Ethical Hacking News
In a recent report by cybersecurity firm Proofpoint, two threat actors, TA829 and UNK_GreenSec, have been linked to similar malware campaigns that utilize REM Proxy services deployed on compromised MikroTik routers for their upstream infrastructure. The findings highlight the growing trend of cybercrime and espionage activity overlapping in the threat landscape, making attribution and clustering within the ecosystem more challenging.
TA829, a group known for its ability to conduct both financially motivated attacks and espionage, has been associated with the RomCom RAT malware campaign. Meanwhile, UNK_GreenSec has been linked to TransferLoader, a loader that delivers Morpheus ransomware against targeted victims. The overlap in tradecraft between these two groups raises several possibilities regarding their relationship.
One possibility is that TA829 and UNK_GreenSec are procuring distribution and infrastructure from the same third-party provider. This would imply a level of coordination between the two groups, with each utilizing the other's services to conduct their respective malicious activities. On the other hand, it is also possible that TA829 acquires and distributes its own infrastructure, providing these services to UNK_GreenSec on an ad-hoc basis.
Another possibility is that UNK_GreenSec, typically a provider of warez to TA829, has temporarily adopted its malware distribution channels to deliver TransferLoader. This scenario would suggest that the two groups have a more fluid relationship, with each leveraging the other's infrastructure as needed. However, there is currently not enough evidence to substantiate this possibility.
Lastly, it is also possible that TA829 and UNK_GreenSec are one and the same group, with TransferLoader being a new addition to their malware arsenal. While this scenario seems plausible, given the overlap in tradecraft between the two groups, further investigation would be required to confirm or deny this hypothesis.
Regardless of the exact nature of the relationship between TA829 and UNK_GreenSec, the findings highlight the growing number of points at which cybercrime and espionage activity overlap in the threat landscape. As campaigns, indicators, and threat actor behaviors converge, attribution and clustering within the ecosystem become more challenging.
In this context, the attacks conducted by TA829 and UNK_GreenSec rely heavily on REM Proxy services to relay traffic to new accounts at freemail providers. These services have also been used by TA829 to initiate campaigns via compromised email accounts. The use of similar email lure themes and landing pages further reinforces the notion that these two groups are operating in tandem.
Furthermore, both groups have employed an "unusual amount of similar infrastructure" in their malware campaigns, including IPFS services to host utilities like PuTTY's PLINK. This level of coordination is unusual for threat actors that typically compete against one another for resources and notoriety.
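As an added example, not taken from the Proofpoint report or this article, here is a defender-side check tied to the IPFS-hosted PLINK staging described above: it scans web-proxy log lines for downloads of PLINK or other executables from IPFS gateway paths and grades each hit. The log line format, the gateway hostnames, the client addresses and the CID are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample web-proxy log, not real indicators. Assumed format: "<ts> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2025-07-01T09:12:03Z 10.0.4.21 GET https://ipfs.io/ipfs/QmABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstu/plink.exe 200
2025-07-01T09:13:10Z 10.0.4.21 GET https://www.example.org/index.html 200
2025-07-01T09:15:44Z 10.0.7.8 GET https://dweb.link/ipfs/QmABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstu/readme.txt 200
2025-07-01T09:16:02Z 10.0.9.3 GET https://cdn.example.net/tools/plink.exe 200
"""

# IPFS gateway path: CIDv0 ("Qm" + 44 base58 chars) or CIDv1 (base32, starts with "b"), followed by a file path.
IPFS_PATH = re.compile(r"/ipfs/(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})(?=/|$)")
# The SSH tunnelling utility the report says was staged on IPFS.
TUNNEL_TOOL_NAMES = {"plink.exe", "plink"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".msi")


@dataclass
class Finding:
    client_ip: str
    url: str
    cid: Optional[str]
    severity: str


def classify_url(url: str) -> Tuple[Optional[str], Optional[str]]:
    # Returns (severity, cid); (None, None) means the fetch is not interesting.
    path = urlparse(url).path
    basename = path.rsplit("/", 1)[-1].lower()
    match = IPFS_PATH.search(path)
    cid = match.group(1) if match else None
    if cid and basename in TUNNEL_TOOL_NAMES:
        return "high", cid      # tunnelling tool pulled from an IPFS gateway: the reported staging pattern
    if cid and basename.endswith(EXECUTABLE_SUFFIXES):
        return "medium", cid    # any executable pulled over IPFS deserves a look
    if basename in TUNNEL_TOOL_NAMES:
        return "low", None      # PLINK from an ordinary host: may be legitimate admin use
    return None, None


def scan(log_text: str) -> List[Finding]:
    # Parses each proxy log line and collects findings in log order.
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue            # skip malformed lines
        client_ip, url = fields[1], fields[3]
        severity, cid = classify_url(url)
        if severity:
            findings.append(Finding(client_ip, url, cid, severity))
    return findings
```

A "low" hit alone is noise in most estates; the useful signal is the "high" grade combined with the same client later opening an outbound SSH session.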
The overlap between TA829 and UNK_GreenSec also raises questions about the effectiveness of existing security measures. With both groups utilizing REM Proxy services and similar infrastructure, it becomes increasingly difficult to detect and block malicious activity in real-time.
In light of these findings, cybersecurity firms and organizations must take a more nuanced approach to threat intelligence and attribution. The lack of clear lines between cybercrime and espionage actors necessitates the development of new tactics for distinguishing between legitimate and illegitimate activity.
Ultimately, the convergence of TA829 and UNK_GreenSec highlights the need for continued vigilance in the face of an increasingly complex threat landscape. As the boundaries between cybercrime and espionage continue to blur, cybersecurity professionals must remain adaptable in their efforts to detect and counter malicious activity.
Published: Tue Jul 1 12:40:48 2025 by llama3.2 3B Q4_K_M