{
	"id": "f7456390-e2a0-49b7-b2dc-406077f583a0",
	"created_at": "2026-04-06T00:07:33.567185Z",
	"updated_at": "2026-04-10T13:12:08.864599Z",
	"deleted_at": null,
	"sha1_hash": "3572a02db8bcc3666f64a1c9d6ca8ccfabd2740b",
	"title": "Malware Brief: A malware foursome working together",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38758,
	"plain_text": "Malware Brief: A malware foursome working together\r\nBy Barracuda Networks\r\nPublished: 2025-07-21 · Archived: 2026-04-05 22:33:54 UTC\r\nIn today’s Malware Brief we’ll take a quick look at four different examples of malware that have all emerged at about the same time. They demonstrate the complex chain of threats being used together, sometimes by different groups for disparate purposes.\r\nIn this case, all four — RomCom RAT, TransferLoader, MeltingClaw and DustyHammock — were identified in the early 2020s following the Russian invasion of Ukraine. They were, and are, extensively used by Russian-speaking groups against Ukrainian, Polish and some Russian targets.\r\nRomCom RAT\r\nType: Remote Access Trojan (RAT)\r\nDistribution: Phishing campaigns, compromised URLs, fake software downloads\r\nVariant: SingleCamper\r\nFirst identified: 2022\r\nCommon targets: Primarily deployed against targets in Ukraine\r\nKnown operators: TA829, UAT-5647\r\nRomCom RAT is used by threat actors to create a backdoor for remotely controlling endpoint computers. The Russian-linked TA829 group uses this and other tools for intelligence-gathering as well as financial fraud. This group typically exploits vulnerabilities in Mozilla Firefox and Microsoft Windows to spread RomCom RAT.\r\nOnce a system is compromised with RomCom RAT, the threat actor typically inserts a stealthy loader such as TransferLoader or SlipScreen into it. These loaders are then used to load ransomware into the target system.\r\nRomCom RAT was initially used primarily against Ukrainian and Polish targets by Russian-speaking groups before being adapted to financial crime.\r\nTransferLoader\r\nType: Malware loader\r\nDistribution: Job-application-themed phishing campaigns, RAT compromise\r\nFirst identified: February 2025\r\nKnown operators: UNK_GreenSec, RomCom\r\nTransferLoader combines a downloader, a backdoor, and a backdoor loader to enable threat actors to make changes to compromised systems and insert ransomware or other malware.\r\nIt was first discovered when it was used to load Morpheus ransomware into an American law firm’s system. It has since been used to drop malware such as MeltingClaw and DustyHammock.\r\nTransferLoader has been designed for stealth, using a variety of techniques to avoid detection. When executing downloaded malicious code, it masks its activity by opening decoy PDF files.\r\nMeltingClaw\r\nType: Downloader\r\nVariant: RustyClaw\r\nFirst identified: 2024\r\nKnown operators/creators: RomCom — aka Storm-0978, UAC-0180, Void Rabisu, UNC2596, and Tropical Scorpius\r\nAdvanced spear-phishing campaigns have been used to deliver the downloaders MeltingClaw and its cousin RustyClaw. These then download and install the backdoors DustyHammock or ShadyHammock.\r\nThese stealthy backdoors allow for long-term access to target systems, finding and exfiltrating data or performing other malicious tasks. This tooling has been used for espionage and sabotage against systems in Ukraine during the Russian invasion.\r\nDustyHammock\r\nType: Backdoor\r\nVariant: ShadyHammock\r\nFirst identified: 2024\r\nDustyHammock is designed to communicate with a command-and-control server, perform initial reconnaissance on targeted systems, and allow threat actors to run arbitrary commands and download and place malicious files.\r\nMeant to enable long-term access while evading detection, DustyHammock has been used for data exfiltration and espionage, as well as for sabotage.\r\nSource: https://blog.barracuda.com/2025/07/21/malware-brief-foursome-working-together",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.barracuda.com/2025/07/21/malware-brief-foursome-working-together"
	],
	"report_names": [
		"malware-brief-foursome-working-together"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1cffd968-e48d-4167-9fd3-43ca4d996984",
			"created_at": "2026-02-04T02:00:03.71488Z",
			"updated_at": "2026-04-10T02:00:03.955323Z",
			"deleted_at": null,
			"main_name": "TA829",
			"aliases": [],
			"source_name": "MISPGALAXY:TA829",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3572a02db8bcc3666f64a1c9d6ca8ccfabd2740b.pdf",
		"text": "https://archive.orkl.eu/3572a02db8bcc3666f64a1c9d6ca8ccfabd2740b.txt",
		"img": "https://archive.orkl.eu/3572a02db8bcc3666f64a1c9d6ca8ccfabd2740b.jpg"
	}
}