The notorious threat actor TA829 has returned to the global cyber stage with a series of sophisticated campaigns that blend espionage and cybercrime, leveraging a revamped version of the RomCom backdoor.
Recent research by Proofpoint and other cybersecurity firms reveals that TA829’s operations have grown more advanced, with automation, infrastructure diversity, and technical innovation that challenge traditional security defenses.
TA829, also known as RomCom, Void Rabisu, and Storm-0978 among other aliases, has historically targeted both financial and espionage objectives.
Following a lull in late 2024, the group re-emerged in February 2025, launching phishing campaigns that spoofed OneDrive and Google Drive links, often using compromised MikroTik routers as REM Proxy nodes to relay malicious emails.
The infection chain typically begins with a plaintext email containing a unique link for each target, which leads to a landing page that mimics legitimate cloud storage services.
The technical sophistication is evident in TA829’s use of regularly updated packers and loaders, such as the SlipScreen loader (written in Rust or C++), which employs registry checks to evade sandboxes and static detection.
Once executed, SlipScreen decrypts and loads shellcode, initiating communication with command-and-control (C2) servers.
Subsequent stages may deploy either the DustyHammock or SingleCamper (an updated RomCom variant), both of which are capable of executing commands, downloading further payloads, and conducting reconnaissance.
TA829’s infection chain also uses advanced persistence techniques, including COM hijacking via specific registry keys, and stores encrypted payloads across multiple registry locations.
The group’s backdoors use a unified beacon structure, suggesting a centralized management panel for both espionage and financially motivated intrusions.
Technical Innovations and the Emergence of TransferLoader
A notable development in 2025 was the appearance of a parallel campaign attributed to a cluster dubbed UNK_GreenSec, which deployed a new loader and backdoor named TransferLoader.

While sharing significant infrastructure and delivery tactics with TA829, such as the use of REM Proxy nodes, freemail providers, and Rebrandly redirectors, TransferLoader introduced enhanced filtering, Cloudflare protections, and a unique payload chain.
TransferLoader’s executable, typically disguised as a PDF, incorporates filename verification, custom encryption routines, and dynamic API resolution via hashed function names.
Its infection chain is designed to thwart static analysis and automated detection, executing only if specific filename patterns are matched.
Once active, TransferLoader decrypts and loads additional modules, which can sometimes lead to the deployment of ransomware, such as Morpheus (an evolution of HellCat ransomware).
UNK_GreenSec’s campaigns, which peaked during a TA829 operational pause, targeted a broader range of industries and geographies with high-volume phishing lures themed around job applications. Their infrastructure protection was more mature, employing dynamic landing pages, server-side filtering, and direct IPFS payload hosting.
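The paragraphs above describe TransferLoader arriving as an executable disguised as a PDF. The following is an added triage example, not code from Proofpoint or from the TransferLoader campaign: it compares an attachment's extension with its leading magic bytes and flags double extensions, which is the general check that catches this class of disguise. The sample filenames and bytes are constructed for the demo, and the magic-byte and extension tables are the author's own short lists, not a complete signature database.

```python
"""Triage check for attachments whose declared type does not match their content."""

# Leading bytes of a few common file types (a short, hand-picked list).
MAGIC = {
    b"MZ": "pe",            # Windows EXE/DLL/SCR
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/jar containers
    b"{\\rtf": "rtf",
}

# What the content should look like for a given extension.
EXPECTED = {
    ".pdf": "pdf", ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".zip": "zip", ".docx": "zip", ".rtf": "rtf",
}

EXECUTABLE_KINDS = {"pe", "elf"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr"}

# Constructed sample attachments (names and bytes made up for this demo).
SAMPLES = {
    "cv_jane_doe.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "cv_john_roe.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",
    "application.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if no signature matches."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def assess_attachment(name: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    # Double extension such as application.pdf.exe: a document-looking
    # name in front of the real, executable extension.
    if len(parts) > 2 and "." + parts[-2] in EXPECTED:
        findings.append(f"double extension (.{parts[-2]}{ext})")

    # Extension says one thing, magic bytes say another.
    expected = EXPECTED.get(ext)
    if expected and expected != kind:
        findings.append(f"extension {ext} but content is {kind}")

    # Executable content under any non-executable name (covers unknown extensions too).
    if kind in EXECUTABLE_KINDS and ext not in EXECUTABLE_EXTS:
        findings.append(f"executable content ({kind}) under non-executable name")

    return findings


def triage(samples: dict) -> dict:
    """Run assess_attachment over a batch and keep only the files with findings."""
    flagged = {}
    for name, data in samples.items():
        findings = assess_attachment(name, data)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The check is deliberately cheap so it can run at the mail gateway or on a sandbox's intake queue; the point is that the decision is driven by the bytes rather than by the name or icon the sender chose.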
Shared Infrastructure, Diverging Payloads, and Attribution Challenges
Both TA829 and UNK_GreenSec rely on a mix of criminal underground services for infrastructure, including domain registrations (Tucows, WebNic), NGINX servers, and Cloudflare proxies.
Their infection chains overlap in early stages but diverge at payload delivery, with TA829 focusing on espionage-capable backdoors and UNK_GreenSec on modular loaders and ransomware.
The technical overlaps raise questions about the relationship between the two clusters, specifically whether they share suppliers, infrastructure, or even personnel.
Attribution remains ambiguous, but the convergence of cybercrime and espionage tactics in these campaigns signals a new era of hybrid threat activity, making defense and attribution more complex than ever.
Indicators of Compromise:
| Indicator | Type | Context | First Seen |
|---|---|---|---|
| 1drv[.]site | Domain | TA829 first stage domain | October 2024 |
| 1drv[.]zone | Domain | TA829 first stage domain | October 2024 |
| 1drvms[.]space | Domain | TA829 first stage domain | October 2024 |
| 1drw[.]live | Domain | TA829 first stage domain | February 2025 |
| 1share[.]limited | Domain | TA829 first stage domain | February 2025 |
| file-cloud[.]company | Domain | TA829 first stage domain | February 2025 |
| file-share[.]works | Domain | TA829 first stage domain | February 2025 |
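The article notes that each phishing email carries a link that is unique to its target, so matching on full URLs is weak; the stable part is the first-stage domain in the table above. The following is an added example, not Proofpoint's tooling: it parses the defanged table rows, refangs them, and matches proxy-log hostnames against the domains by exact or subdomain match, ignoring domains that merely appear in a URL path. The log lines are constructed for the demo and the `url=` field layout is an assumption about the log format.

```python
"""Match the defanged IoC table against constructed proxy-log URLs."""
import re
from urllib.parse import urlsplit

# The IoC rows as they appear in the table above (defanged with [.]).
IOC_TABLE = """
| 1drv[.]site | Domain | TA829 first stage domain | October 2024 |
| 1drv[.]zone | Domain | TA829 first stage domain | October 2024 |
| 1drvms[.]space | Domain | TA829 first stage domain | October 2024 |
| 1drw[.]live | Domain | TA829 first stage domain | February 2025 |
| 1share[.]limited | Domain | TA829 first stage domain | February 2025 |
| file-cloud[.]company | Domain | TA829 first stage domain | February 2025 |
| file-share[.]works | Domain | TA829 first stage domain | February 2025 |
"""

# Constructed proxy log lines (not real telemetry); the url= field is assumed.
SAMPLE_LOG = """
2025-02-12T09:14:03Z user=a.nguyen url=https://1drv.site/s/Q7xk2 action=allow
2025-02-12T09:15:41Z user=b.ortiz url=https://onedrive.live.com/redir?id=123 action=allow
2025-02-12T09:20:09Z user=c.lee url=https://cdn.file-share.works/d/9fA1 action=allow
2025-02-12T09:22:55Z user=d.kim url=https://example.com/1drv.site/ action=allow
"""

URL_RE = re.compile(r"\burl=(\S+)")


def refang(value: str) -> str:
    """Turn a defanged indicator (or URL) back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def load_domains(table: str) -> dict:
    """Parse pipe-table rows into {domain: context}, keeping rows of type Domain."""
    iocs = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[1] == "Domain":
            iocs[refang(cells[0]).lower()] = cells[2]
    return iocs


def match_domain(host: str, iocs: dict):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for dom in iocs:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan(log_text: str, iocs: dict) -> list:
    """Return (timestamp, host, ioc_domain, context) for each log line that hits."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        # Match on the parsed hostname only, so an IoC string inside a
        # path or query on some other host does not produce a false hit.
        host = urlsplit(refang(m.group(1))).hostname or ""
        dom = match_domain(host, iocs)
        if dom:
            hits.append((line.split()[0], host, dom, iocs[dom]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, load_domains(IOC_TABLE)):
        print("HIT", *hit)
```

Suffix matching is what catches a previously unseen subdomain of a listed first-stage domain; the fourth sample line shows why the host, not the raw URL string, is the thing to compare.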