10 Things I Hate About Attribution: RomCom vs. TransferLoader
Threat Research would like to acknowledge and thank the Paranoids, Spur, and Pim Trouerbach for their collaboration to identify, track, and disrupt this activity.
Key takeaways
TA829 conducts a mixture of espionage and cybercriminal operations, which rely on services sourced from the criminal underground, and a regularly updated suite of tools built upon the legacy RomCom backdoor.
While tracking TA829, Proofpoint observed a highly similar email campaign and redirection infrastructure set-up. This similar campaign deployed a new loader and backdoor dubbed TransferLoader, which Proofpoint currently attributes to a separate cybercriminal cluster called “UNK_GreenSec”, rather than TA829.
This blog will show how analysts explored the differences and overlaps between both sets of activity and leave an open-ended question around the relationship between these two clusters within the larger criminal and espionage ecosystem.
Overview
Most of the time, delineating activities from distinct clusters and separating cybercrime from espionage can be done based on differing tactics, techniques, and procedures (TTPs), tooling, volume/scale, and targeting. However, in the case of TA829 and a cluster Proofpoint dubbed “UNK_GreenSec”, there is more ambiguity. TA829 is a cybercriminal actor that occasionally also conducts espionage aligned with Russian state interests, while UNK_GreenSec is an unusual cybercriminal cluster.
TA829 overlaps with activity tracked by third-parties as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis, Tropical Scorpius. The UNK_GreenSec cybercriminal cluster does not appear to align with publicly reported activity sets.
While hunting for TA829, Proofpoint observed another actor using an unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes. Initially our researchers clustered this activity as part of TA829, but after further investigation into the infection chain, behaviors, and malware, Proofpoint researchers began tracking this activity as a separate cluster. This report will detail that collision by highlighting overlaps in the activity and malware across both actors. Additionally, we will explore our hypotheses for why and how these shared traits exist, ranging from both groups using a shared infrastructure and delivery provider to a more direct relationship between the two clusters.
Proofpoint researchers observed similarities in the activity described in this report with historical TA505 activity including lures, URL shorteners, domain patterns, domain registration, and infrastructure. However, we are not attributing to TA505 at this time as we are unable to say with high confidence whether TA505 is definitively associated, or whether the actor is using strikingly similar TTPs.
Introduction
TA829 is a unique actor in the threat landscape; its behavior classifies it as a financially-motivated actor but one that also regularly conducts espionage campaigns using the same custom tool suite. Following the invasion of Ukraine, TA829 began conducting targeted espionage campaigns in Ukraine, in alignment with Russian state interests, in addition to its normal tempo of financially-motivated campaigns.
TA829 activity is unusual in the world of espionage. The actor’s automated and scaled processes, such as the regular updating of packers and loaders, the use of varied sending infrastructure and source addresses for each target, and the use of extensive redirection chains to detect and evade researchers, are more typical of cybercriminals than of espionage actors. TA829 conducts regular phishing campaigns to deploy variants of its SingleCamper (aka SnipBot, an updated version of the RomCom backdoor) malware or its lighter weight DustyHammock malware. TA829’s higher-end capabilities, such as the use of browser or operating-system zero-day exploits, appear reserved for dedicated espionage campaigns. It is unclear whether the actor’s capabilities are co-opted for the espionage campaigns, or whether there is some other form of guidance or tasking from the Russian government.
TA829’s phishing campaigns across both espionage and broad cybercriminal operations have been relatively static since last year. Proofpoint observed a small number of campaigns attributed to TA829 throughout 2024, with the group last seen in October. However, TA829 returned to the landscape in February 2025 with its typical TTPs and a more frequent operational tempo. The activity includes using plaintext emails sent from compromised MikroTik routers via freemail providers, spoofing of OneDrive or Google Drive links to initiate the infection chains, and leveraging Rebrandly redirectors to distinctive landing pages. TA829 likely acquires services and infrastructure from members of the criminal underground, including obfuscation services and domain registrations. Despite integration into the underground economy and buying some of its capabilities, the actor also continues to develop custom tooling for its infection chains.
During a lull in TA829 operations in February 2025, a similar set of campaigns also began with the aim of deploying a previously unobserved malware payload. These campaigns featured the hallmark characteristics of TA829 activity, but contained notable differences, including message volumes in the thousands targeting a broader set of industries and geographies, lure themes that consistently referenced job applications and hiring, and the unique payload that came to be known as TransferLoader. Proofpoint researchers observed four campaigns delivering TransferLoader in the first two weeks of February 2025. These campaigns, attributed to the temporary cluster named UNK_GreenSec, targeted North America and ranged from a few hundred messages to over two thousand. TransferLoader has been observed dropping Morpheus ransomware at the culmination of its infection chains.
Comparing the campaigns
There are many similarities in the infection chains of UNK_GreenSec and TA829. The following diagram illustrates overlap in delivery infrastructure, and where the infection chains diverge for payload delivery and malware installation.
Illustration highlighting delivery and installation for UNK_GreenSec and TA829.
Delivery
Both actors rely on REM Proxy services, deployed on compromised MikroTik routers, as part of their upstream sending infrastructure. Compromised routers typically have port 51922 open hosting an SSH service. Proofpoint does not currently have visibility into the method used to compromise these devices, or into what the REM Proxy payloads are. REM Proxy devices are likely rented to users to relay traffic. In observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers, which then send to targets. TA829 has also used REM Proxy services to initiate similar campaigns via compromised email accounts.
Two examples of freemail providers being abused to send emails from REM Proxy nodes: UNK_GreenSec campaign (top); TA829 campaign (bottom).
The format of the sender addresses is standard across the providers: typically containing a first and last name, and usually followed by two to six digits (some UNK_GreenSec campaigns did not use digits in the sender addresses). Proofpoint hypothesizes that the actors share an email builder utility that allows the bulk creation and sending of these emails via REM Proxy nodes.
The emails in both campaigns consist of plaintext message bodies that contain a link to an actor-controlled domain, either directly in the body or in an attached PDF, as shown below. The messages are themed around job seeking or complaints against the targeted entity, and the content is generic enough to be re-used across the campaign, but with a unique link for each target.
Email lure used by TA829 in February 2025.
Email lure used by UNK_GreenSec in February 2025.
Upon opening the link, a series of redirectors routes real users to a landing page that spoofs OneDrive or Google Drive. Both actors use similar domain registration, relying on Rebrandly services and hosting. Campaigns that deployed TransferLoader used more elaborate protections to filter out research devices and sandboxes and used Cloudflare services to filter traffic. TA829 previously used Rebrandly redirectors with one-time links on the landing pages, but in March 2025, the actor adopted filtering practices previously used in UNK_GreenSec campaigns.
In all campaigns for both activity sets, the landing pages display a link to a download site, which in turn drops a signed loader that spoofs a PDF. At this point the similarities end: the JavaScript and first-stage malware are distinct between the clusters, and the infection chains continue to diverge, ending with different payloads. Based on Proofpoint data and publications from Unit42, Talos, and Zscaler, TA829 and UNK_GreenSec have both deployed PuTTY’s PLINK utility to set up SSH tunnels, and both used IPFS services to host those utilities in follow-on activity.
The following table details similarities and differences in the threat actor clusters:
| | Both actors | TA829 | UNK_GreenSec |
|---|---|---|---|
| Targeted addresses | | Individual users | Generic addresses |
| Volume | | 300 messages or fewer | Hundreds to thousands of messages |
| Lure themes | Job application; Resume | Harassment; Security breaches; Medication complaints; Job complaints | |
| Email senders | Generic email addresses from freemail providers | Compromised senders; Different aliases per message | Alternates between single alias and multiple aliases |
| Upstream infrastructure | REM Proxy nodes (compromised MikroTik routers) | | |
| Email body | Subjects and emails are similar in patterns, structure, and content; Neither uses HTML in the message body; Both use a URL in the message body | Uses only URLs in the email body | Uses PDF attachments in addition to URLs in the email body |
| Filenames | Often references the current date; Consistent with campaign theme | More varied themes and filename patterns | Resume-themed filename; Often contains “resume” and “2025” |
| Domain usage | | Operationalized 1-3 days after registering | Operationalized the day after or the same day as registered |
| Redirector usage | Rebrandly | Unitag; Bitly | |
| HTML landing | Use similar landing pages that spoof OneDrive | Contains links to a hosting service to deliver the payload | Redirects to a PHP backend to deliver the payload |
| Filtering | | Varied; introduced improved filtering after UNK_GreenSec campaigns | Uses Cloudflare & server-side filtering |
| Payloads | Malware payload spoofs PDF reader; Signed executables; Malware checks own filename | First stage uses shellcode to check registry for recent documents and download next stage | First stage loads embedded payload from encrypted PE section |
| Follow-on (per Proofpoint visibility and external reporting) | Hosted on IPFS; PLINK | | Metasploit; Morpheus ransomware |
Comparison of UNK_GreenSec and TA829 campaigns and infection chains.
TA829: RSVP and Check Out Our Registry
If a user clicks the link in a TA829 email, they are routed through a TA829 first stage redirector domain, then a Rebrandly redirector, onto a landing page that spoofs either Google Drive or OneDrive. If the user clicks the download button, an executable is dropped from another domain. Previously, TA829 relied on TempSH to host the first stage executable but has since relied on compromised domains or MediaFire services to host the payload. This downloaded executable initiates the infection chain.
TA829 OneDrive themed landing page (left). TA829 Google Drive themed landing page (right).
The TA829 infection chain relies heavily on the Windows registry, as noted by Cisco Talos and Palo Alto’s Unit42; the registry is used for storing additional payloads, for persistence, and for validating that the loader is not running in a sandbox. The first stage loader is a family Proofpoint tracks as SlipScreen. It is invalidly signed and uses a PDF reader icon to convince the target to execute it. We have observed SlipScreen variants written in Rust and other variants in C++, and its crypter is updated for each campaign, making static detection difficult.
SlipScreen decrypts and loads shellcode into its own memory space and initiates communications with the command and control (C2) server, but only after a registry check confirms that the targeted computer has at least 55 recent documents listed in the Windows registry. A freshly built sandbox rarely has that many, so the check functions as sandbox evasion.
SlipScreen shellcode registry checks.
TA829 will either deliver an updated version of the RustyClaw loader or an updated version of the MeltingClaw loader (aka DAMASCENED PEACOCK); both will be downloaded and run in the same process address space, and can lead to either DustyHammock or SingleCamper backdoors.
Initial analysis suggested these different malware families were used exclusively for either espionage (SingleCamper) or cybercrime (DustyHammock); however, later campaigns have shown both infection chains used in financially-motivated intrusions. SingleCamper campaigns observed in 2025 have similarities to DustyHammock campaigns, which obscures the assessment of campaign objectives.
As part of the infection chain leading to DustyHammock, the RustyClaw DLL first executes within the SlipScreen process space, and then sets a registry key to store the path to the next-stage payload. The RustyClaw DLL will then beacon to the C2 server to download the DustyHammock backdoor to that file location and restart the explorer.exe process. The set registry key will execute the DustyHammock backdoor as part of its restart, via COM hijacking.
Example keys used in COM hijacking:
SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32
SOFTWARE\Classes\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}\InprocServer32
SOFTWARE\Classes\CLSID\{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}\InprocServer32
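Per-user InprocServer32 entries like these are readable by any process running as the user, which makes them a cheap hunt. The script below is an added example, not TA829 tooling or Proofpoint code: it parses a constructed .reg-style export of HKCU\Software\Classes\CLSID (the DLL path, the fourth CLSID and the HKLM CLSID set are made up for the demo) and flags entries that shadow a machine-wide CLSID or that load a DLL from outside the Windows and Program Files trees.

```python
"""Hunt for user-level COM hijacks like the InprocServer32 entries listed above.

Added example (not TA829 tooling or Proofpoint code). It parses a
constructed .reg-style export of HKCU\\Software\\Classes\\CLSID and flags
InprocServer32 default values that shadow a CLSID registered under HKLM
or that load a DLL from outside the Windows / Program Files trees.
The export text and the HKLM CLSID set below are constructed for the demo.
"""
import re

# Key header of an InprocServer32 subkey inside a .reg export.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\"
    r"(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# DLL locations a COM server normally lives under; anything else is suspect.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_hkcu_inprocservers(reg_text):
    """Map CLSID -> DLL path for every HKCU InprocServer32 default value in the export."""
    servers = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = KEY_RE.match(line)
            current = match.group(1).lower() if match else None
            continue
        if current is None:
            continue
        match = DEFAULT_VALUE_RE.match(line)
        if match:
            # .reg files escape backslashes as "\\"; undo that.
            servers[current] = match.group(1).replace("\\\\", "\\")
    return servers


def find_com_hijacks(hkcu_servers, hklm_clsids):
    """Return (clsid, dll, reasons) for entries that look like hijacks."""
    findings = []
    for clsid, dll in hkcu_servers.items():
        reasons = []
        if clsid in hklm_clsids:
            # HKCU\Software\Classes is consulted before HKLM, so a per-user
            # entry silently overrides the system server for that CLSID.
            reasons.append("shadows HKLM CLSID")
        low = dll.lower()
        if not low.startswith(TRUSTED_ROOTS) or "\\users\\" in low:
            reasons.append("DLL outside system trees")
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings


# Constructed .reg export: the three CLSIDs named above pointing at a made-up
# per-user DLL path, plus one benign per-user registration for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\mmngr.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{30d49246-d217-465f-b00b-ac9ddd652eb7}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\mmngr.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\mmngr.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
'''

# Constructed stand-in for the CLSIDs registered machine-wide; on a real host
# enumerate HKLM\Software\Classes\CLSID instead.
SAMPLE_HKLM_CLSIDS = {
    "{2155fee3-2419-4373-b102-6843707eb41f}",
    "{30d49246-d217-465f-b00b-ac9ddd652eb7}",
    "{f82b4ef1-93a9-4dde-8015-f7950a1a6e31}",
}

if __name__ == "__main__":
    hits = find_com_hijacks(parse_hkcu_inprocservers(SAMPLE_REG), SAMPLE_HKLM_CLSIDS)
    for clsid, dll, why in hits:
        print(clsid, dll, ", ".join(why))
```

On a live host, feed it the output of `reg export HKCU\Software\Classes\CLSID out.reg` and the CLSIDs enumerated from HKLM\Software\Classes\CLSID. The benign fourth entry is not flagged, but any HKCU override of a CLSID that Explorer loads on restart deserves a look at the DLL it names.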
DustyHammock is a minimalist backdoor that can run commands via cmd.exe, as well as download and execute additional files. The beacon structure of the DustyHammock communications is highly similar to that of SingleCamper, which suggests that both variants can be administered from the same panel. ProDaft’s reporting on the group showed the various bot IDs from DustyHammock (RUSTY, GAGA1) and SingleCamper (VIVAT, CMPN) infections, providing further evidence that TA829 uses a unified infection management tool.
Comparing beacon structure of DustyHammock (top) and SingleCamper (bottom).
Proofpoint also observed DustyHammock (internal DLL name mmngr.dll) execute commands from a C2 that followed the beacon structure and automated reconnaissance commands Talos described for SingleCamper. Proofpoint observed a variant of DustyHammock deploy a network reconnaissance DLL written in Rust (internal name extra.dll, spoofing DataFileSystemDiagnostic) to gather victim information; it effectively operated as a wrapper around the Windows ipconfig, systeminfo, and tasklist utilities. It is possible TA829 operators were testing a plug-in variant.
DustyHammock network traffic running shell commands.
In April 2025, TA829 shifted to using the ShadyHammock and SingleCamper tool suite in its financially motivated campaigns. TA829 campaigns also began to target organizations in defense and other related industries typically more indicative of espionage, alongside the sectors typically targeted in the group’s cybercriminal operations. The ShadyHammock infection chain also implements more protections than the DustyHammock infection chains by encrypting follow-on payloads with keys derived from information about the victim host.
The SingleCamper infection chain uses multiple DLLs all built from the same base harness. The files share the same start-up routine, the same API-hashing algorithm, the same string decryption routine, and the same function to query WMI for information about the host (some samples of an older SlipScreen variant from August 2024 also share this API-hashing function). DLLs built from this harness use WMI queries to gather the host’s ProcessorID and serial number; these values are concatenated and hashed, and the resulting 16-byte hash is used as key material for decrypting additional stages, as well as to validate communications between the C2 and the loader.
Consistent API-hashing algorithm in TA829 DLLs.
The first of these DLLs, MeltingClaw, will send a POST request to the C2 server with the string “get_module_test_msg_module” and the 16-byte hash appended to the request. The C2 responds with a padded, encrypted data blob (keyed to the 16-byte host hash), which is packed to remove the padding, split into chunks, and then written to multiple locations in the registry.
MeltingClaw HTTP packets requesting encrypted SingleCamper payload.
This data is then written to the registry across four values:
HKEY_CURRENT_USER\Control Panel\Cursors\BackupDataBinary
HKEY_CURRENT_USER\Control Panel\Colors\FontColorBinary
HKEY_CURRENT_USER\Environment\CacheBinary
HKEY_CURRENT_USER\Keyboard Layout\Preload\OldConfigBinary
MeltingClaw then sends a second request with the string “get_module_test_load_module” and the aforementioned hash value; the C2 returns the ShadyHammock DLL in plaintext and MeltingClaw writes it to disk, then sets up COM hijacking to have the DLL executed after explorer.exe is restarted.
The ShadyHammock DLL (internal DLL name: loader_moder.dll) reads and decrypts the registry contents, and uses a shellcode loader to deploy a newer version of the SingleCamper backdoor into memory (internal DLL name message_module.dll). The backdoor sets the mutex Global\srvmutex and conducts host reconnaissance prior to connecting to the same C2 server to check in.
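The practical consequence of keying the staged payload to the host is that registry artifacts pulled from a victim are useless without that victim’s ProcessorID and serial number, and a payload replayed into a sandbox with different hardware identifiers never decrypts. The model below is an added example, not MeltingClaw or ShadyHammock code. The page does not name the hash or the cipher, so it assumes MD5 for the 16-byte hash and uses a SHA-256 counter keystream as a stand-in cipher; the payload bytes and the two hosts’ identifiers are constructed.

```python
"""Model of the host-keyed, registry-staged payload handling described above.

Added example, not MeltingClaw/ShadyHammock code. The page states that the
host's ProcessorID and serial number are concatenated and hashed to a
16-byte key, that the C2 returns a padded blob encrypted under that key,
and that the blob is split across four HKCU registry values and later
reassembled and decrypted. Assumptions, labelled: MD5 is the 16-byte
hash; the cipher is a stand-in SHA-256 counter keystream (the real one is
not named on the page); the "payload" is a constructed byte string.
"""
import hashlib
import os

# Registry value names the page lists as the storage locations (ordered).
REGISTRY_SLOTS = [
    r"HKCU\Control Panel\Cursors\BackupDataBinary",
    r"HKCU\Control Panel\Colors\FontColorBinary",
    r"HKCU\Environment\CacheBinary",
    r"HKCU\Keyboard Layout\Preload\OldConfigBinary",
]


def host_key(processor_id, serial_number):
    """16-byte key from WMI identifiers (assumption: MD5 over the concatenation)."""
    return hashlib.md5((processor_id + serial_number).encode()).digest()


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "little")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def c2_build_blob(key, payload, pad_len):
    """Server side: length-prefix the payload, append random padding, encrypt."""
    plain = len(payload).to_bytes(4, "little") + payload + os.urandom(pad_len)
    return keystream_xor(key, plain)


def stage_to_registry(blob):
    """Split the blob into one chunk per registry value; a dict stands in for HKCU."""
    size = -(-len(blob) // len(REGISTRY_SLOTS))  # ceiling division
    return {slot: blob[i * size:(i + 1) * size] for i, slot in enumerate(REGISTRY_SLOTS)}


def load_from_registry(registry, key):
    """Reassemble, decrypt, strip padding; None when the key is not this host's."""
    blob = b"".join(registry[slot] for slot in REGISTRY_SLOTS)
    plain = keystream_xor(key, blob)
    length = int.from_bytes(plain[:4], "little")
    payload = plain[4:4 + length]
    # A DLL starts with "MZ"; a wrong host key yields garbage that fails this check.
    if length > len(plain) - 4 or not payload.startswith(b"MZ"):
        return None
    return payload


# Constructed stand-in for a PE payload and for two hosts' WMI identifiers.
FAKE_DLL = b"MZ" + b"\x90" * 300 + b"stage-placeholder"
VICTIM = ("BFEBFBFF000906EA", "SN-VICTIM-0001")
ANALYST_VM = ("BFEBFBFF000506E3", "SN-SANDBOX-0002")


def demo():
    """Encrypt for the victim, stage, then attempt recovery on both hosts."""
    registry = stage_to_registry(c2_build_blob(host_key(*VICTIM), FAKE_DLL, pad_len=37))
    on_victim = load_from_registry(registry, host_key(*VICTIM))
    on_sandbox = load_from_registry(registry, host_key(*ANALYST_VM))
    return on_victim == FAKE_DLL, on_sandbox is None


if __name__ == "__main__":
    print(demo())  # (True, True): recoverable on the victim only
```

For incident response this means the registry hive alone is not enough: collect the WMI ProcessorID and BIOS serial number from the affected machine alongside the hive, or the staged SingleCamper payload cannot be recovered for analysis.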
The backdoor enters a beacon-sleep loop to connect to the C2. The server sends back a consistent response instructing the backdoor to continue sleeping until an operator issues a command, which the backdoor would then implement. If the response is less than 16 bytes or the outbound request fails, the backdoor increments a failure counter; once 30 failures are reached, the backdoor cleans up portions of the infection chain and deletes itself.
SingleCamper heartbeat beacon.
The SingleCamper backdoor has an extensive set of commands that can be passed back from the C2, as noted by both Talos and Unit42. Both SingleCamper and DustyHammock serve as the main foothold on the targeted host, from which the actor further compromises victim networks by downloading additional tooling from the InterPlanetary File System (IPFS) or issuing reconnaissance commands. This can facilitate data theft and ransomware deployment, both of which have their uses in espionage and criminal campaigns.
UNK_GreenSec Deploying TransferLoader
While monitoring for TA829 campaigns, we observed a different downloader being distributed by a highly similar infection chain in February 2025. This downloader became known as TransferLoader, and was documented by ZScaler. Campaigns distributing TransferLoader generally begin with emails regarding a fake candidate pursuing a role at the recipient’s company. Like TA829 campaigns, the senders are generic, fake individuals rather than real, compromised users. The email bodies commonly contain either a link, or a PDF with a link, to what the sender claims to be a resume or portfolio, hosted on an actor-controlled server.
UNK_GreenSec email lure leading to TransferLoader.
Example of PDF content with a link leading to TransferLoader.
Clicking on the link initiates the Rebrandly redirection chain observed in both UNK_GreenSec and TA829 campaigns. Once the download button is clicked, a signed executable is downloaded from an IPFS webshare. Like SlipScreen, the TransferLoader executable has a PDF icon and filename consistent with the job-seeking theme.
UNK_GreenSec landing page.
The primary objectives of TransferLoader are to evade detection and load additional payloads. The malware has many distinguishing characteristics: it verifies its own filename against XOR-encoded strings, uses custom implementations of encryption and encoding algorithms, resolves APIs by hash from 64-bit DLLs, and stores encrypted data in PE sections with distinctive names; its infection chains and follow-on payloads also differ from TA829’s.
The strings are XOR-encrypted to assist obfuscation. At runtime, stack strings are resolved and XORed with an 8-byte key following the strings. In this first stage, the decrypted strings contain important variables, such as the filename used in the filename check, a custom alphabet to be used in Base32 decoding, the AES key used in a custom AES implementation, and the name of the section that houses encrypted data.
TransferLoader first checks whether its filename has been changed. Most filenames observed in 2025 have contained the strings “Resume” or “Professional” together with “2025”. Filenames are routinely changed by analysts, automation pipelines, and detection tools during processing (renaming a sample to its hash, for example), so this check doubles as anti-analysis: the malware will only run if the expected strings remain in the filename, and a renamed sample exits without revealing later stages.
TransferLoader checking its own filename.
The malware resolves APIs by hash from 64-bit DLLs, a common evasion technique. Instead of storing API function names (like LoadLibraryA or GetProcAddress) as readable strings, the malware stores a 64-bit hash of each function name. At runtime, it walks the export tables of loaded modules (like kernel32.dll), hashes each exported function name, and compares the result to the stored hash. When a match is found, it resolves the address of the API function without ever exposing the function name in clear text. This obscures which APIs the malware uses, making static analysis and signature-based detection harder. TransferLoader first resolves and checks two APIs; if successful, it continues resolving the rest.
Next, the malware uses an XOR decrypted string to locate the name of the section that holds the encrypted data for the next stage. Recurring section names observed in early 2025 include “.green”, “.secenc”, and “.dbg”. Once located, the encrypted data is decoded using Base32 and a custom alphabet found in the XOR-decrypted strings. The Base32-decoded data is then decrypted using a custom AES implementation using a key also found in the XOR-decrypted strings to decrypt the next stage, often resulting in a downloader or backdoor module described by Zscaler.
Example TransferLoader PCAP.
Proofpoint researchers observed TransferLoader dropping Metasploit, with third-party researchers reporting TransferLoader infections leading to Morpheus ransomware, which is likely an updated version of HellCat ransomware.
In June 2025, UNK_GreenSec activity resumed with new versions of TransferLoader and an updated but similar infection chain. REM Proxy nodes still send the messages through a freemail provider, but instead of linking to actor-controlled domains that pass through Rebrandly redirectors before the OneDrive-spoofing landing page, the new messages link to AWS S3 buckets that redirect to either a compromised WordPress site or an actor-controlled fake hiring domain. Both then redirect to a familiar OneDrive-esque landing page.
Comparing the infrastructure
UNK_GreenSec campaigns were initially more mature in their infrastructure protection habits. Unlike the TA829 campaigns, the TransferLoader campaigns’ JavaScript components redirected users to a different PHP endpoint on the same server, which allows the operator to conduct further server-side filtering. UNK_GreenSec used a dynamic landing page, often irrelevant to the OneDrive spoof, and redirected users to the final payload that was stored on an IPFS webshare.
UNK_GreenSec download JavaScript.
Additionally, the TransferLoader campaigns introduced Cloudflare checks to prevent automated link following from finding the download pages. TA829 campaigns eventually adopted this practice. TA829 landing pages will return a static splash page if the link has already been used, presumably by the victim.
The JavaScript on the landing page for TA829 campaigns has been consistent since the middle of 2024 and redirects users further to either third-party hosting sites, such as MediaFire or Temp.Sh, or to compromised domains to host the first-stage payload.
TA829 download JavaScript.
The first-stage redirection domains for both actors were registered via Tucows and hosted on dedicated Rebrandly infrastructure. Both actors use nginx for the landing page. TA829’s C2 domains are fronted by Cloudflare, but the backend is typically hosted on ShockHosting or Aeza International ASNs, using OpenResty. Late-stage TA829 components follow the aforementioned HTTP-based beaconing and command execution structure.
UNK_GreenSec landing pages and C2 infrastructure are typically hosted directly on Aeza servers and registered via the WebNic registrar. The UNK_GreenSec landing pages and C2s use nginx running on Ubuntu. TransferLoader traffic uses custom HTTP headers as well as a TCP-based protocol to communicate with its C2 servers. While these differences may be subtle, they can help differentiate one actor’s infrastructure from the other’s.
| | Both actors | TA829 | UNK_GreenSec |
|---|---|---|---|
| First stage domains | Tucows registrar; Rebrandly hosting | | |
| Landing page domains | Nginx servers; Cloudflare proxied | Tucows registrar; Shockhosting hosting | WebNic registrar; Aeza hosting |
| Payload hosting | | Compromised domains; Temp.SH; MediaFire | IPFS |
| C2 infrastructure | WebNic registrar; Aeza hosting; HTTP-based protocol | Shockhosting hosting; OpenResty | HTTP and TCP-based protocols; Nginx on Ubuntu |
Competing hypotheses
The investigation of both sets of activity raises the question of whether these actors are related or the overlap is coincidental. The overlaps include similarities in TTPs, infrastructure, and malware. The timing of UNK_GreenSec activity during a TA829 break, and the connection to Morpheus and HellCat ransomware, further reinforce the possibility of a relationship between UNK_GreenSec and TA829.
The data points in totality lead to the following potential hypotheses:
TA829 and UNK_GreenSec buy distribution and infrastructure from the same third-party provider;
TA829 procures and distributes its own infrastructure, and provided those services temporarily to UNK_GreenSec;
UNK_GreenSec is the infrastructure and distribution provider, that normally sells to TA829 operators, and temporarily used those services to deploy its own malware, TransferLoader;
The two clusters are the same actor, and TransferLoader is a new family in testing phase from TA829.
Conclusion
Historically, cybercrime and espionage operations have remained relatively distinct with divergent motivations. While there were some notable exceptions, such as cybercriminal malware repurposed for espionage (DanaBot and Sunseed) and criminal operators working for government sponsors, overall the objectives could largely be clearly defined and attributed. (One country that has always found itself outside of this dichotomy is North Korea, where threat actors conduct both espionage and crime to steal money on behalf of the regime.)
In the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing the distinctive barriers that separate criminal and state actors. Campaigns, indicators, and threat actor behaviors have converged, making attribution and clustering within the ecosystem more challenging.
While there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and UNK_GreenSec, there is very likely a link between the groups. Proofpoint will continue to track both activity sets separately and investigate further developments and overlaps in both groups’ TTPs.
Indicators of compromise
| Indicator | Type | Context | First Seen |
|---|---|---|---|
| 1drv[.]site | Domain | TA829 first stage domain | October 2024 |
| 1drv[.]zone | Domain | TA829 first stage domain | October 2024 |
| 1drvms[.]space | Domain | TA829 first stage domain | October 2024 |
| 1drw[.]live | Domain | TA829 first stage domain | February 2025 |
| 1share[.]limited | Domain | TA829 first stage domain | February 2025 |
| file-cloud[.]company | Domain | TA829 first stage domain | February 2025 |
| file-share[.]works | Domain | TA829 first stage domain | February 2025 |
| healthfy[.]bio | Domain | TA829 first stage domain | February 2025 |
| mspdf[.]live | Domain | TA829 first stage domain | February 2025 |
| onedr[.]expert | Domain | TA829 first stage domain | February 2025 |
| onefile[.]social | Domain | TA829 first stage domain | February 2025 |
| pdf-share[.]pub | Domain | TA829 first stage domain | February 2025 |
| share-doc[.]live | Domain | TA829 first stage domain | February 2025 |
| 1drv-storage[.]pub | Domain | TA829 first stage domain | February 2025 |
| 1drv365[.]live | Domain | TA829 first stage domain | February 2025 |
| 1drvfiles[.]online | Domain | TA829 first stage domain | February 2025 |
| 365drv[.]live | Domain | TA829 first stage domain | February 2025 |
| drive-share[.]pub | Domain | TA829 first stage domain | February 2025 |
| my1drv[.]online | Domain | TA829 first stage domain | February 2025 |
| myonedrive365[.]live | Domain | TA829 first stage domain | February 2025 |
| ondrve[.]live | Domain | TA829 first stage domain | February 2025 |
| pdf-storage[.]pub | Domain | TA829 first stage domain | February 2025 |
| sharepdf[.]limited | Domain | TA829 first stage domain | February 2025 |
| storagedrive[.]pub | Domain | TA829 first stage domain | February 2025 |
| d1rv[.]social | Domain | TA829 first stage domain | February 2025 |
| dr365[.]live | Domain | TA829 first stage domain | February 2025 |
| my-356drv[.]online | Domain | TA829 first stage domain | February 2025 |
| 1drive-work[.]online | Domain | TA829 first stage domain | February 2025 |
| share-pdf[.]live | Domain | TA829 first stage domain | February 2025 |
| 1drvcloud[.]online | Domain | TA829 first stage domain | February 2025 |
| file-acess[.]live | Domain | TA829 first stage domain | February 2025 |
| 1drv-team[.]works | Domain | TA829 first stage domain | February 2025 |
| workspace-doc[.]live | Domain | TA829 first stage domain | March 2025 |
| ondv[.]live | Domain | TA829 first stage domain | March 2025 |
| my1drv[.]live | Domain | TA829 first stage domain | March 2025 |
| gdrive-share[.]online | Domain | TA829 first stage domain | March 2025 |
| 1dv365[.]live | Domain | TA829 first stage domain | March 2025 |
| 365msdrv[.]live | Domain | TA829 first stage domain | March 2025 |
| cloud-pdf[.]online | Domain | TA829 first stage domain | March 2025 |
| drivestorage[.]online | Domain | TA829 first stage domain | March 2025 |
| 1drv365[.]online | Domain | TA829 first stage domain | March 2025 |
| my-drive365[.]pub | Domain | TA829 first stage domain | March 2025 |
| gdl-cloud[.]works | Domain | TA829 first stage domain | March 2025 |
| gdrvdocs[.]online | Domain | TA829 first stage domain | March 2025 |
| dvfilesync[.]pub | Domain | TA829 first stage domain | March 2025 |
| storage-hub[.]pub | Domain | TA829 first stage domain | March 2025 |
| data-dv[.]live | Domain | TA829 first stage domain | March 2025 |
| gworkspace[.]social | Domain | TA829 first stage domain | March 2025 |
| diskstorage[.]click | Domain | TA829 first stage domain | March 2025 |
| 365work[.]chat | Domain | TA829 first stage domain | March 2025 |
| onedrweb[.]live | Domain | TA829 first stage domain | March 2025 |
| pdfshare[.]click | Domain | TA829 first stage domain | March 2025 |
| documentapproved[.]click | Domain | TA829 first stage domain | March 2025 |
| cloudly[.]live | Domain | TA829 first stage domain | April 2025 |
| drsync[.]click | Domain | TA829 first stage domain | April 2025 |
| drshare[.]online | Domain | TA829 first stage domain | April 2025 |
| drivenc[.]pub | Domain | TA829 first stage domain | April 2025 |
| drivehub[.]live | Domain | TA829 first stage domain | April 2025 |
| 1day[.]live | Domain | TA829 first stage domain | April 2025 |
| onestorelink[.]live | Domain | TA829 first stage domain | April 2025 |
| 1dcloud[.]live | Domain | TA829 first stage domain | April 2025 |
| drivepoint[.]pub | Domain | TA829 first stage domain | April 2025 |
| site-staff[.]sale | Domain | TA829 first stage domain | April 2025 |
| driveshare[.]pub | Domain | TA829 first stage domain | April 2025 |
| cloudlive[.]pub | Domain | TA829 first stage domain | April 2025 |
| dvcloud[.]live | Domain | TA829 first stage domain | April 2025 |
| drivepublic[.]live | Domain | TA829 first stage domain | April 2025 |
| sharedrive[.]pub | Domain | TA829 first stage domain | April 2025 |
| drivehost[.]live | Domain | TA829 first stage domain | April 2025 |
| onlinedrive[.]click | Domain | TA829 first stage domain | April 2025 |
| livestorage[.]click | Domain | TA829 first stage domain | April 2025 |
| mydrv1[.]live | Domain | TA829 first stage domain | April 2025 |
| 1dv[.]online | Domain | TA829 first stage domain | April 2025 |
| 1drv.eu[.]com | Domain | TA829 landing page | October 2024 |
| ms.share-onedr[.]com | Domain | TA829 landing page | February 2025 |
| datadrv1[.]com | Domain | TA829 landing page | February 2025 |
| onelivedrv[.]com | Domain | TA829 landing page | March 2025 |
| clouderive[.]com | Domain | TA829 landing page | April 2025 |
| cloud1dv[.]com | Domain | TA829 landing page | April 2025 |
| 1dvstorage[.]com | Domain | TA829 landing page | April 2025 |
| journalctl[.]website | Domain | TA829 C2 | October 2024 |
| drivedefend[.]com | Domain | TA829 DustyHammock C2 | February 2025 |
| consvcprivacy[.]com | Domain | TA829 DustyHammock C2 | February 2025 |
| opendnsapi[.]net | Domain | TA829 DustyHammock C2 | March 2025 |
| mngersrv[.]com | Domain | TA829 DustyHammock C2 | March 2025 |
| supportcausems[.]com | Domain | TA829 SingleCamper C2 | February 2025 |
| deliverycitylife[.]com | Domain | TA829 SingleCamper C2 | April 2025 |
| msvhost[.]com | Domain | TA829 SingleCamper C2 | April 2025 |
| lauradream[.]com | Domain | TA829 SingleCamper C2 | April 2025 |
| 1drive[.]bio | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drive[.]expert | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drive[.]pub | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drive[.]social | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drive[.]works | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drivecloud[.]click | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drivecloud[.]live | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drivems[.]expert | Domain | UNK_GreenSec first stage domain | February 2025 |
| 1drivems[.]works | Domain | UNK_GreenSec first stage domain | February 2025 |
| onedrivecloud[.]click | Domain | UNK_GreenSec first stage domain | February 2025 |
| onedrivecloud[.]expert | Domain | UNK_GreenSec first stage domain | February 2025 |
| onedrivecloud[.]live | Domain | UNK_GreenSec first stage domain | February 2025 |
| onedrivecloud[.]net | Domain | | |
UNK_GreenSec first stage domain
February 2025
onedrivems[.]works
Domain
UNK_GreenSec first stage domain
February 2025
onedrivems[.]cloud
Domain
UNK_GreenSec landing page
February 2025
1drv[.]world
Domain
UNK_GreenSec landing page
February 2025
1drv[.]me
Domain
UNK_GreenSec landing page
June 2025
1drv[.]biz
Domain
UNK_GreenSec landing page
June 2025
temptransfer[.]live
Domain
TransferLoader C2
February 2025
cdngateway[.]us
Domain
TransferLoader C2
June 2025
Malware Indicators
| Indicator | Type | Description | Date |
|---|---|---|---|
| GMC CONSTRUCTION AND TRADING COMPANY LIMITED (SHA1: c8cbb1eaae2fd97fa811ece21655e2cb96510255) | Certificate | SlipScreen code signing certificate | April 2025 |
| TC SOYUZPLIT LLC (SHA1: d8b04523d86270ce8bf8a834d7da22829f1a8d16) | Certificate | SlipScreen code signing certificate | March 2025 |
| APPRAISAL PHARMACEUTICALS (OPC) PRIVATE LIMITED (SHA1: 5238c4815c13f9d26ad6fa46aec6cc55671cb16e) | Certificate | SlipScreen code signing certificate | February 2025 |
| Guangzhou VW Science and Technology Ltd. Co (SHA1: 24bd135b92a95c0e7f9967f6372bbe4bc99d9f84) | Certificate | SlipScreen code signing certificate | February 2025 |
| FUTURICO LLC (SHA1: cff9e5fee264dd58dbd6a3165322807248d3a1b2) | Certificate | SlipScreen code signing certificate | October 2024 |
| 1c6a5476d485d311be1e07c2e0d2ae322214caa5d4f84398d4169d499105b01a | SHA256 | MeltingClaw | April 2025 |
| fba9f2c351e898bfc61c8b1181020212ccb9e55041c4dd433ca2867dbf796469 | SHA256 | MeltingClaw | April 2025 |
| 3a234b49b834849689da477f77ca6363b40ee83e58213ee51b1ec248da90a543 | SHA256 | ShadyHammock | April 2025 |
| e7917ff12114be5c79ca9bd0082eb628192c2ebfbee7aad2ae626ea208ee37cf | SHA256 | ShadyHammock | April 2025 |
| 6d5226cba687d99ce14eda8de290edd470e79436625618559c8db1458a53666c | SHA256 | DustyHammock | N/A |
| 7e51eb44cfd945f4a155707f773fae3207ebfb59d45ea866ba69bd9bc28dfc32 | SHA256 | DustyHammock | N/A |
| f5f2761278163a1a813356666cb305fe37806f5f633b2a5475997f10d24fb3d4 | SHA256 | DustyHammock | N/A |
| cd526475391c375e8e40f0146146672928db9bbf210acb41e0fd41381cd5eb9a | SHA256 | DustyHammock | N/A |
| 54a94c7ec259104478b40fd0e6325d1f5364351e6ce1adfd79369d6438ed6ed9 | SHA256 | SingleCamper | N/A |
| 8f3b065e6aa6bc220867cdcb1c250c69b2d46422c51f66f25091f6cab5d043de | SHA256 | SingleCamper | N/A |
| 7fc65b23e0a85f548e4268b77b66a3c9f3d08b9c1817c99bc1336d51d36e1ec6 | SHA256 | SingleCamper | N/A |
| 07b9e353239c4c057115e8871adc3cfb42467998c6b737b28435ecc9405001c9 | SHA256 | SingleCamper | N/A |
| NEXTGENSOFTWARE COMPANY LIMITED (SHA1: 2b301191aa9e1d2c8e3eefd38b6eb1952b1fce88) | Certificate | SlipScreen code signing certificate | February 2025 |
| Common Brothers LTD (SHA1: d890d4b40ce56f90b9ea168bf6d7bf5043a47319) | Certificate | SlipScreen code signing certificate | June 2025 |
| 00385cae3630694eb70e2b82d5baa6130c503126c17db3fc63376c7d28c04145 | SHA256 | TransferLoader | February 2025 |
| 33971df8f5c34c3c79f64e2e28e300260499285bd37f77295ba88897728ace4b | SHA256 | TransferLoader | June 2025 |
ET Rules
2862007 – TA829 CnC Check-in – RDPE1 Variant
2862008 – TA829 CnC Check-in – RUSTY Variant
2862009 – TA829 CnC Check-in – VIVAT Variant
2862010 – TA829 CnC Check-in – CMPN1 Variant
2862011 – TA829 CnC Check-in – GAGA1 Variant
2862012 – TA829 Requesting Next Stage
2862013 – TA829 Requesting Next Stage
2862005 – TA829 CnC Check-in With Unknown Identifier String
2063154 – TransferLoader User-Agent Observed (Microsoft Edge/1.0)
2063155 – TransferLoader Custom HTTP Header and Values Observed (X-Custom-Header)