{
	"id": "514232a4-255c-400b-99f3-ecf73e30da5c",
	"created_at": "2026-04-06T00:21:59.682816Z",
	"updated_at": "2026-04-10T13:12:51.126392Z",
	"deleted_at": null,
	"sha1_hash": "1005335d2b1f6beb11591d6d0d1ab9eaa0921a3c",
	"title": "RomCom and TransferLoader IoCs in the Spotlight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 472580,
	"plain_text": "RomCom and TransferLoader IoCs in the Spotlight\r\nBy WhoisXML API (Sponsored Post)\r\nArchived: 2026-04-05 13:40:58 UTC\r\nProofpoint released “10 Things I Hate about Attribution: RomCom vs. TransferLoader” detailing connections\r\nbetween RomCom and TransferLoader. While the researchers said the backdoors were typically used by different\r\ngroups (RomCom by TA829 and TransferLoader by UNK_GreenSec), they did see similarities between the threat\r\nactors’ campaigns.\r\nWhoisXML API further analyzed the campaign infrastructures, specifically the domains used in the attacks, to\r\nspot even more similarities and uncover new artifacts. Our analysis comprises two parts.\r\nThe first part covered our search for typosquatting domains and the similarities between them and the 109\r\ndomains identified as indicators of compromise (IoCs): 20 for RomCom and 89 for TransferLoader. Our search\r\nled to these findings:\r\nFour domain IoCs appeared in five typosquatting groups\r\nEach typosquatting group had 3-8 domains, including one IoC\r\nTyposquatting domain groups were spotted between 650 days before and one day after their current\r\nWHOIS record creation dates\r\nThe second part, meanwhile, covered our search for more insights on the 109 domains identified as IoCs along\r\nwith new connected artifacts. 
Our investigation led to these discoveries:\r\n19 domain IoCs were deemed likely to turn malicious upon registration, 77-271 days prior to the reporting date\r\n3,051 email-connected domains, 28 of which were malicious\r\n28 IP addresses, 27 of which were malicious\r\n17 IP-connected domains\r\n1,682 string-connected domains, 24 of which were malicious\r\nA sample of the additional artifacts obtained from our analysis is available for download from our website.\r\nPart 1: Uncovering Typosquatting Domains\r\nWe began our analysis by looking for domains that not only looked similar to those tagged as IoCs but were also\r\nregistered in bulk along with the IoCs on Typosquatting Data Feed. We discovered that four domains tagged as\r\nIoCs, all tied to TransferLoader, were part of five typosquatting groups. They were included in feed files from\r\nJune 2023 to April 2025.\r\nDOMAIN IoC MALWARE TYPOSQUATTING DATA FEED FILE DATE\r\n1day[.]live TransferLoader 23 June 2023\r\nhttps://circleid.com/posts/romcom-and-transferloader-iocs-in-the-spotlight\r\nPage 1 of 5\n\n1day[.]live TransferLoader 29 September 2023\r\n1drive[.]expert TransferLoader 14 February 2025\r\ndr365[.]live TransferLoader 21 February 2025\r\nlivestorage[.]click TransferLoader 15 April 2025\r\nUpon closer scrutiny, we discovered that each typosquatting group contained 3-8 domains, one of which was an IoC.\r\nTake a look at a sample typosquatting group below with the IoC 1day[.]live.\r\nNote the similarities between the IoC (highlighted in yellow) and the seven look-alike domains in terms of\r\nregistrant country, registrar, and NS provider. All eight domains in the group also shared two IP addresses.\r\nAn even deeper dive into the typosquatting results showed a number of similarities between the 28 domains (i.e.,\r\nfour IoCs and 24 look-alikes). 
Note that the IoC 1day[.]live was mentioned twice because it was bulk-registered\r\nwith two groups, one on 23 June 2023 and the other on 29 September 2023.\r\nCREATION DATE REGISTRAR REGISTRANT COUNTRY\r\n23 June 2023 Google Canada\r\n29 September 2023 GoDaddy U.S.\r\nWe summed up details for the four domains tagged as IoCs and the five typosquatting groups they belonged to\r\nbelow.\r\n1day[.]live appeared in two groups. The first group, comprising three domains, was created on 23 June 2023\r\nin Canada under Google. All of their NSs were also provided by Google. The second group, meanwhile,\r\ncomprised eight domains created on 29 September 2023 in the U.S. under GoDaddy. All of their NSs were\r\nprovided by Domain Control. Interestingly, the domains in the second group also shared two IP addresses\r\n(3[.]33[.]130[.]190 and 15[.]197[.]148[.]33) for around 13 months (September 2023 to October\r\n2024) based on the results of an additional DNS history lookup.\r\n1drive[.]expert appeared in a group comprising six domains created on 14 February 2025. While one\r\ndomain did not have a registrant country on record, the remaining five were split into two countries. Three\r\nwere registered in the U.S. and one in China. The six domains were also administered by three registrars:\r\nthree under Tucows, two under Alibaba, and one under Shanghai Fuhu Information Technology. Lastly,\r\nthey were split across three NS providers: three under System DNS, two under HiChina, and one under\r\nDNS.com. Note that two other look-alike domains shared the IoC’s registrant country, registrar, and NS\r\nproviders. Also, two look-alike domains shared the IoC’s IP address (52[.]72[.]49[.]79) for around five\r\nmonths (May to October 2021) according to an additional historical DNS lookup.\r\nDr365[.]live appeared in a group with four domains created on 21 February 2025. 
While one domain did\r\nnot have a registrant country on record, the remaining three domains were split among three countries. One\r\neach was registered in China, Iceland, and the U.S. The four domains were administered by three registrars:\r\ntwo by Spaceship and one each by Tucows and Snapnames 94. They were split across three NS\r\nproviders: two under Cloudflare and one each under Juming and System DNS.\r\nLivestorage[.]click appeared in a group comprising seven domains created on 15 April 2025 in three\r\ncountries. Four were registered in Japan, two in the U.S., and one in China. The seven domains were\r\nadministered by four registrars: four by GMO Internet Group and one each by DNSPod, Tucows, and\r\nWix. They were split across five NS providers: three under Onamae and one each under AfterNIC,\r\nDNSPod, System DNS, and Wix.\r\nIt is also worth noting that three typosquatting groups related to the IoCs 1drive[.]expert, dr365[.]live, and\r\nlivestorage[.]click shared the U.S. as registrant country, Tucows as registrar, and System DNS as NS provider,\r\nhinting at a shared infrastructure.\r\nFinally, we obtained the current WHOIS records of the four domains tagged as IoCs that appeared in\r\ntyposquatting data feed files via Bulk WHOIS API and found out that three of them (1drive[.]expert, dr365[.]live,\r\nand livestorage[.]click) appeared on the feed a day after their current WHOIS record creation date. 
1day[.]live,\r\nmeanwhile, appeared 650 and 552 days before its current creation date.\r\nDOMAIN IoC TYPOSQUATTING DATE CURRENT WHOIS RECORD DATE\r\n1day[.]live 23 June 2023 3 April 2025\r\n1day[.]live 29 September 2023 3 April 2025\r\n1drive[.]expert 14 February 2025 13 February 2025\r\ndr365[.]live 21 February 2025 20 February 2025\r\nlivestorage[.]click 15 April 2025 14 April 2025\r\nPart 2: Discovering Connected Artifacts\r\nWe started our search for connected artifacts by querying the 109 domains tagged as IoCs on Bulk WHOIS API\r\nand found out that they all had current WHOIS records. Upon closer examination, we discovered that they were\r\nlikely fairly newly registered when they figured in attacks. All of the 20 RomCom domains were\r\ncreated in 2025, specifically between 20 January and 11 June 2025. The 89 TransferLoader domains, meanwhile,\r\nwere created between 2024 and 2025, specifically between 2 October 2024 and 14 April 2025.\r\nThe 20 RomCom domains tagged as IoCs were split across two registrars: 13 under Tucows and seven under\r\nWeb Commerce Communications. The 89 TransferLoader IoCs, meanwhile, were administered by five registrars:\r\n79 by Tucows, four by Web Commerce Communications, three by Hello Internet, two by Eranet International,\r\nand one by Mat Bao.\r\nWhile one RomCom IoC did not have a registrant country on record, the remaining 19 were registered in three\r\ncountries: 14 in the U.S., three in Malaysia, and two in Germany. Fifteen TransferLoader IoCs likewise did not have\r\nregistrant countries on record. The remaining 74 were registered in three countries: 72 in the U.S. and one\r\neach in Hungary and Ukraine.\r\nWe then checked if any of the 109 domains tagged as IoCs appeared on First Watch Malicious Domains Data\r\nFeed. 
We discovered that 27 domains (24 for TransferLoader and three for RomCom) were deemed likely to\r\nturn malicious upon registration. Specifically, they appeared on the feeds 77-271 days prior to being reported as\r\nIoCs on 30 June 2025.\r\nThis post only contains a snapshot of the full research. Download the complete findings and a sample of the\r\nadditional artifacts on our website or contact us to discuss your intelligence needs for threat detection and\r\nresponse or other cybersecurity use cases.\r\nDisclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help\r\nprotect against potential dangers. Consequently, it is possible that some entities identified as “threats” or\r\n“malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly\r\nrecommend conducting supplementary investigations to corroborate the information provided herein.\r\nSource: https://circleid.com/posts/romcom-and-transferloader-iocs-in-the-spotlight",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://circleid.com/posts/romcom-and-transferloader-iocs-in-the-spotlight"
	],
	"report_names": [
		"romcom-and-transferloader-iocs-in-the-spotlight"
	],
	"threat_actors": [
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1cffd968-e48d-4167-9fd3-43ca4d996984",
			"created_at": "2026-02-04T02:00:03.71488Z",
			"updated_at": "2026-04-10T02:00:03.955323Z",
			"deleted_at": null,
			"main_name": "TA829",
			"aliases": [],
			"source_name": "MISPGALAXY:TA829",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1005335d2b1f6beb11591d6d0d1ab9eaa0921a3c.pdf",
		"text": "https://archive.orkl.eu/1005335d2b1f6beb11591d6d0d1ab9eaa0921a3c.txt",
		"img": "https://archive.orkl.eu/1005335d2b1f6beb11591d6d0d1ab9eaa0921a3c.jpg"
	}
}