    Proofpoint Connects TA829 and UNK_GreenSec in Cybercrime Intersection

    Overlapping Threats: Unveiling the Connection Between TA829 and UNK_GreenSec

    Researchers at Proofpoint have reported a striking overlap between two distinct threat actor clusters: TA829 and a cluster the company tracks provisionally as UNK_GreenSec. The finding is notable because it shows a state-aligned espionage operation and a financially motivated cybercrime operation sharing infrastructure and delivery methods, which complicates how defenders attribute and categorize these campaigns.

    A Deep Dive into TA829

    TA829 conducts both espionage and financially motivated cybercrime. Its activities align with Russian state interests, and it runs tailored campaigns built on customized tooling, most notably the RomCom backdoor and the DustyHammock malware. That adaptability and resourcing lets the group move between espionage-focused missions and financially driven operations.

    The Intricacies of UNK_GreenSec

    The newly identified UNK_GreenSec cluster stands out primarily because it delivers TransferLoader, a new loader and backdoor that has been associated with Morpheus ransomware infections. Its activity does not match any previously observed cluster, so its affiliations and motives remain uncertain.

    Shared Infrastructure and Delivery Tactics

    A key overlap between TA829 and UNK_GreenSec lies in their delivery infrastructure, in particular their use of compromised MikroTik routers made available through the REM Proxy service. Both groups have relayed phishing emails through these nodes, with lures that masquerade as job applications or security notifications. The links in those messages lead victims to spoofed OneDrive or Google Drive landing pages, which lend the campaigns an appearance of legitimacy.

    Both clusters build their phishing campaigns the same way: they route mail through these proxies and send from generic addresses whose uniform appearance suggests a common account-creation tool. This shared tradecraft initially led Proofpoint's researchers to attribute the activity to TA829; only after identifying anomalies did they split UNK_GreenSec out as a separate cluster.

    The Infection Chain Explained

    The infection chains used by the two groups run in parallel for most of their length. Each begins with a plaintext email to the target containing a link to an actor-controlled domain, which redirects to a landing page imitating a legitimate cloud storage service. From there, both clusters deliver loaders disguised as ordinary PDF documents. The chains diverge at the payload stage: TA829 deploys variants of RomCom or DustyHammock, whereas UNK_GreenSec delivers TransferLoader, which has led on to Morpheus ransomware deployment.

    Disturbing Differences

    Despite the similarities, operational differences separate the clusters. UNK_GreenSec runs larger campaigns that blanket a wide range of industries and regions with phishing messages. It also filters visitors server-side using Cloudflare services, a technique TA829 has since adopted.

    Although both groups register domains with similar providers, their hosting choices differ: TA829 favors ShockHosting and Aeza, while UNK_GreenSec predominantly runs nginx on Ubuntu servers and uses IPFS for payload delivery.
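    The delivery features described in the last three sections (lure subjects, lookalike cloud-storage landing domains, IPFS gateway URLs for payloads, and loaders posing as PDFs) are all things a mail gateway or SOC can check for mechanically. The Python below is an added example written for this page; it is not Proofpoint's code or any tooling from the report. Every sample record, address, domain and CID in it is constructed, and the allow list of legitimate cloud-storage hosts is an assumption to be replaced with an organisation's own list.

```python
import re
from urllib.parse import urlparse

# Constructed sample records in the shape of a mail-gateway export. Every
# address, domain and CID here is made up for the example; none is a real
# indicator from the Proofpoint report.
SAMPLE_EMAILS = [
    {
        "id": 1,
        "subject": "Job application - Senior Accountant",
        "sender": "applicant.jane.doe@example-freemail.invalid",
        "url": "https://onedrive-share.example-lure.invalid/view/cv",
        "attachment_name": "CV_Jane_Doe.pdf",
        "attachment_head": b"MZ\x90\x00\x03\x00",  # PE header, not a PDF
    },
    {
        "id": 2,
        "subject": "Quarterly report",
        "sender": "reports@vendor.example.com",
        "url": "https://onedrive.live.com/redir?resid=abc123",
        "attachment_name": "report.pdf",
        "attachment_head": b"%PDF-1.7\n",
    },
    {
        "id": 3,
        "subject": "Security notification: unusual sign-in detected",
        "sender": "noreply.alerts@example-freemail.invalid",
        "url": "https://gateway.example-ipfs.invalid/ipfs/bafybeiexamplecid",
        "attachment_name": None,
        "attachment_head": b"",
    },
]

# Assumed allow list: the real hosts behind the services the lures imitate.
# Replace with the organisation's own list in practice.
LEGIT_CLOUD_DOMAINS = (
    "onedrive.live.com", "1drv.ms", "sharepoint.com",
    "drive.google.com", "docs.google.com",
)
# Brand fragments that should not appear in a host outside the allow list.
CLOUD_BRAND_TOKENS = ("onedrive", "1drv", "sharepoint", "googledrive", "gdrive")

# Subject themes the article attributes to both clusters.
LURE_RE = re.compile(
    r"\b(job application|resume|curriculum vitae|cv|"
    r"security (notification|alert)|unusual sign[- ]?in|password (reset|expir))",
    re.IGNORECASE,
)


def lookalike_cloud_host(host: str) -> bool:
    """True when a host borrows a cloud-storage brand but is not on the allow list."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_CLOUD_DOMAINS):
        return False
    return any(token in host for token in CLOUD_BRAND_TOKENS)


def ipfs_url(host: str, path: str) -> bool:
    """True for IPFS gateway URLs (path-style /ipfs/<cid> or /ipns/<name>)."""
    return path.startswith(("/ipfs/", "/ipns/")) or host.lower().startswith("ipfs.")


def triage(email: dict) -> list:
    """Return the delivery-chain features found in one record, in a fixed order."""
    reasons = []
    if LURE_RE.search(email.get("subject", "")):
        reasons.append("lure_subject")

    parsed = urlparse(email.get("url") or "")
    if parsed.hostname and lookalike_cloud_host(parsed.hostname):
        reasons.append("cloud_lookalike")
    if parsed.hostname and ipfs_url(parsed.hostname, parsed.path):
        reasons.append("ipfs_url")

    name = email.get("attachment_name") or ""
    head = email.get("attachment_head") or b""
    if name.lower().endswith(".pdf") and not head.startswith(b"%PDF-"):
        reasons.append("pdf_magic_mismatch")  # claims PDF, content says otherwise
    if head.startswith(b"MZ"):
        reasons.append("pe_attachment")  # Windows executable regardless of name
    return reasons


def triage_all(emails: list) -> dict:
    """Map each record id to its reasons, keeping only records that hit a check."""
    return {e["id"]: r for e in emails if (r := triage(e))}


if __name__ == "__main__":
    for email_id, reasons in triage_all(SAMPLE_EMAILS).items():
        print(email_id, ", ".join(reasons))
```

    The magic-byte check is the one that matters most here: a file named `.pdf` whose first bytes are `MZ` is a Windows executable whatever the icon shows, which is exactly the disguise the loaders in both chains rely on. The lure regex and brand-token list are deliberately coarse and will produce noise on their own; in practice they are scoring inputs, not standalone verdicts.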

    Competing Theories on Their Relationship

    The overlap raises the question of how TA829 and UNK_GreenSec are related. Proofpoint has put forward four working theories:

    1. Shared infrastructure: both groups buy services from the same third-party provider, and the overlap reflects that common supplier rather than direct cooperation.

    2. Resource procurement: TA829 sources infrastructure on behalf of UNK_GreenSec, which would blur accountability between the two.

    3. Dual-use operation by UNK_GreenSec: UNK_GreenSec is itself an infrastructure provider that also chooses to deploy its own malware selectively.

    4. Single entity experimentation: both clusters are one entity experimenting with new methods and tooling.

    The Blurred Lines of Espionage and Cybercrime

    Proofpoint's researchers emphasize that the line between espionage and conventional cybercrime is increasingly blurred. The convergence of tactics, techniques, and procedures (TTPs) across the two groups complicates attribution and calls for a rethink of how threats are categorized. Since February 2025, TA829's campaigns have grown in sophistication, frequency, and breadth, and its methods and infrastructure have become more closely intertwined with those of UNK_GreenSec.

    Continued Vigilance and Monitoring

    The scale of this investigation underscores how hard it is to pin down the exact relationship between TA829 and UNK_GreenSec; the researchers caution that no conclusive evidence of a direct connection has been found yet. Whatever the relationship turns out to be, the shared tradecraft points to a broader trend that defenders must watch for. Proofpoint continues to track the two clusters separately and to monitor for developments that may clarify this intersection of cybercrime and espionage.
