TA829, a hybrid cybercriminal and espionage threat actor, has resurfaced with refreshed tactics, techniques, and procedures (TTPs) and an upgraded version of the RomCom backdoor. The group has carried out both financially motivated intrusions and state-aligned espionage operations, particularly since the invasion of Ukraine, and its dual role illustrates how the boundary between cybercrime and espionage continues to blur.

The group's arsenal includes several malware variants, and the upgraded RomCom backdoor now appears as SingleCamper and DustyHammock. Proofpoint researchers identified these variants as part of TA829's regularly updated toolset and noted that they are run from a unified infection management system.

TA829's attacks begin with highly targeted phishing campaigns built on compromised MikroTik routers operating as REM Proxy services. These devices, which typically expose SSH on port 51922, act as upstream infrastructure for relaying malicious traffic through newly created accounts at freemail providers. The emails themselves are plaintext messages with generic job-seeking or complaint themes, each carrying a unique link that sends the target through a chain of redirects before the payload is delivered.

The links end on pages that spoof OneDrive or Google Drive interfaces, from which the victim downloads the SlipScreen loader, the first stage of the infection chain. The loader is often signed with fraudulent certificates and carries a PDF reader icon, and it implements several detection evasion mechanisms. Before doing anything else it checks the registry to confirm the host has at least 55 recent documents, a trace of real user activity that sandbox environments typically lack. Only after this environmental validation succeeds does SlipScreen decrypt and execute shellcode within its own memory and open communications with its command and control servers. The next stage retrieves the RustyClaw or MeltingClaw loaders, which establish persistence through COM hijacking.

The most notable change in the upgraded RomCom backdoor is its registry-based persistence. The malware writes to CLSID keys such as SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32 so that its DLL is loaded whenever explorer.exe instantiates that COM object, which lets the implant survive reboots without a service, scheduled task or Run key. Where the entry sits under the per-user HKCU hive, it can be written without administrative rights and takes precedence over the legitimate server registered under HKLM, because Windows consults HKCU\Software\Classes first when resolving a CLSID. Running inside explorer.exe embeds the malware in a core Windows process and makes detection and removal significantly harder for traditional security solutions. The same registry-based approach lets the malware store encrypted payloads across multiple registry locations, which complicates forensic analysis, and together with its anti-analysis techniques accounts for the implant's evasion capabilities.
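The two registry artifacts described above, SlipScreen's recent-documents gate and the per-user CLSID\InprocServer32 entries used for COM hijacking, can both be triaged from a registry export. The script below is an added example written for this article; it is not TA829 tooling and not Proofpoint's detection logic. It parses a .reg export offline, reports the RecentDocs count against the threshold of 55, and flags per-user InprocServer32 entries, including the CLSID named in the article. The RecentDocs key path, the rule of counting numbered MRU values, the trusted-directory list and the sample export itself are assumptions constructed for the example.

```python
"""Offline triage of a Windows .reg export for two RomCom-related artifacts:
the RecentDocs count SlipScreen compares with 55, and per-user
CLSID\\InprocServer32 entries used for COM hijacking. Example code for this
article, not TA829 tooling or Proofpoint detection logic; the RecentDocs path,
the counting rule and the trusted-directory list are assumptions."""

import re

# Assumed location of the recent-documents MRU the loader inspects.
RECENT_DOCS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                   r"\CurrentVersion\Explorer\RecentDocs")
RECENT_DOCS_THRESHOLD = 55  # minimum reported for SlipScreen to proceed
ROMCOM_CLSID = "{2155fee3-2419-4373-b102-6843707eb41f}"  # named in the article
# Assumed: a COM server DLL outside these directories deserves a closer look.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")

VALUE_RE = re.compile(r'^("([^"]*)"|@)=(.*)$')
CLSID_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9a-f-]+\})"
    r"\\InprocServer32$", re.I)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_value}}.
    Handles the '@' default value and hex data continued with a trailing backslash."""
    keys, current, pending, chunks = {}, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation of a multi-line hex value
            chunks.append(line.rstrip("\\").strip())
            if not line.endswith("\\"):
                keys[current][pending] = "".join(chunks)
                pending, chunks = None, []
            continue
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            value = m.group(3)
            if value.endswith("\\"):
                pending, chunks = name, [value.rstrip("\\").strip()]
            else:
                keys[current][name] = value
    return keys


def reg_string(raw):
    """Unquote a REG_SZ value as regedit writes it (doubled backslashes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def recent_docs_count(keys):
    """Numbered MRU entries directly under RecentDocs; sandboxes have few or none."""
    return sum(1 for name in keys.get(RECENT_DOCS_KEY, {}) if name.isdigit())


def passes_sandbox_check(keys, threshold=RECENT_DOCS_THRESHOLD):
    """Mirror of the loader's gate: would it treat this host as a real user's machine?"""
    return recent_docs_count(keys) >= threshold


def find_com_hijacks(keys):
    """Return (clsid, dll_path, reasons) for suspicious per-user InprocServer32 keys.
    HKCU\\Software\\Classes is consulted before HKLM when COM resolves a CLSID, so a
    user-writable entry shadows the legitimate server without admin rights."""
    findings = []
    for key, values in keys.items():
        m = CLSID_KEY_RE.match(key)
        if not m:
            continue
        clsid = m.group(1).lower()
        dll = reg_string(values.get("(Default)", ""))
        reasons = []
        if clsid == ROMCOM_CLSID:
            reasons.append("CLSID associated with RomCom COM hijacking")
        if not dll.lower().startswith(TRUSTED_DLL_DIRS):
            reasons.append("server DLL outside trusted directories")
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings


def triage(reg_text):
    keys = parse_reg_export(reg_text)
    return {"recent_docs": recent_docs_count(keys),
            "sandbox_check_passed": passes_sandbox_check(keys),
            "com_hijacks": find_com_hijacks(keys)}


# Constructed sample export: three recent documents (a sandbox-like host) and
# two per-user COM servers, one of them the CLSID named in the article.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUListEx"=hex:02,00,00,00,01,00,00,00,00,00,00,00,ff,ff,ff,ff
"0"=hex:72,00,65,00,70,00,6f,00,72,00,74,00,2e,00,64,00,6f,00,63,00,78,00,00,00
"1"=hex:62,00,75,00,64,00,67,00,65,00,74,00,2e,00,78,00,6c,00,73,00,78,00,00,\
  00
"2"=hex:6e,00,6f,00,74,00,65,00,73,00,2e,00,74,00,78,00,74,00,00,00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\update\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"ThreadingModel"="Both"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REG)
    print(f"RecentDocs entries: {result['recent_docs']} "
          f"(loader would proceed: {result['sandbox_check_passed']})")
    for clsid, dll, reasons in result["com_hijacks"]:
        print(f"COM hijack candidate {clsid} -> {dll}: {'; '.join(reasons)}")
```

On a live host the export is produced with `reg export HKCU\Software\Classes\CLSID out.reg` and `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" recent.reg`; for an offline image, load the NTUSER.DAT hive first. Per-user applications such as cloud sync clients legitimately register COM servers under HKCU, so the trusted-directory heuristic yields leads, not verdicts: verify the DLL's signature and check whether the same CLSID exists under HKLM before acting. A sandbox that wants to survive SlipScreen's gate should be seeded with well over 55 RecentDocs entries, since the count is what the loader reads, not the files themselves.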
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Jul 2025 07:00:19 +0000