10 Things I Hate About Attribution: RomCom vs. TransferLoader
Essential information
- Published
- 01/07/2025 08:07
- Modified
- 01/07/2025 08:36
- Tags
- 2025-07-01 dustyhammock hellcat meltingclaw morpheus ransomware romcom rustyclaw shadyhammock singlecamper slipscreen transferloader
- Related entities
- 103 observables, 1 intrusion sets (apt), 19 techniques (mitre), 9 malware, 7 others
Description
This report analyzes the activities of two threat actor clusters, TA829 and UNK_GreenSec. TA829 runs both espionage and cybercrime operations using tools such as SingleCamper and DustyHammock. UNK_GreenSec deploys the TransferLoader malware, with infections leading on to ransomware. The two clusters share similarities in infrastructure, delivery tactics, and lure themes, raising questions about how they are related. Four hypotheses about their connection are presented, ranging from reliance on the same third-party services to the two clusters being a single actor. The report highlights the increasing overlap between cybercrime and espionage activity, which makes attribution harder in the current threat landscape.