Proofpoint has identified similarities between the tactics of a pro-Russian cyber espionage group and a cybercriminal gang
Analysis Summary
# Threat Actor: TA829
## Attribution & Identity
TA829 is identified as a **hybrid threat actor** that conducts both **cyber extortion** (financially motivated) and **pro-Russian cyber espionage** activities.
**Associated Groups/Clusters:** Proofpoint notes overlaps with RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis, and Tropical Scorpius. A newly identified cluster, **UNK_GreenSec**, exhibits significant operational similarities, suggesting a close link.
## Activity Summary
TA829 was initially tracked as a financially motivated group but shifted to conduct targeted espionage campaigns in Ukraine following the invasion, aligning with Russian state interests, alongside its traditional cyber extortion operations. The group was relatively quiet for the past year before resurfacing in February 2025 with new campaigns. Four recent campaigns displaying TA829 hallmarks but using a different payload (TransferLoader) were attributed to the new cluster **UNK_GreenSec**.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing campaigns used to deploy malware payloads.
- **Delivery Mechanisms:** Reliance on REM Proxy services deployed on compromised MikroTik routers for sending infrastructure.
- **Evasion/Automation:** Automated processes common to cybercriminals, such as regular updating of packers/loaders and using varied sending infrastructure/source addresses for each target.
- **Infrastructure Use:** Use of extensive redirection chains to evade researcher detection.
- **Advanced Capabilities (Espionage):** Deployment of higher-end capabilities, including the use of browser or operating-system **zero-day exploits** in dedicated espionage campaigns.
- **Phishing Lures (Shared with UNK_GreenSec):** Emails are plaintext, themed around job seeking or complaints against the target. Lures contain a link to an actor-controlled domain (sometimes in an attached PDF).
- **Phishing Execution Chain (Shared with UNK_GreenSec):** Real users are routed via redirectors to a landing page spoofing OneDrive or Google Drive, linking to a download site which drops a signed loader spoofing a PDF.
- **MITRE ATT&CK IDs:** Not explicitly stated in the source report.
## Targeting
- Sectors: Not specified beyond general cyber extortion and espionage targets. UNK_GreenSec campaigns targeted a broader set of industries.
- Geography: Active in **Ukraine** for espionage campaigns aligned with Russian interests. UNK_GreenSec campaigns targeted broader geographies.
- Victims: No specific victim organizations named.
## Tools & Infrastructure
- **Malware Families Used:**
  - **SingleCamper** (aka SnipBot): An updated version of the **RomCom** backdoor.
  - **DustyHammock:** Lightweight malware.
  - **TransferLoader:** Malware payload associated exclusively with the linked UNK_GreenSec cluster activity.
- **Infrastructure:**
  - Reliance on **REM Proxy services** (likely rented) leveraged through compromised **MikroTik routers**.
  - Use of a shared (hypothesized) **email builder utility** for bulk email creation via REM Proxy nodes.
## Implications
The observed operational overlap between TA829 (espionage/extortion) and UNK_GreenSec (criminal-like scale) blurs the lines between cybercrime and state-sponsored espionage. This convergence makes accurate attribution and clustering significantly more challenging, suggesting potential shared infrastructure, third-party providers, or operational testing between criminal and potentially state-aligned tooling/distribution methods.
## Mitigations
- Focus defenses on monitoring/blocking traffic originating from compromised MikroTik devices used as REM Proxy nodes.
- Be vigilant regarding phishing emails themed around job applications or complaints, especially those leading to redirects that spoof cloud storage sites (OneDrive/Google Drive).
- Defenses must account for sophisticated evasion techniques, including extensive redirection chains and varied sending infrastructure.
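As an added illustration (not Proofpoint's code or data), the following Python sketch shows two defender-side checks that follow from the execution chain and mitigations above: reconstructing redirect chains from proxy logs and flagging those that end on a hostname impersonating OneDrive or Google Drive, and catching a Windows executable delivered under a `.pdf` name. The log format, hostnames, allowlist and sample lines are constructed for the example.

```python
"""Defender-side checks for the phishing chain summarized above (added example).

  1. Rebuild redirect chains per client from proxy log lines and flag chains
     that are long or end on a cloud-storage lookalike host.
  2. Detect a file that claims to be a PDF but carries a PE ("MZ") header.

The log format, hostnames and allowlist are constructed assumptions for
this example, not data from the report.
"""
import re
from urllib.parse import urlparse

# Known-good hosts for the brands the lures spoof (illustrative allowlist;
# populate from your own environment's data).
LEGIT_HOSTS = {"onedrive.live.com", "1drv.ms", "drive.google.com", "docs.google.com"}
BRAND_TOKENS = ("onedrive", "1drv", "googledrive", "google-drive", "drive-google", "gdrive")

# Constructed proxy log format: "<client> <url> <status> <location-or-dash>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")


def is_lookalike(host: str) -> bool:
    """True when a hostname borrows a cloud-storage brand but is not a known host."""
    host = host.lower()
    return host not in LEGIT_HOSTS and any(tok in host for tok in BRAND_TOKENS)


def build_chains(lines):
    """Reconstruct redirect chains per client.

    A chain grows while a request receives a 30x with a Location header and the
    same client's next request is for that Location. Returns (client, [urls])
    for every chain of two or more hops.
    """
    by_client = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the batch
        client, url, status, location = m.groups()
        by_client.setdefault(client, []).append((url, int(status), location))

    chains = []
    for client, events in by_client.items():
        current, expected = [], None
        for url, status, location in events:
            if expected is not None and url != expected:
                # Client went elsewhere; close the chain if it had real hops.
                if len(current) >= 2:
                    chains.append((client, current))
                current, expected = [], None
            current.append(url)
            if 300 <= status < 400 and location != "-":
                expected = location
            else:
                if len(current) >= 2:
                    chains.append((client, current))
                current, expected = [], None
        if len(current) >= 2:
            chains.append((client, current))
    return chains


def suspicious_chains(lines, min_hops=3):
    """Flag chains that are long or terminate on a cloud-storage lookalike."""
    flagged = []
    for client, chain in build_chains(lines):
        final_host = urlparse(chain[-1]).hostname or ""
        reasons = []
        if len(chain) >= min_hops:
            reasons.append(f"{len(chain)} hops")
        if is_lookalike(final_host):
            reasons.append(f"lookalike host {final_host}")
        if reasons:
            flagged.append((client, chain, reasons))
    return flagged


def spoofed_pdf(filename: str, data: bytes) -> bool:
    """True when a file named *.pdf starts with the PE 'MZ' signature.

    A genuine PDF begins with '%PDF-'; a Windows executable begins with 'MZ'.
    """
    return filename.lower().endswith(".pdf") and data[:2] == b"MZ"


# Constructed sample: one client follows a lure through two redirectors to a
# fake OneDrive page; another client opens a legitimate OneDrive link.
SAMPLE_LOG = [
    "10.0.0.5 http://lure.example/apply 302 http://redir1.example/r",
    "10.0.0.5 http://redir1.example/r 302 http://redir2.example/go",
    "10.0.0.5 http://redir2.example/go 302 https://onedrive-files.example/share",
    "10.0.0.5 https://onedrive-files.example/share 200 -",
    "10.0.0.9 https://onedrive.live.com/view 200 -",
]

if __name__ == "__main__":
    for client, chain, reasons in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain), "|", "; ".join(reasons))
    print("spoofed PDF:", spoofed_pdf("Resume.pdf", b"MZ\x90\x00"))
```

The chain builder deliberately tolerates malformed lines and clients that abandon a chain mid-way, since real proxy logs interleave unrelated requests; the PDF check is a cheap gate to place on download-inspection paths before heavier signature validation.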