Full Report
Cybersecurity researchers have flagged the tactical similarities between the threat actors behind the RomCom RAT and a cluster that has been observed delivering a loader dubbed TransferLoader. Enterprise security firm Proofpoint is tracking the activity associated with TransferLoader to a group dubbed UNK_GreenSec and the RomCom RAT actors under the moniker TA829. The latter is also known by the
Analysis Summary
# Threat Actor: TA829 / UNK_GreenSec
## Attribution & Identity
**TA829** is identified as a Russia-aligned hybrid threat group capable of conducting both espionage and financially motivated attacks.
**UNK_GreenSec** is a separate cluster whose activity shows significant tactical overlap with TA829.
**Known Aliases for TA829:** CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu.
## Activity Summary
TA829 has been linked to the zero-day exploitation of security flaws in Mozilla Firefox and Microsoft Windows to deploy the **RomCom RAT**.
UNK_GreenSec has been observed delivering the **TransferLoader** malware.
Proofpoint discovered tactical similarities (infrastructure, delivery tactics, landing pages, lure themes) between the two, suggesting they either share resources, one supplies services to the other, or they are fundamentally the same entity using TransferLoader as a new tool.
TA829 campaigns have also been linked to delivering malware like SlipScreen, MeltingClaw (aka DAMASCENED PEACOCK), RustyClaw, and potentially dropping backdoors such as ShadyHammock or DustyHammock, which can further deploy RomCom RAT (SingleCamper/SnipBot).
UNK\_GreenSec's observed activity included delivering **Morpheus ransomware** (a rebranded form of HellCat ransomware) against an unnamed American law firm earlier in the year.
## Tactics, Techniques & Procedures
- Exploitation of zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows.
- Use of **REM Proxy services** deployed on compromised MikroTik routers for upstream infrastructure relay and sending spam/phishing emails.
- Sophisticated email delivery leveraging freemail providers (Gmail, Ukr.net) via REM Proxy nodes, often using an email builder utility for mass creation.
- Phishing lures delivered via direct link or PDF attachment, leading to a series of **Rebrandly** redirections.
- Filtering out sandboxes or non-target machines during redirection.
- Infrastructure divergence post-redirection: UNK_GreenSec uses a PHP endpoint and a dynamic landing page; TA829 redirects to OneDrive/Google Drive spoofs followed by a different infrastructure path.
- Use of **PLINK utility** (from Putty) to establish SSH tunnels.
- Hosting utilities and payloads on the **IPFS (InterPlanetary File System)** network.
- **Living-off-the-land (LOTL)** tactics.
- Encrypted Command-and-Control (C2) communications.
- **SlipScreen** malware performs a specific Registry check (`HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`) to ensure the target has at least 55 recent documents before loading shellcode into memory.
- [No specific MITRE ATT&CK IDs provided in the source text].
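The delivery chain in the list above (phishing link or PDF, a series of Rebrandly redirections, then a cloud-storage spoof) leaves a recognisable trail in web-proxy logs. The following is an added example, not code or data from the original report: it reconstructs per-client redirect chains from constructed proxy log lines and flags chains that pass through a link shortener and land on a host that imitates OneDrive or Google Drive without belonging to Microsoft or Google. The log format, client addresses and the `onedrive-share.example` lookalike hostname are all made up; `rebrand.ly` is Rebrandly's default short domain, but custom branded domains would need adding to `SHORTENER_HOSTS`.

```python
"""Redirect-chain reconstruction over constructed proxy logs (added example, not the
report's data). Format per line: ts client method url status location('-' if none)."""
from urllib.parse import urlparse

# Constructed sample lines: one lure chain, one benign shortener use, one genuine OneDrive hit.
LOG_LINES = """
2025-07-01T08:00:01 10.1.1.5 GET https://rebrand.ly/q3-invoice 301 https://rebrand.ly/x9k2
2025-07-01T08:00:02 10.1.1.5 GET https://rebrand.ly/x9k2 302 https://onedrive-share.example/s/doc
2025-07-01T08:00:03 10.1.1.5 GET https://onedrive-share.example/s/doc 200 -
2025-07-01T08:05:00 10.1.1.7 GET https://rebrand.ly/team-page 301 https://www.example.com/
2025-07-01T08:05:01 10.1.1.7 GET https://www.example.com/ 200 -
2025-07-01T08:10:00 10.1.1.9 GET https://onedrive.live.com/redir?x=1 302 https://onedrive.live.com/view
""".strip().splitlines()

# Assumptions for the example: rebrand.ly is the shortener to watch; the suffixes below are
# the genuine storage domains, anything else carrying a lure word is treated as a lookalike.
SHORTENER_HOSTS = {"rebrand.ly"}
LEGIT_STORAGE_SUFFIXES = ("onedrive.live.com", "1drv.ms", "sharepoint.com",
                          "drive.google.com", "docs.google.com")
LURE_WORDS = ("onedrive", "1drv", "sharepoint", "googledrive", "google-drive")


def parse_line(line):
    """Split one constructed proxy line into a record; '-' means no Location header."""
    ts, client, method, url, status, location = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": None if location == "-" else location}


def is_lookalike(host):
    """True when a host uses a cloud-storage brand name but is not the genuine domain."""
    host = (host or "").lower()
    if any(host == s or host.endswith("." + s) for s in LEGIT_STORAGE_SUFFIXES):
        return False
    return any(word in host for word in LURE_WORDS)


def build_chains(lines):
    """Group requests into redirect chains: a request whose URL equals the previous
    Location for the same client continues that client's open chain."""
    chains, open_chain = [], {}
    for rec in map(parse_line, lines):
        current = open_chain.get(rec["client"])
        if current and current[-1]["location"] == rec["url"]:
            current.append(rec)
        else:
            chain = [rec]
            chains.append(chain)
            open_chain[rec["client"]] = chain
    return chains


def flag_lure_chains(chains):
    """Alert on chains that touch a shortener and end on a storage lookalike host."""
    alerts = []
    for chain in chains:
        hosts = [urlparse(rec["url"]).hostname for rec in chain]
        if any(h in SHORTENER_HOSTS for h in hosts) and is_lookalike(hosts[-1]):
            alerts.append({"client": chain[0]["client"], "hops": hosts,
                           "first_seen": chain[0]["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_lure_chains(build_chains(LOG_LINES)):
        print("shortener -> storage lookalike:", alert)
```

Chains are keyed on the Location/URL match rather than on time alone, so two unrelated requests from the same client are not stitched together; a real deployment would also bound the gap between hops and include the Referer header where the proxy records it.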
## Targeting
- Sectors: not limited to one sector; NATO-linked organizations (implied by related reporting) and law firms (one specific victim mentioned).
- Geography: Global.
- Victims: An unnamed American law firm was targeted in a TransferLoader campaign.
## Tools & Infrastructure
- **Malware families:** RomCom RAT (aka SingleCamper/SnipBot), TransferLoader, SlipScreen, MeltingClaw (aka DAMASCENED PEACOCK), RustyClaw, ShadyHammock, DustyHammock, Morpheus ransomware (HellCat).
- **Infrastructure:** Compromised **MikroTik routers** hosting **REM Proxy services**, **IPFS services** for hosting payloads/utilities, **Rebrandly** for link shortening, freemail providers (Gmail, Ukr.net) for initial email distribution.
- **Defanged Infrastructure:** No specific indicators (IP addresses, domains, hashes) are given in the source text; C2 servers are described only as fronted by REM Proxy nodes and IPFS-hosted resources.
## Implications
The blurring lines between espionage and cybercrime are evident through TA829's dual capability. The convergence of tactics between TA829 and UNK_GreenSec complicates attribution efforts significantly. The reliance on rented proxy infrastructure and bulletproof hosting suggests resilience against takedowns. The exploitation of critical software zero-days indicates high levels of sophistication and resources dedicated to targeted impact.
## Mitigations
- Monitor for and investigate unexpected SSH tunnel creation or usage of utilities like PLINK for C2 establishment.
- Enhance detection logic around access patterns originating from REM Proxy services or previously unseen freemail accounts.
- Review endpoint security for unusual memory injection or shellcode execution, particularly if preceded by filesystem activity checks (like the SlipScreen check on recent documents).
- Implement rigorous application controls so that the legitimate system utilities abused in LOTL tradecraft can only run from expected paths and under expected accounts.
- Ensure prompt patching of browsers, operating systems and router firmware (including MikroTik devices), prioritising the reported zero-days in Mozilla Firefox and Microsoft Windows.
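Two of the mitigations above (watching for PLINK used to build SSH tunnels, and for memory injection preceded by the SlipScreen-style RecentDocs check) can be expressed as correlation rules over endpoint telemetry. The block below is an added example, not code from the original report or from Proofpoint: it runs both rules over constructed, normalised endpoint events. The event schema (`kind`, `image`, `original_name`, `cmdline`, `key`, `target_pid`), hostnames, PIDs, file paths and the `198.51.100.10` address are all assumptions for the example; matching on the PE version resource name `Plink` is how renamed copies of the binary are caught and is also an assumption about what your sensor exposes.

```python
"""Correlation rules over constructed endpoint events (added example, not the report's
data). Event schema, hosts, PIDs, paths and addresses are assumptions for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECENTDOCS_SUFFIX = r"software\microsoft\windows\currentversion\explorer\recentdocs"
TUNNEL_FLAG = re.compile(r"^-[LRD](?:\d|$)")   # PLINK/OpenSSH port-forwarding switches
INJECTION_WINDOW = timedelta(minutes=10)        # max gap between the key read and the thread

# Constructed telemetry, normalised from whatever EDR/Sysmon feed is in use: a benign
# Explorer session, a renamed PLINK building a reverse tunnel, a benign PLINK admin
# command, and a SlipScreen-like sequence (RecentDocs read, then a remote thread).
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:00:00", "host": "ws01", "kind": "process_create", "pid": 4100,
     "image": r"C:\Windows\explorer.exe", "original_name": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    {"ts": "2025-07-01T09:00:05", "host": "ws01", "kind": "registry_read", "pid": 4100,
     "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"},
    {"ts": "2025-07-01T09:10:00", "host": "ws01", "kind": "process_create", "pid": 5200,
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "original_name": "Plink",
     "cmdline": "svc.exe -N -R 443:127.0.0.1:443 relay@198.51.100.10"},
    {"ts": "2025-07-01T09:30:00", "host": "ws02", "kind": "process_create", "pid": 7000,
     "image": r"C:\Program Files\PuTTY\plink.exe", "original_name": "Plink",
     "cmdline": "plink.exe -batch -ssh admin@10.0.0.5 uptime"},
    {"ts": "2025-07-01T10:20:00", "host": "ws03", "kind": "process_create", "pid": 6100,
     "image": r"C:\Users\bob\Downloads\Contract.exe", "original_name": "", "cmdline": "Contract.exe"},
    {"ts": "2025-07-01T10:20:03", "host": "ws03", "kind": "registry_read", "pid": 6100,
     "image": r"C:\Users\bob\Downloads\Contract.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"},
    {"ts": "2025-07-01T10:20:05", "host": "ws03", "kind": "remote_thread", "pid": 6100,
     "image": r"C:\Users\bob\Downloads\Contract.exe", "target_pid": 6150},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_plink_tunnels(events):
    """Rule 1: PLINK (by file name or PE original name) launched with -L/-R/-D switches.
    A plain remote command without forwarding switches is left alone."""
    hits = []
    for e in events:
        if e["kind"] != "process_create":
            continue
        is_plink = (basename(e["image"]) == "plink.exe"
                    or e.get("original_name", "").lower() == "plink")
        if not is_plink:
            continue
        argv = e["cmdline"].split()
        if any(TUNNEL_FLAG.match(tok) for tok in argv[1:]):
            hits.append({"host": e["host"], "pid": e["pid"], "cmdline": e["cmdline"]})
    return hits


def detect_recentdocs_then_injection(events, window=INJECTION_WINDOW):
    """Rule 2: a process other than Explorer reads the RecentDocs key and, within
    `window`, creates a thread in another process (the check-then-load ordering)."""
    reads = defaultdict(list)                      # (host, pid) -> [read timestamps]
    for e in events:
        if (e["kind"] == "registry_read"
                and e["key"].lower().endswith(RECENTDOCS_SUFFIX)
                and basename(e["image"]) != "explorer.exe"):
            reads[(e["host"], e["pid"])].append(parse_ts(e["ts"]))
    alerts = []
    for e in events:
        if e["kind"] != "remote_thread":
            continue
        when = parse_ts(e["ts"])
        for read_at in reads.get((e["host"], e["pid"]), []):
            if read_at <= when <= read_at + window:
                alerts.append({"host": e["host"], "pid": e["pid"], "image": e["image"],
                               "target_pid": e["target_pid"],
                               "delta_s": (when - read_at).total_seconds()})
                break
    return alerts


if __name__ == "__main__":
    for hit in detect_plink_tunnels(SAMPLE_EVENTS):
        print("PLINK tunnel:", hit)
    for alert in detect_recentdocs_then_injection(SAMPLE_EVENTS):
        print("RecentDocs check then remote thread:", alert)
```

Registry reads are not something every sensor records by default; on Windows, auditing the RecentDocs key requires a SACL on that key with object-access auditing enabled, so confirm the `registry_read` feed exists before relying on the second rule.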