{
	"id": "fc61c121-4d10-4d96-8ae9-d329d6b7e80c",
	"created_at": "2026-04-06T00:11:26.313656Z",
	"updated_at": "2026-04-10T13:12:39.204693Z",
	"deleted_at": null,
	"sha1_hash": "cca22a54236837206616d5d0a6f25388b23c25bd",
	"title": "10 Things I Hate About Attribution: RomCom vs. TransferLoader | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6333806,
	"plain_text": "10 Things I Hate About Attribution: RomCom vs. TransferLoader |\r\nProofpoint US\r\nPublished: 2025-06-27 · Archived: 2026-04-05 15:42:32 UTC\r\nJune 30, 2025 Greg Lesnewich, Selena Larson, Kelsey Merriman, David Galazin, and the Proofpoint Threat Research Team\r\nThreat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to\r\nidentify, track, and disrupt this activity. \r\nKey takeaways \r\nTA829 conducts a mixture of espionage and cybercriminal operations, which rely on services sourced from the\r\ncriminal underground, and a regularly updated suite of tools built upon the legacy RomCom backdoor.  \r\nWhile tracking TA829, Proofpoint observed a highly similar email campaign and redirection infrastructure set-up.\r\nThis similar campaign deployed a new loader and backdoor dubbed TransferLoader, which Proofpoint currently\r\nattributes to a separate cybercriminal cluster called “UNK_GreenSec”, rather than TA829. \r\nThis blog will show how analysts explored the differences and overlaps between both sets of activity and leave an\r\nopen-ended question around the relationship between these two clusters within the larger criminal and espionage\r\necosystem. \r\nOverview \r\nMost of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based\r\non differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. However, in the case of TA829\r\nand a cluster Proofpoint dubbed “UNK_GreenSec”, there is more ambiguity. TA829 is a cybercriminal actor that\r\noccasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual\r\ncybercriminal cluster.  \r\nTA829 overlaps with activity tracked by third-parties as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis,\r\nTropical Scorpius. 
The UNK_GreenSec cybercriminal cluster does not appear to align with publicly reported activity sets.  \r\nWhile hunting for TA829, Proofpoint observed another actor using an unusual amount of similar infrastructure, delivery\r\ntactics, landing pages, and email lure themes. Initially our researchers clustered this activity as part of TA829, but after\r\nfurther investigation into the infection chain, behaviors, and malware, Proofpoint researchers began tracking this activity as\r\na separate cluster. This report will detail that collision by highlighting overlaps in the activity and malware across both\r\nactors. Additionally, we will explore our hypotheses for why and how these shared traits exist, ranging from both groups\r\nusing a shared infrastructure and delivery provider to a more direct relationship between the two clusters.   \r\nProofpoint researchers observed similarities in the activity described in this report with historical TA505 activity including\r\nlures, URL shorteners, domain patterns, domain registration, and infrastructure. However, we are not attributing to TA505 at\r\nthis time as we are unable to say with high confidence whether TA505 is definitively associated, or whether the actor is\r\nusing strikingly similar TTPs. \r\nIntroduction \r\nTA829 is a unique actor in the threat landscape; its behavior classifies it as a financially-motivated actor but one that also\r\nregularly conducts espionage campaigns using the same custom tool suite. Following the invasion of Ukraine, TA829 began\r\nhttps://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader\r\nPage 1 of 31\n\nconducting targeted espionage campaigns in Ukraine, in alignment with Russian state interests, in addition to its normal\r\ntempo of financially-motivated campaigns. \r\nTA829 activity is unusual in the world of espionage. 
The actor's automated and scaled processes, such as the regular\r\nupdating of packers and loaders, the use of varied sending infrastructure and source addresses for each target, and the use of\r\nextensive redirection chains to detect and evade researchers, are more typical of cybercriminals than of espionage actors.\r\nTA829 conducts regular phishing campaigns to deploy variants of its SingleCamper (aka SnipBot, an updated version of the\r\nRomCom backdoor) malware or its lighter-weight DustyHammock malware. TA829’s higher-end capabilities, such as the\r\nuse of browser or operating-system zero-day exploits, appear reserved for use in dedicated espionage campaigns. It is\r\nunclear if the actor’s capabilities are co-opted for the espionage campaigns, or if there is some other form of guidance or\r\ntasking from the Russian government.  \r\nTA829’s phishing campaigns across both espionage and broad cybercriminal operations have been relatively static since last\r\nyear. Proofpoint observed a small number of campaigns attributed to TA829 throughout 2024, with the group last seen in\r\nOctober. However, TA829 returned to the landscape in February 2025 with its typical TTPs and a more frequent operational\r\ntempo. The activity includes using plaintext emails sent from compromised MikroTik routers via freemail providers,\r\nspoofing of OneDrive or Google Drive links to initiate the infection chains, and leveraging Rebrandly redirectors to\r\ndistinctive landing pages. TA829 likely acquires services and infrastructure from members of the criminal underground,\r\nincluding obfuscation services and domain registrations. Despite integration into the underground economy and buying\r\nsome of its capabilities, the actor also continues to develop custom tooling for its infection chains.  \r\nDuring a lull in TA829 operations in February 2025, a similar set of campaigns also began with the aim of deploying a\r\npreviously unobserved malware payload. 
These campaigns featured the hallmark characteristics of TA829 activity, but\r\ncontained notable differences, including message volumes in the thousands targeting a broader set of industries and\r\ngeographies, lure themes that consistently referenced job applications and hiring, and the unique payload that came to be\r\nknown as TransferLoader. Proofpoint researchers observed four campaigns delivering TransferLoader in the first two weeks\r\nof February 2025. These campaigns, attributed to the temporary cluster named UNK_GreenSec, targeted North America and\r\nranged from a few hundred messages to over two thousand. TransferLoader has been observed dropping Morpheus\r\nransomware at the culmination of its infection chains. \r\nComparing the campaigns \r\nThere are many similarities in the infection chains of UNK_GreenSec and TA829. The following diagram illustrates overlap\r\nin delivery infrastructure, and where the infection chains diverge for payload delivery and malware installation.  \r\nIllustration highlighting delivery and installation for UNK_GreenSec and TA829. \r\nDelivery \r\nBoth actors rely on REM Proxy services, deployed on compromised MikroTik routers, as part of their upstream sending\r\ninfrastructure. Compromised routers typically have port 51922 open hosting an SSH service. Proofpoint does not currently\r\nhave visibility into the method used to compromise these devices, or what the REM Proxy payloads are. REM Proxy\r\ndevices are likely rented to users to relay traffic. In observed campaigns, both TA829 and UNK_GreenSec use the service to\r\nrelay traffic to new accounts at freemail providers to then send to targets. REM Proxy services have also been used by\r\nTA829 to initiate similar campaigns via compromised email accounts.  
\r\nTwo examples of freemail providers being abused to send emails from REM Proxy nodes (UNK_GreenSec campaign, top;\r\nTA829 campaign, bottom). \r\nThe format of the sender addresses is standard across the providers: typically containing a first and last name, and usually\r\nfollowed by two to six digits (some UNK_GreenSec campaigns did not use digits in the sender addresses). Proofpoint\r\nhypothesizes that the actors share an email builder utility that allows the bulk creation and sending of these emails via REM\r\nProxy nodes.  \r\nThe emails in both campaigns consist of plaintext message bodies that contain a link to an actor-controlled domain,\r\neither directly in the body or in an attached PDF, as shown below. The messages are themed around job seeking or\r\ncomplaints against the targeted entity, and the content is generic enough to be re-used across the campaign, but with a\r\nunique link for each target. \r\nEmail lure used by TA829 in February 2025. \r\nEmail lure used by UNK_GreenSec in February 2025. \r\nUpon opening the link, a series of redirectors routes real users to a landing page that spoofs OneDrive or Google Drive. Both\r\nactors use similar domain registration, relying on Rebrandly services and hosting. Campaigns that deployed TransferLoader\r\nused more elaborate protections to filter out research devices and sandboxes and used Cloudflare services to filter traffic.\r\nTA829 previously used Rebrandly redirectors with one-time links on the landing pages, but in March 2025, the actor\r\nadopted filtering practices previously used in UNK_GreenSec campaigns.  
\r\nIn all campaigns for both activity sets, the landing pages display a link to a download site, which in turn drops a signed\r\nloader that spoofs a PDF. At this point, the similarities end as the JavaScript and first-stage malware are distinct between\r\neach cluster, and the infection chains continue to diverge, ending with different payloads. Based on Proofpoint data and\r\npublications from Unit42, Talos, and Zscaler, TA829 and UNK_GreenSec have both deployed PuTTY’s PLINK utility to set\r\nup SSH tunnels, and both used IPFS services to host those utilities in follow-on activity. \r\nThe following table details similarities and differences in the threat actor clusters: \r\nBoth actors  TA829  UNK_GreenSec \r\nTargeted addresses  Individual users  Generic addresses \r\nVolume  300 messages or fewer \r\nHundreds to thousands of\r\nmessages \r\nLure themes \r\nJob application \r\n \r\nResume \r\nHarassment \r\n \r\nSecurity breaches \r\nMedication complaints \r\nJob complaints \r\nEmail senders \r\nGeneric email addresses\r\nfrom freemail providers  \r\nCompromised senders \r\nDifferent aliases per message \r\nAlternates between single\r\nalias and multiple aliases \r\nUpstream\r\ninfrastructure \r\nREM Proxy nodes\r\n(Compromised MikroTik\r\nrouters) \r\nEmail body \r\nSubjects and emails are\r\nsimilar in patterns,\r\nstructure, and content \r\nNeither uses HTML in the\r\nmessage body \r\nBoth use a URL in the\r\nmessage body \r\nUses only URLs in the email\r\nbody \r\nUses PDF attachments in\r\naddition to URLs in the\r\nemail body \r\nFilenames \r\nOften references the\r\ncurrent date \r\nConsistent with campaign\r\ntheme \r\nMore varied themes and\r\nfilename patterns \r\nResume-themed filename \r\nOften contains “resume”\r\nand “2025”  \r\nDomain usage \r\nOperationalized 1-3 days after\r\nregistering \r\nOperationalized day 
after\r\nor same day as registered \r\nRedirector usage  Rebrandly  Unitag  Bitly \r\nHTML landing \r\nUse similar landing pages\r\nthat spoof OneDrive \r\nContains links to a hosting\r\nservice to deliver the payload \r\nRedirects to a PHP\r\nbackend to deliver the\r\npayload \r\nFiltering \r\nVaried, introduced improved\r\nfiltering after UNK_GreenSec\r\ncampaigns \r\nUses Cloudflare \u0026 server-side filtering \r\nPayloads \r\nMalware payload spoofs\r\nPDF reader \r\nSigned executables \r\n \r\nMalware checks own\r\nfilename \r\nFirst stage uses shellcode to\r\ncheck registry for recent\r\ndocuments and download next\r\nstage \r\nFirst stage loads embedded\r\npayload from encrypted\r\nPE section \r\nFollow-on (per\r\nProofpoint visibility\r\nand external reporting) \r\nHosted on IPFS \r\nPLINK \r\nMetasploit \r\nMorpheus ransomware \r\nComparison of UNK_GreenSec and TA829 campaigns and infection chains. \r\nTA829: RSVP and Check Out Our Registry \r\nIf a user clicks the link in a TA829 email, they are routed through a TA829 first stage redirector domain, then a Rebrandly\r\nredirector, onto a landing page that spoofs either Google Drive or OneDrive. If the user clicks the download button, an\r\nexecutable is dropped from another domain. Previously, TA829 relied on Temp.Sh to host the first stage executable but has\r\nsince relied on compromised domains or MediaFire services to host the payload. This downloaded executable initiates the\r\ninfection chain. \r\nTA829 OneDrive themed landing page (left). TA829 Google Drive themed landing page (right). \r\nThe TA829 infection chain relies heavily on the registry in its operations as noted by Cisco Talos and Palo Alto’s Unit42; it is\r\nused for storing additional payloads, persistence, and validating the loader is not running in a sandbox. 
The first stage loader\r\nis a family Proofpoint tracks as SlipScreen. It is invalidly signed and uses a PDF reader icon to convince the target to\r\nexecute it. We have observed SlipScreen variants written in Rust and other variants in C++, and its crypter is updated for\r\neach campaign, making static detection difficult.  \r\nSlipScreen decrypts and loads shellcode into its own memory space and initiates communications with the command and\r\ncontrol (C2) server after an initial registry check is made to ensure the targeted computer has at least 55 recent documents\r\naccording to the Windows Registry (to avoid running in a sandbox).  \r\nSlipScreen shellcode registry checks. \r\nTA829 will either deliver an updated version of the RustyClaw loader or an updated version of the MeltingClaw loader (aka\r\nDAMASCENED PEACOCK); both will be downloaded and run in the same process address space, and can lead to either\r\nDustyHammock or SingleCamper backdoors.  \r\nInitial analysis suggested these different malware families were used exclusively for either espionage (SingleCamper) or\r\ncybercrime (DustyHammock); however, later campaigns have shown both infection chains used in financially-motivated\r\nintrusions. SingleCamper campaigns observed in 2025 have similarities to DustyHammock campaigns, which obscures the\r\nassessment of campaign objectives.  \r\nAs part of the infection chain leading to DustyHammock, the RustyClaw DLL first executes within the SlipScreen process\r\nspace, and then sets a registry key to store the path to the next-stage payload. The RustyClaw DLL will then beacon to the\r\nC2 server to download the DustyHammock backdoor to that file location and restart the explorer.exe process. The set\r\nregistry key will execute the DustyHammock backdoor as part of its restart, via COM hijacking.   
\r\nExample keys used in COM hijacking: \r\nSOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32 \r\nSOFTWARE\\Classes\\CLSID\\{30d49246-d217-465f-b00b-ac9ddd652eb7}\\InprocServer32 \r\nSOFTWARE\\Classes\\CLSID\\{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}\\InprocServer32 \r\nDustyHammock is a minimalist backdoor that can run commands via cmd.exe, as well as download and execute additional\r\nfiles. The beacon structure of the DustyHammock communications is highly similar to that of SingleCamper, which suggests\r\nthat both variants can be administered from the same panel. ProDaft’s reporting on the group showed the various bot IDs\r\nfrom DustyHammock (RUSTY, GAGA1) and SingleCamper (VIVAT, CMPN) infections, providing further evidence that\r\nTA829 uses a unified infection management tool.  \r\nComparing beacon structure of DustyHammock (top) and SingleCamper (bottom). \r\nProofpoint also observed DustyHammock (internal DLL name mmngr.dll) execute commands from a C2 that followed the\r\nbeacon structure and automated reconnaissance commands Talos described as used by SingleCamper. Proofpoint observed a\r\nvariant of DustyHammock deploy a network reconnaissance DLL written in Rust (internal name extra.dll, spoofed\r\nDataFileSystemDiagnostic) to gather victim information, which effectively operated as a wrapper for the Windows commands\r\nipconfig, systeminfo, and tasklist. It is possible TA829 operators were testing a plug-in variant. \r\nDustyHammock network traffic running shell commands. \r\nIn April 2025, TA829 shifted to using the ShadyHammock and SingleCamper tool suite in its financially-motivated\r\ncampaigns. 
TA829 campaigns also began to target organizations in defense and other related industries typically more\r\nindicative of espionage, alongside the sectors typically targeted in the group's cybercriminal operations. The\r\nShadyHammock infection chain also implements more protections than the DustyHammock infection chains by encrypting\r\nfollow-on payloads with keys derived from information about the victim host. \r\nThe SingleCamper infection chain uses multiple DLLs all built from the same base harness. The files have the same startup routine,\r\nusing the same API-hashing algorithm, string decryption routine, and function to query WMI for information about the host.\r\nDLLs built from this harness will use WMI queries to gather the host’s ProcessorID and Serial Number. Some samples of an\r\nolder variant of SlipScreen from August 2024 also share this API-hashing function. The ProcessorID and Serial Number are concatenated and\r\nhashed, and that 16-byte hash is used as key material for decrypting additional stages, as well as to validate communications\r\nbetween the C2 and the loader. \r\nConsistent API-hashing algorithm in TA829 DLLs. \r\nThe first of these DLLs, MeltingClaw, will send a POST request to the C2 server with the string\r\n“get_module_test_msg_module” and the 16-byte hash appended to the request. The C2 responds with a padded, encrypted\r\ndata blob (keyed to the 16-byte host hash), which is packed to remove the padding, split into chunks, and then written to\r\nmultiple locations in the registry.  \r\nMeltingClaw HTTP packets requesting encrypted SingleCamper payload. 
\r\nThis data is then packed into the registry across four registry keys: \r\nHKEY_CURRENT_USER\\Control Panel\\Cursors\\BackupData\\Binary \r\nHKEY_CURRENT_USER\\Control Panel\\Colors\\FontColor\\Binary \r\nHKEY_CURRENT_USER\\Environment\\Cache\\Binary \r\nHKEY_CURRENT_USER\\Keyboard Layout\\Preload\\OldConfig\\Binary \r\nMeltingClaw then sends a second request with the string “get_module_test_load_module” and the aforementioned\r\nhash value; the C2 returns the ShadyHammock DLL in plaintext and MeltingClaw writes it to disk, then sets up\r\nCOM hijacking to have the DLL executed after explorer.exe is restarted. \r\nThe ShadyHammock DLL (internal DLL name: loader_moder.dll) reads and decrypts the registry contents, and uses a\r\nshellcode loader to deploy a newer version of the SingleCamper backdoor into memory (internal DLL\r\nname message_module.dll). The backdoor sets the mutex Global\\srvmutex and conducts host reconnaissance prior to\r\nconnecting to the same C2 server to check in.  \r\nThe backdoor enters a beacon-sleep loop to connect to the C2. The server sends back a consistent response instructing the\r\nbackdoor to continue sleeping until an operator issues a command, which the backdoor would then execute. If the\r\nresponse is less than 16 bytes or the outbound request fails, the backdoor increments a failure counter; once 30 failures are\r\nreached, the backdoor cleans up portions of the infection chain and deletes itself.  \r\nSingleCamper heartbeat beacon. \r\nThe SingleCamper backdoor has an extensive set of commands that can be passed back from the C2, as noted by both Talos\r\nand Unit42.  
Both SingleCamper and DustyHammock are used as main footholds in the targeted host to further compromise\r\nthe victim networks by downloading additional tooling from InterPlanetary File System (IPFS) or issuing reconnaissance\r\ncommands. This can facilitate data theft and deployments of ransomware, both of which have their uses in espionage and\r\ncriminal campaigns.  \r\nUNK_GreenSec Deploying TransferLoader \r\nWhile monitoring for TA829 campaigns, we observed a different downloader being distributed by a highly similar infection\r\nchain in February 2025. This downloader became known as TransferLoader, and was documented by Zscaler. Campaigns\r\ndistributing TransferLoader generally begin with emails regarding a fake candidate pursuing a role at the recipient’s\r\ncompany. Like TA829 campaigns, the senders are generic, fake individuals rather than real, compromised users. The email\r\nbodies commonly contain either a link, or a PDF with a link, to what the sender claims to be a resume or portfolio, hosted on\r\nan actor-controlled server.  \r\nUNK_GreenSec email lure leading to TransferLoader. \r\nExample of PDF content with a link leading to TransferLoader. \r\nClicking on the link initiates the Rebrandly redirection chain observed in both UNK_GreenSec and TA829 campaigns. Once\r\nthe download button is clicked, a signed executable is downloaded from an IPFS webshare. Like SlipScreen, the\r\nTransferLoader executable has a PDF icon and a filename consistent with the job-seeking theme.  \r\nUNK_GreenSec landing page. \r\nThe primary objectives of TransferLoader are to evade detection and load additional payloads. 
The malware contains many\r\ndistinguishing characteristics, such as verifying filenames from XOR-encoded strings, custom implementations of\r\nencryption and encoding algorithms, dynamically resolved API hashes from 64-bit DLLs, encrypted data stored in file\r\nsections with distinct names, infection chains, and follow-on payloads. \r\nThe strings are XOR-encrypted to assist obfuscation. At runtime, stack strings are resolved and XORed with an 8-byte key\r\nfollowing the strings. In this first stage, the decrypted strings contain important variables, such as the filename used in the\r\nfilename check, a custom alphabet to be used in Base32 decoding, the AES key used in a custom AES implementation, and\r\nthe name of the section that houses encrypted data.   \r\nTransferLoader first checks if the filename has been changed. Most filenames observed in 2025 have contained the strings\r\n“Resume” or “Professional”, and “2025”. It is common for filenames to be changed by cybersecurity analysts, automation\r\ntools, and detection tools during the analysis process for multiple reasons. The malware will only run if the expected strings\r\nremain in the filename. \r\nTransferLoader checking its own filename. \r\nThe malware dynamically resolves API hashes from 64-bit DLLs, a technique used by malware that aids in evading\r\ndetection. Instead of storing API function names (like LoadLibraryA or GetProcAddress) as readable strings, the malware\r\nstores a 64-bit hash of the function name. At runtime, it scans loaded modules (like kernel32.dll), hashes each exported\r\nfunction name, and compares the result to the stored hash. When a match is found, it resolves the actual address of the API\r\nfunction without ever exposing the function name in clear text. 
This method obscures which APIs the malware uses, making\r\nstatic analysis and signature-based detection harder. TransferLoader first loads and checks two APIs. If successful, it\r\ncontinues resolving the rest. \r\nNext, the malware uses an XOR-decrypted string to locate the name of the section that holds the encrypted data for the next\r\nstage. Recurring section names observed in early 2025 include “.green”, “.secenc”, and “.dbg”. Once located, the encrypted\r\ndata is decoded using Base32 and a custom alphabet found in the XOR-decrypted strings. The Base32-decoded data is then\r\ndecrypted with a custom AES implementation, using a key also found in the XOR-decrypted strings, to produce the next\r\nstage, often a downloader or backdoor module described by Zscaler. \r\nExample TransferLoader PCAP. \r\nProofpoint researchers observed TransferLoader dropping Metasploit, with third-party researchers reporting TransferLoader\r\ninfections leading to Morpheus ransomware, which is likely an updated version of HellCat ransomware.  \r\nIn June 2025, UNK_GreenSec activity resumed with new versions of TransferLoader and an updated but similar infection\r\nchain. In the new campaigns, REM Proxy nodes send messages through a freemail provider. The messages contain links to\r\nAWS S3 buckets that redirect to either a compromised WordPress site or an actor-controlled fake hiring domain. Both\r\ndomains then redirect to a familiar OneDrive-esque landing page. This replaces the earlier pattern of sending emails with links to actor-controlled\r\ndomains that used Rebrandly redirectors prior to the OneDrive spoofing landing page. \r\nComparing the infrastructure \r\nUNK_GreenSec campaigns were initially more mature in their infrastructure protection habits. 
Unlike the TA829\r\ncampaigns, the TransferLoader campaigns’ JavaScript components redirected users to a different PHP endpoint on the same\r\nserver, which allows the operator to conduct further server-side filtering. UNK_GreenSec used a dynamic landing page,\r\noften irrelevant to the OneDrive spoof, and redirected users to the final payload that was stored on an IPFS webshare.  \r\nUNK_GreenSec download JavaScript. \r\nAdditionally, the TransferLoader campaigns introduced Cloudflare checks to prevent automated link following from finding\r\nthe download pages. TA829 campaigns eventually adopted this practice. TA829 landing pages will return a static splash\r\npage if the link has already been used, presumably by the victim.  \r\nThe JavaScript on the landing page for TA829 campaigns has been consistent since the middle of 2024 and redirects users\r\nfurther to either third-party hosting sites, such as MediaFire or Temp.Sh, or to compromised domains to host the first-stage\r\npayload.  \r\nTA829 download JavaScript. \r\nThe first-stage redirection domains for both actors were registered via Tucows and hosted on dedicated Rebrandly\r\ninfrastructure. Both actors use nginx for the landing page. TA829’s C2 domains are fronted by Cloudflare, but\r\nthe backend is typically hosted on ShockHosting or Aeza International ASNs, using OpenResty. Late-stage\r\nTA829 components follow the aforementioned HTTP-based beaconing and command execution structure. \r\nUNK_GreenSec landing pages and C2 infrastructure are typically directly hosted on Aeza servers and are registered via\r\nthe WebNic registrar. The UNK_GreenSec landing pages and the C2s use nginx running on Ubuntu. 
TransferLoader traffic\r\nuses custom HTTP headers as well as a TCP-based protocol to communicate with its C2 servers. While these differences\r\nmay be subtle, they can potentially help differentiate the infrastructure from one actor to the other.  \r\nBoth actors  TA829  UNK_GreenSec \r\nFirst stage domains \r\nTucows registrar \r\nRebrandly hosting \r\nLanding page domains \r\nNginx servers \r\nCloudflare proxied \r\nTucows registrar \r\nShockhosting hosting \r\nWebNic registrar \r\nAeza hosting \r\nPayload hosting \r\nCompromised domains \r\nTemp.Sh \r\nMediaFire \r\nIPFS \r\nC2 infrastructure \r\nWebNic registrar \r\nAeza hosting \r\nHTTP-based protocol \r\nShockhosting hosting \r\nOpenResty \r\nHTTP and TCP-based protocols \r\nNginx on Ubuntu \r\nCompeting hypotheses \r\nThe investigation of both sets of activity raises questions of whether these actors are related or the overlap is coincidental.\r\nThe overlaps include similarities in TTPs, infrastructure, and malware. The timing of UNK_GreenSec activity during a TA829 break\r\nand the connection to Morpheus and HellCat ransomware further reinforce the possibility of a relationship between\r\nUNK_GreenSec and TA829. \r\nThe data points in totality lead to the following potential hypotheses:  \r\nTA829 and UNK_GreenSec buy distribution and infrastructure from the same third-party provider; \r\nTA829 procures and distributes its own infrastructure, and provided those services temporarily to UNK_GreenSec; \r\nUNK_GreenSec is the infrastructure and distribution provider that normally sells to TA829 operators, and\r\ntemporarily used those services to deploy its own malware, TransferLoader; \r\nThe two clusters are the same actor, and TransferLoader is a new family in a testing phase from TA829. \r\nConclusion \r\nHistorically, cybercrime and espionage operations have remained relatively distinct with divergent motivations. 
While there\r\nwere some notable exceptions – such as cybercriminal malware like DanaBot and Sunseed being used for espionage, and\r\ncriminal operators working for government sponsors – overall the objectives could largely be clearly defined and attributed.\r\n(One country that has always found itself outside of this dichotomy is North Korea, where threat actors conduct both\r\nespionage and crime to steal money on behalf of the regime.) \r\nIn the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing\r\nthe distinctive barriers that separate criminal and state actors. Campaigns, indicators, and threat actor behaviors have\r\nconverged, making attribution and clustering within the ecosystem more challenging. \r\nWhile there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and\r\nUNK_GreenSec, there is very likely a link between the groups. Proofpoint will continue to track both activity sets separately\r\nand investigate further developments and overlaps in both groups’ TTPs. 
\r\nIndicators of compromise \r\nIndicator  Type  Context  First seen \r\n1drv[.]site  Domain  TA829 first stage domain  October 2024 \r\n1drv[.]zone  Domain  TA829 first stage domain  October 2024 \r\n1drvms[.]space  Domain  TA829 first stage domain  October 2024 \r\n1drw[.]live  Domain  TA829 first stage domain  February 2025 \r\n1share[.]limited  Domain  TA829 first stage domain  February 2025 \r\nfile-cloud[.]company  Domain  TA829 first stage domain  February 2025 \r\nfile-share[.]works  Domain  TA829 first stage domain  February 2025 \r\nhealthfy[.]bio  Domain  TA829 first stage domain  February 2025 \r\nmspdf[.]live  Domain  TA829 first stage domain  February 2025 \r\nonedr[.]expert  Domain  TA829 first stage domain  February 2025 \r\nonefile[.]social  Domain  TA829 first stage domain  February 2025 \r\npdf-share[.]pub  Domain  TA829 first stage domain  February 2025 \r\nshare-doc[.]live  Domain  TA829 first stage domain  February 2025 \r\n1drv-storage[.]pub  Domain  TA829 first stage domain  February 2025 \r\n1drv365[.]live  Domain  TA829 first stage domain  February 2025 \r\n1drvfiles[.]online  Domain  TA829 first stage domain  February 2025 \r\n365drv[.]live  Domain  TA829 first stage domain  February 2025 \r\ndrive-share[.]pub  Domain  TA829 first stage domain  February 2025 \r\nmy1drv[.]online  Domain  TA829 first stage domain  February 2025 \r\nmyonedrive365[.]live  Domain  TA829 first stage domain  February 2025 \r\nondrve[.]live  Domain  TA829 first stage domain  February 2025 \r\npdf-storage[.]pub  Domain  TA829 first stage domain  February 2025 \r\nsharepdf[.]limited  Domain  TA829 first stage domain  February 2025 \r\nstoragedrive[.]pub  Domain  TA829 first stage domain  February 2025 \r\nd1rv[.]social  Domain  TA829 first stage domain  February 2025 \r\ndr365[.]live  Domain  TA829 first stage domain  February 2025 \r\nmy-356drv[.]online  Domain  TA829 first stage domain  February 2025 \r\n1drive-work[.]online  Domain  TA829 first stage domain  February 2025 \r\nshare-pdf[.]live  Domain  TA829 first stage domain  February 2025 \r\n1drvcloud[.]online  Domain  TA829 first stage domain  February 2025 \r\nfile-acess[.]live  Domain  TA829 first stage domain  February 2025 \r\n1drv-team[.]works  Domain  TA829 first stage domain  February 2025 
\r\nworkspace-doc[.]live  Domain  TA829 first stage domain  March 2025 \r\nondv[.]live  Domain  TA829 first stage domain  March 2025 \r\nmy1drv[.]live  Domain  TA829 first stage domain  March 2025 \r\ngdrive-share[.]online  Domain  TA829 first stage domain  March 2025 \r\n1dv365[.]live  Domain  TA829 first stage domain  March 2025 \r\n365msdrv[.]live  Domain  TA829 first stage domain  March 2025 \r\ncloud-pdf[.]online  Domain  TA829 first stage domain  March 2025 \r\ndrivestorage[.]online  Domain  TA829 first stage domain  March 2025 \r\n1drv365[.]online  Domain  TA829 first stage domain  March 2025 \r\nmy-drive365[.]pub  Domain  TA829 first stage domain  March 2025 \r\ngdl-cloud[.]works  Domain  TA829 first stage domain  March 2025 \r\ngdrvdocs[.]online  Domain  TA829 first stage domain  March 2025 \r\ndvfilesync[.]pub  Domain  TA829 first stage domain  March 2025 \r\nstorage-hub[.]pub  Domain  TA829 first stage domain  March 2025 \r\ndata-dv[.]live  Domain  TA829 first stage domain  March 2025 \r\ngworkspace[.]social  Domain  TA829 first stage domain  March 2025 \r\ndiskstorage[.]click  Domain  TA829 first stage domain  March 2025 \r\n365work[.]chat  Domain  TA829 first stage domain  March 2025 \r\nonedrweb[.]live  Domain  TA829 first stage domain  March 2025 \r\npdfshare[.]click  Domain  TA829 first stage domain  March 2025 \r\ndocumentapproved[.]click  Domain  TA829 first stage domain  March 2025 
\r\ncloudly[.]live  Domain  TA829 first stage domain  April 2025 \r\ndrsync[.]click  Domain  TA829 first stage domain  April 2025 \r\ndrshare[.]online  Domain  TA829 first stage domain  April 2025 \r\ndrivenc[.]pub  Domain  TA829 first stage domain  April 2025 \r\ndrivehub[.]live  Domain  TA829 first stage domain  April 2025 \r\n1day[.]live  Domain  TA829 first stage domain  April 2025 \r\nonestorelink[.]live  Domain  TA829 first stage domain  April 2025 \r\n1dcloud[.]live  Domain  TA829 first stage domain  April 2025 \r\ndrivepoint[.]pub  Domain  TA829 first stage domain  April 2025 \r\nsite-staff[.]sale  Domain  TA829 first stage domain  April 2025 \r\ndriveshare[.]pub  Domain  TA829 first stage domain  April 2025 \r\ncloudlive[.]pub  Domain  TA829 first stage domain  April 2025 \r\ndvcloud[.]live  Domain  TA829 first stage domain  April 2025 \r\ndrivepublic[.]live  Domain  TA829 first stage domain  April 2025 \r\nsharedrive[.]pub  Domain  TA829 first stage domain  April 2025 \r\ndrivehost[.]live  Domain  TA829 first stage domain  April 2025 \r\nonlinedrive[.]click  Domain  TA829 first stage domain  April 2025 \r\nlivestorage[.]click  Domain  TA829 first stage domain  April 2025 \r\nmydrv1[.]live  Domain  TA829 first stage domain  April 2025 \r\n1dv[.]online  Domain  TA829 first stage domain  April 2025 
\r\n1drv.eu[.]com  Domain  TA829 landing page  October 2024 \r\nms.share-onedr[.]com  Domain  TA829 landing page  February 2025 \r\ndatadrv1[.]com  Domain  TA829 landing page  February 2025 \r\nonelivedrv[.]com  Domain  TA829 landing page  March 2025 \r\nclouderive[.]com  Domain  TA829 landing page  April 2025 \r\ncloud1dv[.]com  Domain  TA829 landing page  April 2025 \r\n1dvstorage[.]com  Domain  TA829 landing page  April 2025 \r\njournalctl[.]website  Domain  TA829 C2  October 2024 \r\ndrivedefend[.]com  Domain  TA829 DustyHammock C2  February 2025 \r\nconsvcprivacy[.]com  Domain  TA829 DustyHammock C2  February 2025 \r\nopendnsapi[.]net  Domain  TA829 DustyHammock C2  March 2025 \r\nmngersrv[.]com  Domain  TA829 DustyHammock C2  March 2025 \r\nsupportcausems[.]com  Domain  TA829 SingleCamper C2  February 2025 \r\ndeliverycitylife[.]com  Domain  TA829 SingleCamper C2  April 2025 \r\nmsvhost[.]com  Domain  TA829 SingleCamper C2  April 2025 \r\nlauradream[.]com  Domain  TA829 SingleCamper C2  April 2025 
\r\n1drive[.]bio  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drive[.]expert  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drive[.]pub  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drive[.]social  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drive[.]works  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drivecloud[.]click  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drivecloud[.]live  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drivems[.]expert  Domain  UNK_GreenSec first stage domain  February 2025 \r\n1drivems[.]works  Domain  UNK_GreenSec first stage domain  February 2025 \r\nonedrivecloud[.]click  Domain  UNK_GreenSec first stage domain  February 2025 \r\nonedrivecloud[.]expert  Domain  UNK_GreenSec first stage domain  February 2025 \r\nonedrivecloud[.]live  Domain  UNK_GreenSec first stage domain  February 2025 \r\nonedrivecloud[.]net  Domain  UNK_GreenSec first stage domain  February 2025 \r\nonedrivems[.]works  Domain  UNK_GreenSec first stage domain  February 2025 \r\nonedrivems[.]cloud  Domain  UNK_GreenSec landing page  February 2025 \r\n1drv[.]world  Domain  UNK_GreenSec landing page  February 2025 \r\n1drv[.]me  Domain  UNK_GreenSec landing page  June 2025 \r\n1drv[.]biz  Domain  UNK_GreenSec landing page  June 2025 \r\ntemptransfer[.]live  Domain  TransferLoader C2  February 2025 \r\ncdngateway[.]us  Domain  TransferLoader C2  June 2025 
\r\nMalware Indicators \r\nGMC CONSTRUCTION AND TRADING COMPANY LIMITED (SHA1: c8cbb1eaae2fd97fa811ece21655e2cb96510255)  Certificate  SlipScreen code signing certificate  April 2025 \r\nTC SOYUZPLIT LLC (SHA1: d8b04523d86270ce8bf8a834d7da22829f1a8d16)  Certificate  SlipScreen code signing certificate  March 2025 \r\nAPPRAISAL PHARMACEUTICALS (OPC) PRIVATE LIMITED (SHA1: 5238c4815c13f9d26ad6fa46aec6cc55671cb16e)  Certificate  SlipScreen code signing certificate  February 2025 \r\nGuangzhou VW Science and Technology Ltd. Co (SHA1: 24bd135b92a95c0e7f9967f6372bbe4bc99d9f84)  Certificate  SlipScreen code signing certificate  February 2025 \r\nFUTURICO LLC (SHA1: cff9e5fee264dd58dbd6a3165322807248d3a1b2)  Certificate  SlipScreen code signing certificate  October 2024 \r\n1c6a5476d485d311be1e07c2e0d2ae322214caa5d4f84398d4169d499105b01a  SHA256  MeltingClaw  April 2025 \r\nfba9f2c351e898bfc61c8b1181020212ccb9e55041c4dd433ca2867dbf796469  SHA256  MeltingClaw  April 2025 \r\n3a234b49b834849689da477f77ca6363b40ee83e58213ee51b1ec248da90a543  SHA256  ShadyHammock  April 2025 \r\ne7917ff12114be5c79ca9bd0082eb628192c2ebfbee7aad2ae626ea208ee37cf  SHA256  ShadyHammock  April 2025 \r\n6d5226cba687d99ce14eda8de290edd470e79436625618559c8db1458a53666c  SHA256  DustyHammock  N/A \r\n7e51eb44cfd945f4a155707f773fae3207ebfb59d45ea866ba69bd9bc28dfc32  SHA256  DustyHammock  N/A \r\nf5f2761278163a1a813356666cb305fe37806f5f633b2a5475997f10d24fb3d4  SHA256  DustyHammock  N/A 
\r\ncd526475391c375e8e40f0146146672928db9bbf210acb41e0fd41381cd5eb9a  SHA256  DustyHammock  N/A \r\n54a94c7ec259104478b40fd0e6325d1f5364351e6ce1adfd79369d6438ed6ed9  SHA256  SingleCamper  N/A \r\n8f3b065e6aa6bc220867cdcb1c250c69b2d46422c51f66f25091f6cab5d043de  SHA256  SingleCamper  N/A \r\n7fc65b23e0a85f548e4268b77b66a3c9f3d08b9c1817c99bc1336d51d36e1ec6  SHA256  SingleCamper  N/A \r\n07b9e353239c4c057115e8871adc3cfb42467998c6b737b28435ecc9405001c9  SHA256  SingleCamper  N/A \r\nNEXTGENSOFTWARE COMPANY LIMITED (SHA1: 2b301191aa9e1d2c8e3eefd38b6eb1952b1fce88)  Certificate  SlipScreen code signing certificate  February 2025 \r\nCommon Brothers LTD (SHA1: d890d4b40ce56f90b9ea168bf6d7bf5043a47319)  Certificate  SlipScreen code signing certificate  June 2025 \r\n00385cae3630694eb70e2b82d5baa6130c503126c17db3fc63376c7d28c04145  SHA256  TransferLoader  February 2025 \r\n33971df8f5c34c3c79f64e2e28e300260499285bd37f77295ba88897728ace4b  SHA256  TransferLoader  June 2025 \r\nET Rules \r\n2862007 - TA829 CnC Check-in - RDPE1 Variant \r\n2862008 - TA829 CnC Check-in - RUSTY Variant \r\n2862009 - TA829 CnC Check-in - VIVAT Variant \r\n2862010 - TA829 CnC Check-in - CMPN1 Variant \r\n2862011 - TA829 CnC Check-in - GAGA1 Variant \r\n2862012 - TA829 Requesting Next Stage \r\n2862013 - TA829 Requesting Next Stage \r\n2862005 - TA829 CnC Check-in With Unknown Identifier String \r\n2063154 - TransferLoader User-Agent Observed (Microsoft Edge/1.0) \r\n2063155 - TransferLoader Custom HTTP Header and Values Observed (X-Custom-Header) \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader"
	],
	"report_names": [
		"10-things-i-hate-about-attribution-romcom-vs-transferloader"
	],
	"threat_actors": [
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1cffd968-e48d-4167-9fd3-43ca4d996984",
			"created_at": "2026-02-04T02:00:03.71488Z",
			"updated_at": "2026-04-10T02:00:03.955323Z",
			"deleted_at": null,
			"main_name": "TA829",
			"aliases": [],
			"source_name": "MISPGALAXY:TA829",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434286,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cca22a54236837206616d5d0a6f25388b23c25bd.pdf",
		"text": "https://archive.orkl.eu/cca22a54236837206616d5d0a6f25388b23c25bd.txt",
		"img": "https://archive.orkl.eu/cca22a54236837206616d5d0a6f25388b23c25bd.jpg"
	}
}