CFOtech UK - Technology news for CFOs & financial decision-makers
Proofpoint links TA829 & UNK_GreenSec in cybercrime overlap

Yesterday

Researchers at cybersecurity company Proofpoint have identified significant overlap between two threat actor clusters, TA829 and a temporarily named cluster referred to as UNK_GreenSec, in operations that combine elements of both state-aligned espionage and financially motivated cybercrime.

The analysis highlights shared infrastructure, overlapping delivery tactics, and common malware components, prompting questions about whether the two clusters are collaborating directly, sharing third-party resources, or represent a single entity experimenting with new techniques.

Espionage and cybercrime crossovers

TA829 has been observed conducting both financially motivated cybercrime and espionage campaigns, some of which are aligned with Russian state interests. The group employs custom-developed tools such as the RomCom backdoor and DustyHammock malware in its operations.

Proofpoint attributes the deployment of a new loader and backdoor, known as TransferLoader, to the separate UNK_GreenSec cluster. TransferLoader has been linked with Morpheus ransomware infections. Unlike TA829, UNK_GreenSec does not align with any previously reported activity sets, marking it as unusual within the cybercriminal ecosystem.

According to Proofpoint, both clusters utilise compromised MikroTik routers, also known as REM Proxy nodes, for distributing phishing emails. These emails often feature job application or security breach lures and lead victims to spoofed OneDrive or Google Drive landing pages, making the campaigns appear legitimate to potential targets.

Infrastructure and tactics

The two clusters show substantial similarities in how they construct their phishing campaigns and deliver malware. Both rely on REM Proxy services to route emails via compromised routers and use freemail providers to send bulk phishing messages. The sender addresses tend to feature a generic pattern, suggesting the use of shared email creation utilities.

"While hunting for TA829, Proofpoint observed another actor using an unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes. Initially our researchers clustered this activity as part of TA829, but after further investigation into the infection chain, behaviors, and malware, Proofpoint researchers began tracking this activity as a separate cluster. This report will detail that collision by highlighting overlaps in the activity and malware across both actors. Additionally, we will explore our hypotheses for why and how these shared traits exist, ranging from both groups using a shared infrastructure and delivery provider to a more direct relationship between the two clusters," the Proofpoint report states.

The infection chain for both sets of actors includes plaintext email messages, actor-controlled domains, and redirectors leading to spoofed cloud storage landing pages. These landing pages distribute signed loaders disguised as PDFs, but at this stage, the malware diverges: TA829 delivers variants of its existing RomCom or DustyHammock malware, while UNK_GreenSec deploys TransferLoader, leading to Morpheus ransomware infections.

Notable differences

Despite the similarities, there are operational differences. Campaigns attributed to UNK_GreenSec tend to be larger in scale, sending thousands of messages and targeting a wide range of industries and geographies, whereas TA829 often operates with smaller message volumes and more targeted phishing. UNK_GreenSec also employs improved filtering and obfuscation measures, such as server-side filtering using Cloudflare services, to prevent automated analysis from security researchers – a tactic later adopted by TA829.

Hosting infrastructure for the two actors shows both overlap and differences. Domains are often registered with the same or similar providers, such as Tucows and Rebrandly. However, backend hosting companies and technical setups sometimes differ: TA829 favours ShockHosting and Aeza, using OpenResty, while UNK_GreenSec commonly uses nginx on Ubuntu servers and IPFS for payload delivery.

Competing hypotheses

"The investigation of both sets of activity raises questions of whether these actors are related or the overlap is coincidental. These include similarities in TTPs, infrastructure, and malware. The timing of UNK_GreenSec activity during a TA829 break and the connection to Morpheus and HellCat ransomware further reinforce the possibility of a relationship between UNK_GreenSec and TA829."

The report lays out four principal theories: both clusters might source infrastructure from the same third-party provider; TA829 might have procured infrastructure for UNK_GreenSec; UNK_GreenSec could be a provider that occasionally deploys its own malware; or, less likely, the two are the same actor experimenting with a new tool family.

Evolving landscape

Proofpoint researchers note that the distinction between espionage operations and cybercrime is becoming increasingly blurred. "In the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing the distinctive barriers that separate criminal and state actors. Campaigns, indicators, and threat actor behaviors have converged, making attribution and clustering within the ecosystem more challenging."

According to the report, TA829's campaigns have grown more frequent and sophisticated since February 2025, using methods and infrastructure also evident in UNK_GreenSec's campaigns. Both clusters have made use of utility programs such as PuTTY's PLINK for establishing SSH tunnels and have hosted payloads using decentralised services like IPFS.

Ongoing analysis

The researchers acknowledge the complexity of determining the relationship between the two clusters, stating there is not yet enough evidence to conclusively define their connection.

"While there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and UNK_GreenSec, there is very likely a link between the groups. Proofpoint will continue to track both activity sets separately and investigate further developments and overlaps in both groups' TTPs."