10 Things I Hate About Attribution: RomCom vs. TransferLoader
July 1, 2025, 8:36 a.m.
Description
This report analyzes the activities of two threat actor clusters: TA829 and UNK_GreenSec. TA829 conducts both espionage and cybercrime operations using tools like SingleCamper and DustyHammock. UNK_GreenSec deploys TransferLoader malware leading to ransomware infections. The actors share similarities in infrastructure, delivery tactics, and lure themes, raising questions about their relationship. Four hypotheses are presented regarding their potential connection, ranging from shared third-party services to being the same actor. The report highlights the increasing overlap between cybercrime and espionage activities, making attribution more challenging in the current threat landscape.
Tags
Date
- Created: July 1, 2025, 8:07 a.m.
- Published: July 1, 2025, 8:07 a.m.
- Modified: July 1, 2025, 8:36 a.m.
Indicators
- fba9f2c351e898bfc61c8b1181020212ccb9e55041c4dd433ca2867dbf796469
- f5f2761278163a1a813356666cb305fe37806f5f633b2a5475997f10d24fb3d4
- e7917ff12114be5c79ca9bd0082eb628192c2ebfbee7aad2ae626ea208ee37cf
- cd526475391c375e8e40f0146146672928db9bbf210acb41e0fd41381cd5eb9a
- 8f3b065e6aa6bc220867cdcb1c250c69b2d46422c51f66f25091f6cab5d043de
- 7fc65b23e0a85f548e4268b77b66a3c9f3d08b9c1817c99bc1336d51d36e1ec6
- 6d5226cba687d99ce14eda8de290edd470e79436625618559c8db1458a53666c
- 7e51eb44cfd945f4a155707f773fae3207ebfb59d45ea866ba69bd9bc28dfc32
- 54a94c7ec259104478b40fd0e6325d1f5364351e6ce1adfd79369d6438ed6ed9
- 3a234b49b834849689da477f77ca6363b40ee83e58213ee51b1ec248da90a543
- 33971df8f5c34c3c79f64e2e28e300260499285bd37f77295ba88897728ace4b
- 1c6a5476d485d311be1e07c2e0d2ae322214caa5d4f84398d4169d499105b01a
- 00385cae3630694eb70e2b82d5baa6130c503126c17db3fc63376c7d28c04145
- 07b9e353239c4c057115e8871adc3cfb42467998c6b737b28435ecc9405001c9
- ms.share-onedr.com
- workspace-doc.live
- temptransfer.live
- supportcausems.com
- site-staff.sale
- share-pdf.live
- share-doc.live
- pdfshare.click
- onlinedrive.click
- opendnsapi.net
- onestorelink.live
- onelivedrv.com
- onefile.social
- onedrivems.works
- onedrweb.live
- onedrivems.cloud
- onedrivecloud.net
- onedrivecloud.live
- onedrivecloud.expert
- onedrivecloud.click
- onedr.expert
- ondv.live
- ondrve.live
- myonedrive365.live
- mydrv1.live
- my1drv.live
- my1drv.online
- msvhost.com
- my-356drv.online
- mspdf.live
- mngersrv.com
- livestorage.click
- lauradream.com
- healthfy.bio
- gworkspace.social
- gdrvdocs.online
- gdrive-share.online
- gdl-cloud.works
- file-share.works
- file-acess.live
- dvcloud.live
- drsync.click
- drshare.online
- drivestorage.online
- drivepublic.live
- drivehub.live
- drivehost.live
- drivedefend.com
- dr365.live
- diskstorage.click
- documentapproved.click
- deliverycitylife.com
- datadrv1.com
- d1rv.social
- data-dv.live
- consvcprivacy.com
- cloudly.live
- clouderive.com
- cloud1dv.com
- cloud-pdf.online
- cdngateway.us
- 365work.chat
- 365msdrv.live
- 365drv.live
- 1dvstorage.com
- 1dv365.live
- 1drvms.space
- 1drw.live
- 1drvfiles.online
- 1drv365.online
- 1drvcloud.online
- 1drv365.live
- 1drv.zone
- 1drv.site
- 1drv.world
- 1drv.me
- 1drv-team.works
- 1drv.biz
- 1drivems.works
- 1drivecloud.click
- 1drivecloud.live
- 1drivems.expert
- 1drive.works
- 1drive.expert
- 1drive.social
- 1drive-work.online
- 1drive.bio
- 1dcloud.live
- 1day.live
Additional Informations
- Defense
- sharepdf.limited
- journalctl.website
- file-cloud.company
- 1share.limited
- Ukraine
- United States of America