TA829, a threat actor that has long run financially motivated intrusions and, since Russia's 2022 invasion of Ukraine, espionage campaigns aligned with Russian state interests, has resurfaced with updated tactics, techniques, and procedures (TTPs) and a new version of its RomCom backdoor. The group is a clear example of how the line between cybercrime and espionage has blurred: the same loaders, sending infrastructure, and redirection chains serve both kinds of operation.
TA829: A Hybrid Threat Actor
TA829 operates at the intersection of cybercrime and espionage, sourcing services from the criminal underground and regularly updating a toolset built on the legacy RomCom backdoor. After the 2022 invasion of Ukraine the group added targeted espionage campaigns aligned with Russian state interests while continuing its financially driven attacks. Both lines of activity run on the same automated, scalable processes: frequently rebuilt packers and loaders, varied sending infrastructure, and long redirection chains that complicate detection and attribution.
Sophisticated Phishing Campaigns
Central to TA829's delivery is targeted phishing routed through compromised MikroTik routers that operate as REM Proxy services; the routers typically expose an SSH service on port 51922. Mail is sent from newly created accounts at freemail providers, with the compromised routers serving as the proxy path. The messages are usually plaintext with generic job-seeking or complaint themes, and each carries a unique link that takes the recipient through a redirection chain before the payload is served.
Enhanced Malware Arsenal
TA829's arsenal now includes two updated RomCom variants, tracked as SingleCamper and DustyHammock. Proofpoint researchers describe them as part of a regularly refreshed toolset managed through a single infection-management system. The malware relies on registry-based operations for staging and persistence, and on anti-analysis checks to avoid detonating in sandboxes.
Infection Chain and Evasion Techniques
The infection chain begins with a phishing email that leads to a page spoofing OneDrive or Google Drive; from there the victim downloads SlipScreen, the first-stage loader. SlipScreen is often signed with fraudulent certificates and carries a PDF reader icon. Before doing anything else it checks the registry for at least 55 recent documents: a sandbox that has never opened that many files fails the check and the loader does not proceed, while a genuine user workstation passes. Analysts detonating the sample therefore need a profile with realistic user activity rather than a clean image.
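The following PowerShell is an added example written for this article; it is not code from the Proofpoint report or from TA829's tooling. It reproduces the recent-documents gate from the analyst's side and seeds a detonation VM so the gate passes. It assumes the loader counts entries in Explorer's RecentDocs MRU, which the report does not state explicitly; the 55 threshold is the one the report cites, and `Initialize-RecentDocs`, `Get-RecentDocsCount` and `Test-RecentDocsGate` are names chosen here.

```powershell
# Added example, not code from the report or from TA829's tooling.
# Assumption: the loader counts entries in Explorer's RecentDocs MRU.
$RecentDocsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'

function Get-RecentDocsCount {
    if (-not (Test-Path -Path $RecentDocsKey)) { return 0 }
    # Each opened item is a numbered REG_BINARY value ("0", "1", ...).
    # MRUListEx stores ordering, not an item, so only digit-named values count.
    $names = (Get-Item -Path $RecentDocsKey).GetValueNames()
    return @($names | Where-Object { $_ -match '^\d+$' }).Count
}

function Test-RecentDocsGate {
    param([int]$Minimum = 55)   # threshold reported for SlipScreen
    $count = Get-RecentDocsCount
    [pscustomobject]@{
        RecentDocs     = $count
        Minimum        = $Minimum
        LoaderWouldRun = ($count -ge $Minimum)
    }
}

# Seed the MRU the way Explorer does, via shell32!SHAddToRecentDocs, instead
# of launching dozens of editor windows. SHARD_PATHW (3) takes a Unicode path.
if (-not ('Win32.Shell' -as [type])) {
    Add-Type -Namespace Win32 -Name Shell -MemberDefinition @'
[DllImport("shell32.dll", CharSet = CharSet.Unicode)]
public static extern void SHAddToRecentDocs(uint uFlags, string pv);
'@
}

function Initialize-RecentDocs {
    param([int]$Target = 60, [string]$Folder = (Join-Path $env:TEMP 'seed-docs'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    for ($i = 0; $i -lt $Target; $i++) {
        # Mixed extensions so the per-extension sub-keys look like real use.
        $ext  = @('docx', 'xlsx', 'pdf', 'txt')[$i % 4]
        $file = Join-Path $Folder ("report-$i.$ext")
        Set-Content -Path $file -Value "seed $i"
        [Win32.Shell]::SHAddToRecentDocs(3, $file)
    }
    Get-RecentDocsCount
}

Test-RecentDocsGate
```

Run `Test-RecentDocsGate` on the analysis VM first; if `LoaderWouldRun` is false, call `Initialize-RecentDocs` and re-check before detonating. The seeding goes through the same shell API Explorer uses, so the MRU looks like ordinary use rather than a hand-edited key.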
Advanced Registry-Based Persistence Mechanism
A notable change in the upgraded RomCom chain is persistence through COM hijacking, which lives entirely in the registry. SlipScreen decrypts and executes shellcode in its own memory and contacts command-and-control servers only after the environment checks pass. It then downloads further components, including the RustyClaw or MeltingClaw loaders, which establish persistence by hijacking a COM class.
The hijack writes an InprocServer32 entry such as `SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32`. Because explorer.exe instantiates that class, the malicious DLL is loaded whenever explorer.exe starts, including after a reboot, so the backdoor survives restarts without a service, scheduled task, or Run key. Running inside a trusted, always-present process makes the implant harder to spot and harder to remove cleanly. The same registry-based design lets the malware keep encrypted payloads spread across several registry locations, which complicates forensic recovery.
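The following hunting script is an added example, not code from the Proofpoint report. It looks for per-user COM hijacks of the kind described above. COM resolves `HKCU\Software\Classes` before `HKLM\Software\Classes` for non-elevated processes such as explorer.exe, so a malicious InprocServer32 entry under HKCU takes precedence over the legitimate machine-wide registration without administrative rights. The CLSID in `$KnownClsids` is the one the article names; the hive (HKCU) and the "outside a trusted directory" heuristic are assumptions made here, and `Find-UserComHijacks` is a name chosen for the example.

```powershell
# Added example, not code from the report.
# Assumption: the hijack is registered under HKCU, where per-user class
# registrations override HKLM for medium-integrity processes like explorer.exe.
function Find-UserComHijacks {
    param(
        # CLSID reported for the RomCom hijack; every other HKCU entry is still reviewed.
        [string[]]$KnownClsids = @('{2155fee3-2419-4373-b102-6843707eb41f}')
    )
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userRoot)) { return @() }

    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }

    $findings = foreach ($clsidKey in Get-ChildItem -Path $userRoot) {
        $clsid  = $clsidKey.PSChildName
        $inproc = "$userRoot\$clsid\InprocServer32"
        if (-not (Test-Path -Path $inproc)) { continue }

        $raw = (Get-ItemProperty -Path $inproc).'(default)'
        if (-not $raw) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string]$raw)

        # A per-user key that shadows a machine-wide one is the classic hijack shape.
        $shadowsHklm = Test-Path -Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($dll -like "$root\*") { $inTrusted = $true }
        }

        [pscustomobject]@{
            Clsid          = $clsid
            Dll            = $dll
            DllExists      = (Test-Path -Path $dll -PathType Leaf)
            KnownRomComKey = ($KnownClsids -contains $clsid)
            ShadowsHklm    = $shadowsHklm
            OutsideTrusted = -not $inTrusted
        }
    }

    # Surface anything that hits the reported CLSID, shadows a machine-wide
    # registration, or loads its DLL from a user-writable location.
    $findings | Where-Object { $_.KnownRomComKey -or $_.ShadowsHklm -or $_.OutsideTrusted }
}

Find-UserComHijacks | Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU is per profile. `OutsideTrusted` on its own is noisy: per-user installers legitimately register classes from `%LOCALAPPDATA%`, so weight `ShadowsHklm` and the known CLSID more heavily, and pull the DLL for analysis before deleting the key so the stored payloads are not lost.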
Convergence with UNK_GreenSec and TransferLoader
During a lull in TA829 activity in early 2025, Proofpoint identified a parallel set of campaigns attributed to UNK_GreenSec, a cluster that shares significant infrastructure and delivery TTPs with TA829. These campaigns, which targeted North America with thousands of phishing emails themed around job applications, introduced TransferLoader—a new loader designed for stealth and modular payload delivery.
TransferLoader employs several evasion techniques: filename verification, custom encryption and encoding, and dynamic API resolution from 64-bit DLLs. The loader runs only if specific strings are still present in its filename, which defeats sandboxes and analysis pipelines that rename samples (for example to a hash) before execution.
TransferLoader campaigns use delivery infrastructure similar to TA829's, including REM Proxy services on compromised MikroTik routers and Rebrandly redirectors. UNK_GreenSec, however, protects its infrastructure more carefully, using Cloudflare filtering and dynamic server-side checks to block researchers and automated scanners. Final payloads are often served from IPFS webshares, and infections have led to the deployment of Metasploit and of Morpheus ransomware, reported as an updated HellCat variant.
The overlap in TTPs, infrastructure, and malware between TA829 and UNK_GreenSec complicates attribution. Hypotheses range from both clusters sourcing infrastructure from the same underground providers, to temporary service sharing, or even the possibility that TransferLoader represents a new malware family under development by TA829. The convergence of cybercrime and espionage activities, as exemplified by TA829, underscores the increasing difficulty in distinguishing between financially motivated and state-aligned threat actors in today’s threat landscape.
Indicators of Compromise (IOCs)
To assist organizations in identifying potential compromises, the following domains have been associated with TA829’s activities:
– 1drv[.]site
– 1drv[.]zone
– 1drvms[.]space
– 1drw[.]live
– 1share[.]limited
– file-cloud[.]company
– mspdf[.]live
– onedr[.]expert
– onefile[.]social
– pdf-share[.]pub
– share-doc[.]live
– 1drv-storage[.]pub
– 1drv365[.]live
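The following PowerShell is an added example, not part of the original write-up. It refangs the list above and matches DNS or proxy log entries against it, treating any subdomain of a listed domain as a hit while rejecting look-alikes that merely end in the same letters. The log format (timestamp, client IP, queried name) and the sample lines are constructed for the example, and `Find-IocHits`, `Test-HostMatchesIoc` and `ConvertFrom-Defanged` are names chosen here.

```powershell
# Added example, not from the report. Domains are the defanged list above.
$Ta829Domains = @(
    '1drv[.]site', '1drv[.]zone', '1drvms[.]space', '1drw[.]live',
    '1share[.]limited', 'file-cloud[.]company', 'mspdf[.]live', 'onedr[.]expert',
    'onefile[.]social', 'pdf-share[.]pub', 'share-doc[.]live',
    '1drv-storage[.]pub', '1drv365[.]live'
)

function ConvertFrom-Defanged {
    param([string]$Indicator)
    # Undo common defanging so the indicator can be compared literally.
    $Indicator.ToLowerInvariant().Replace('[.]', '.').Replace('hxxp', 'http').Replace('[:]', ':')
}

function Test-HostMatchesIoc {
    param([string]$HostName, [string[]]$DefangedDomains)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')   # strip trailing dot from FQDN logs
    foreach ($entry in $DefangedDomains) {
        $domain = ConvertFrom-Defanged $entry
        # Exact match or a true subdomain; "notonedr.expert" must not match "onedr.expert".
        if ($h -eq $domain -or $h.EndsWith(".$domain")) { return $domain }
    }
    return $null
}

function Find-IocHits {
    param([string[]]$LogLines, [string[]]$DefangedDomains)
    # Assumed (constructed) log shape: "<timestamp> <client-ip> <query-name>".
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $hit = Test-HostMatchesIoc -HostName $fields[2] -DefangedDomains $DefangedDomains
        if ($hit) {
            [pscustomobject]@{
                Time      = $fields[0]
                Client    = $fields[1]
                Query     = $fields[2]
                Indicator = $hit
            }
        }
    }
}

# Constructed sample: two benign lookups, one direct hit, one subdomain hit,
# and one look-alike that must not match.
$sampleLog = @(
    '2025-06-30T09:12:01Z 10.0.4.21 login.microsoftonline.com',
    '2025-06-30T09:12:05Z 10.0.4.21 onedrive.live.com',
    '2025-06-30T09:13:44Z 10.0.4.37 1drv.site',
    '2025-06-30T09:13:50Z 10.0.4.37 cdn.onedr.expert.',
    '2025-06-30T09:14:02Z 10.0.4.52 notonedr.expert'
)
Find-IocHits -LogLines $sampleLog -DefangedDomains $Ta829Domains | Format-Table -AutoSize
```

Against the sample, the two lines from 10.0.4.37 are reported and the rest are not. Feed real logs by replacing `$sampleLog` with `Get-Content` of the export, and adjust the field index if your log puts the query name elsewhere.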
Organizations should monitor DNS and proxy logs for these domains and their subdomains, and treat the list as a point-in-time snapshot: TA829 rotates sending and redirection infrastructure frequently, so the absence of a hit does not clear a host. Email filtering should be tuned for the campaign shape described above (plaintext job-application or complaint lures from freemail accounts with unique per-recipient links), and endpoint hunting should cover per-user CLSID InprocServer32 entries that load DLLs from user-writable paths. Keeping security controls current and training staff on the latest phishing lures remain important complements to these technical measures.