The cybersecurity landscape faces a renewed threat as TA829, a sophisticated threat actor group, has emerged with enhanced tactics, techniques, and procedures (TTPs) alongside an upgraded version of the notorious RomCom backdoor.<\/p>\n
This hybrid cybercriminal-espionage group has demonstrated remarkable adaptability, conducting both financially motivated attacks and state-aligned espionage operations, particularly following the invasion of Ukraine.<\/p>\n
The actor\u2019s unique positioning in the threat ecosystem represents a concerning evolution in modern cyber warfare, where traditional boundaries between cybercrime and espionage continue to blur.<\/p>\n
TA829\u2019s attack methodology centers on highly targeted phishing campaigns<\/a> that leverage compromised MikroTik routers operating as REM Proxy services.<\/p>\n These compromised devices, typically hosting SSH services on port 51922, serve as upstream infrastructure for relaying malicious traffic through newly created accounts at freemail providers.<\/p>\n The group\u2019s email campaigns feature plaintext messages with generic job-seeking or complaint themes, each containing unique links that route targets through elaborate redirection chains before delivering the malicious payload.<\/p>\n The group\u2019s arsenal includes several sophisticated malware<\/a> variants, with the upgraded RomCom backdoor now manifesting as SingleCamper and DustyHammock.<\/p>\n Proofpoint researchers identified<\/a> these variants as part of TA829\u2019s regularly updated suite of tools, noting their integration into a unified infection management system.<\/p>\n The malware demonstrates advanced evasion capabilities through registry-based operations and sophisticated anti-analysis techniques.<\/p>\n Following initial infection through phishing emails that spoof OneDrive or Google Drive interfaces, victims unknowingly download the SlipScreen loader, which serves as the first stage of the infection chain.<\/p>\n This loader, often signed with fraudulent certificates and disguised with PDF reader icons, implements multiple detection evasion mechanisms.<\/p>\n The malware performs critical registry checks to ensure the targeted system contains at least 55 recent documents, effectively avoiding sandbox environments that typically lack such user activity traces.<\/p>\n The most notable evolution in TA829\u2019s upgraded RomCom backdoor lies in its sophisticated registry-based persistence mechanism.<\/p>\n The SlipScreen loader decrypts and executes shellcode directly within its memory space, initiating communications with command and control servers only after successful environmental validation.<\/p>\n Upon verification, the system downloads additional components including RustyClaw or MeltingClaw loaders, which establish persistence through COM hijacking techniques.<\/p>\n The persistence mechanism involves manipulating specific registry keys such as This technique effectively embeds the malware deep within the Windows operating system\u2019s core processes, making detection and removal significantly more challenging for traditional security solutions.<\/p>\n The registry-based approach also enables the malware to store encrypted payloads across multiple registry locations, further complicating forensic analysis<\/a> efforts.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post TA829 Hackers Employs New TTPs and Upgraded RomCom Backdoor to Evade Detections<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgic01SOpTnaJnfVwP1dxxhr8nhyhEJKLFYmYxFBpyFg051RBsnf2GZb4HgZAulZG3NEb2CiBrXJy6h-8nWp2Q5pkCISZ0QOnpVeaHVn-Ye0MKS4aXWFvq4xrL9g-WuBv3rt4f9QL_wu9dwurFOshjGwRlWOaquDurtdNGtLYzDAo-BRQ8jbsz_h3hjY68\/s16000\/Delivery%2520and%2520installation%2520for%2520the%2520UNK_GreenSec%2520and%2520TA829%2520%28Source%2520-%2520Proofpoint%29.webp?ssl=1\")
Advanced Registry-Based Persistence Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh15QFoZ0waOYK0gfPadueoleCpx2_NDZ2NE4MkK3FMJb98pRzgNUFAcPaNd_iHxHHI0wqLJG6E5Gx0S-acBNrm-CqFoHHyvgZhWFcsdTyZdfXuv6RkS_dWX71lAWjbCl9ZlwzRVokAsAd3OoY7SQdtU_7vIVSamgaxYnCYOSvH7ER80RrbGIUYbfVeXWg\/s16000\/TA829%2520download%2520JavaScript%2520%28Source%2520-%2520Proofpoint%29.webp?ssl=1\")
SOFTWAREClassesCLSID{2155fee3-2419-4373-b102-6843707eb41f}InprocServer32<\/code>, allowing the malware to survive system reboots by executing during explorer.exe restarts.<\/p>\n