big picture

While direct links between TA829 and UNK_GreenSec remain unclear, the use of similar tools points to a growing underground market for modular and reusable hacking resources that can be adopted by different groups.

FAQs

What is REM Proxy, and why is it used by threat actors?

REM Proxy is a network of compromised devices, often routers, that relay traffic on behalf of attackers. It allows threat actors to obscure the origin of phishing or malware delivery, making detection and takedown harder.

What is IPFS, and why are attackers using it?

The InterPlanetary File System (IPFS) is a decentralized file-sharing network. Attackers use it to host malware payloads since files hosted on IPFS are resistant to traditional takedown methods.

How does SlipScreen detect whether it’s running in a real environment?

SlipScreen checks the Windows Registry to count how many recent documents a user has opened. A high number suggests it’s a real user, while low activity may indicate a sandbox or testing environment.

Why would threat actors use similar email formats or spoofed domains?

Using email builder utilities or templates, attackers can automate the creation of sender addresses and phishing messages at scale, helping them launch broad campaigns that appear credible to targets.

What are the risks of treating espionage and cybercrime as separate threats?

The distinction between state-sponsored and financially motivated hacking is blurring, which complicates response strategies built on keeping them separate. Shared tools and infrastructure mean an attack attributed to crime could also have geopolitical implications.
