Doppelgängers? Proofpoint researchers identify significant overlaps between threat actors TA829 and UNK_GreenSec.

Cybersecurity researchers have identified significant tactical overlaps between the threat actors behind the RomCom RAT (tracked as TA829) and a newly observed cluster distributing the TransferLoader malware (tracked as UNK_GreenSec). These groups share infrastructure, delivery methods, and phishing tactics, blurring the lines between cybercrime and state-aligned espionage.

Proofpoint researchers documented extensive parallels in their campaigns. Both relay traffic through REM Proxy services hosted on compromised MikroTik routers. Both use identical email lures (job-seeking themes or complaints) carrying links to actor-controlled domains, spoofed cloud storage landing pages (OneDrive/Google Drive), and malicious PDF icons. And both use similar delivery chains, with multi-step redirects via services like Rebrandly before the payload is deployed.

Relationship Hypotheses

Proofpoint proposed four theories about their connection:

1. Shared infrastructure from a third-party provider.
2. TA829 temporarily leasing infrastructure to UNK_GreenSec.
3. UNK_GreenSec as TA829’s usual infrastructure provider.
4. Both clusters being the same actor testing TransferLoader.

Technical Distinctions

• Payload Execution:
  • TA829 uses the SlipScreen loader for RomCom variants.
  • UNK_GreenSec deploys TransferLoader, which employs:
    • Dynamic API resolution via hashing.
    • XOR-based string decryption.
    • IPFS fallback C2 channels for resilience.
• Objectives: TA829 focuses on Ukraine-targeted espionage since the 2022 invasion, while UNK_GreenSec prioritizes ransomware deployment (e.g., against U.S. law firms).
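The two TransferLoader techniques named above, XOR-based string decryption and API resolution by hash, are what an analyst has to undo to pull indicators (IPFS gateway URLs, DLL names, imported APIs) out of a sample. The following is an added illustration, not Proofpoint's code or anything from TransferLoader itself: the sample blob, its single-byte XOR key, and the ROR13 hash routine are constructed assumptions for the demo, since the page does not disclose the loader's real key or hash function. It shows the analysis side only: recovering encrypted strings by trying every single-byte key and mapping recovered API hashes back to names from a precomputed table.

```python
"""Analyst-side helper for two loader techniques described in the article.

Added example; not Proofpoint's or TransferLoader's own code.
Assumptions (constructed for illustration):
  - strings are NUL-separated and XORed with one single-byte key
  - API names are hashed with classic ROR13 over their ASCII bytes
A real sample's key and hash routine must be recovered from the binary.
"""
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def ror13_hash(name: str) -> int:
    """Assumed API-name hash: rotate-right-13 then add each ASCII byte (32-bit)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(api_names):
    """Precompute hash -> name for the export names we expect a loader to resolve."""
    return {ror13_hash(n): n for n in api_names}


def resolve_api_hashes(hashes, table):
    """Map hashes pulled from a sample back to API names; unknown hashes are flagged."""
    return {h: table.get(h, "<unknown>") for h in hashes}


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_strings(blob: bytes, min_len: int = 6):
    """Try every single-byte key; keep keys that yield NUL-separated printable
    runs of at least min_len characters. Returns {key: [strings]}."""
    results = {}
    for key in range(1, 256):
        plain = xor_decrypt(blob, key)
        found = []
        for chunk in plain.split(b"\x00"):
            if len(chunk) >= min_len and all(chr(c) in PRINTABLE for c in chunk):
                found.append(chunk.decode("ascii"))
        if found:
            results[key] = found
    return results


# Constructed sample: what a loader's string table might hold after decryption.
# The IPFS URL is a placeholder, not a real indicator from the page.
SAMPLE_STRINGS = (
    "https://ipfs.invalid/ipfs/PLACEHOLDER-CID",
    "kernel32.dll",
    "VirtualAlloc",
)
SAMPLE_KEY = 0x5A  # constructed key for the demo
SAMPLE_BLOB = xor_decrypt(
    b"\x00".join(s.encode("ascii") for s in SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY
)

if __name__ == "__main__":
    candidates = recover_strings(SAMPLE_BLOB)
    print("recovered with key 0x%02x:" % SAMPLE_KEY, candidates[SAMPLE_KEY])
    table = build_hash_table(["VirtualAlloc", "LoadLibraryA", "GetProcAddress"])
    wanted = [ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    print("resolved:", resolve_api_hashes(wanted, table))
```

Brute-forcing single-byte keys is noisy on real binaries, so `recover_strings` returns every key that produced something; an analyst ranks candidates by how many recognisable tokens (`.dll`, `http`, known API names) they contain. The decoded strings are the useful output: IPFS gateway hosts and fallback C2 URLs recovered this way become detection content, and the resolved API set (memory allocation, library loading) characterises the loader's behaviour without running it.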