
Proofpoint’s latest research exposes a pair of closely related threat actor clusters—TA829 and UNK_GreenSec. Described as “a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests,” TA829 is far from ordinary. The group’s activities exhibit the hallmarks of financially motivated crime—automated phishing campaigns, malware deployment, and infrastructure-for-hire—yet it simultaneously engages in targeted espionage against Ukrainian interests and defense contractors.
But something curious emerged in early 2025. A different set of campaigns, with similar infrastructure and tactics, began surfacing. These new operations, eventually attributed to a temporary actor cluster dubbed UNK_GreenSec, deployed a previously unseen loader known as TransferLoader, which in some cases dropped Morpheus ransomware—a rebranded variant of HellCat.
“Initially our researchers clustered this activity as part of TA829, but after further investigation into the infection chain, behaviors, and malware, Proofpoint researchers began tracking this activity as a separate cluster,” the report notes.

TA829’s toolset includes variants of RomCom malware, also known as SingleCamper (espionage-focused) and DustyHammock (financially motivated), both delivered via a stealthy loader family dubbed SlipScreen. These backdoors leverage advanced sandbox evasion, registry-based payload staging, COM hijacking, and zero-day exploits in some espionage-focused operations.
Its phishing campaigns, often spoofing OneDrive or Google Drive links, make use of compromised MikroTik routers and freemail services to distribute malicious payloads. The malware chain involves stages such as RustyClaw, MeltingClaw, and ShadyHammock, all interacting through encrypted registry entries and AES-secured communications.
UNK_GreenSec campaigns used similar job application-themed lures and spoofed cloud service pages, but differed in their payload: they deployed TransferLoader, a malware family “with many distinguishing characteristics,” including:
- Self-checks for specific filename patterns (e.g., containing “Resume” and “2025”).
- Custom encryption and obfuscation routines.
- Base32-encoded payloads decrypted using XOR-based keys.
- A dynamic infrastructure setup involving AWS S3, IPFS, and Cloudflare filtering.
These elements showed a high level of operational maturity, especially in filtering out security researchers and sandboxes.
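To make the encoding scheme described above concrete from an analyst's side, here is an added triage helper (not Proofpoint's code and not TransferLoader's actual routine, whose key derivation is not described on this page). It assumes a generic scheme of a repeating-key XOR followed by Base32 encoding, scans text for Base32-looking blobs, tries candidate keys, and reports any decode that begins with a PE header; the sample blob, key and filename are constructed for the example.

```python
import base64
import re

# Constructed sample: a harmless stand-in "payload" XOR-encrypted with a
# repeating key and Base32-encoded. This mirrors the general scheme described
# in the report; the real loader's key handling is NOT known from the page.
SAMPLE_KEY = b"k3y"
SAMPLE_PLAIN = b"MZ\x90\x00" + b"This is a constructed stand-in payload, not malware."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_sample(plain: bytes, key: bytes) -> str:
    """Build the constructed sample blob (XOR, then Base32)."""
    return base64.b32encode(xor_bytes(plain, key)).decode()


SAMPLE_BLOB = encode_sample(SAMPLE_PLAIN, SAMPLE_KEY)

# Base32 alphabet is A-Z and 2-7 with optional '=' padding; require a minimum
# run length so ordinary uppercase words are not flagged.
BASE32_RE = re.compile(r"[A-Z2-7]{32,}={0,6}")


def find_base32_blobs(text: str) -> list:
    """Return candidate Base32 runs found in extracted strings or a dropped file."""
    return BASE32_RE.findall(text)


def decode_blob(blob: str, key: bytes) -> bytes:
    """Base32-decode a blob and XOR it with the candidate key."""
    raw = base64.b32decode(blob, casefold=True)
    return xor_bytes(raw, key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check: a Windows executable starts with the 'MZ' magic."""
    return data[:2] == b"MZ"


def triage(text: str, candidate_keys: list) -> list:
    """Try every candidate key on every blob; report decodes that look like a PE."""
    hits = []
    for blob in find_base32_blobs(text):
        for key in candidate_keys:
            try:
                decoded = decode_blob(blob, key)
            except Exception:  # malformed padding or length: not a real blob
                continue
            if looks_like_pe(decoded):
                hits.append({"key": key, "size": len(decoded), "prefix": decoded[:16]})
                break
    return hits


def suspicious_lure_filename(name: str) -> bool:
    """Hunting filter for the filename self-check pattern quoted in the report
    (a name containing both 'Resume' and '2025')."""
    return "Resume" in name and "2025" in name


if __name__ == "__main__":
    # Constructed usage: the blob embedded in some surrounding text.
    print(triage("config=" + SAMPLE_BLOB + ";end", [b"nope", SAMPLE_KEY]))
    print(suspicious_lure_filename("John_Doe_Resume_2025.pdf.exe"))
```

The key list is meant to be populated from strings recovered during analysis of a specific sample; the PE-magic check is only a first filter, and any hit should be handed to a proper PE parser before drawing conclusions.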
“TransferLoader has been observed dropping Morpheus ransomware at the culmination of its infection chains,” researchers stated, confirming its use in ransomware-as-a-service (RaaS) campaigns.
The overlaps between TA829 and UNK_GreenSec are extensive: shared use of REM Proxy infrastructure, similar phishing lures, domain registration behaviors, and malware deployment via cloud spoofing. And yet, significant differences remain.
This has led Proofpoint to propose several competing hypotheses:
- TA829 and UNK_GreenSec buy infrastructure from the same provider.
- One group subcontracted the other to test new malware.
- Both groups could even be two arms of the same actor, diversifying payloads and goals.
“While there is not sufficient evidence to substantiate the exact nature of the relationship… there is very likely a link between the groups,” Proofpoint concludes.