New Report Uncovers Major Overlaps in Cybercrime and State-Sponsored Espionage
The lines between cybercrime and espionage are increasingly blurring, eroding the traditional distinctions between criminal hackers and state-sponsored actors. In a report published on June 30, Proofpoint highlighted substantial overlaps between two malicious campaigns. One originated from TA829, a hybrid hacking group that conducts both cyber extortion and pro-Russian cyber espionage activities, and the other from a newly identified cybercriminal cluster tracked as UNK_GreenSec.
While it is unclear how the known threat actor and the new cluster are linked, Proofpoint estimated that the similarities between the two groups’ activities suggest that the barriers between cyber espionage and cybercrime are dissolving.
TA829, A Cyber Extortion Group Conducting Cyber Espionage
TA829 is a unique hybrid threat actor. Initially tracked as a financially motivated group, TA829 also regularly conducts espionage campaigns using the same custom tool suite. Following the invasion of Ukraine, TA829 began conducting targeted espionage campaigns in Ukraine, in alignment with Russian state interests, in addition to its more traditional cyber extortion campaigns.
The group’s typical tactics, techniques and procedures (TTPs) involve phishing campaigns to deploy variants of its SingleCamper (aka SnipBot) backdoor, an updated version of RomCom, or the lightweight DustyHammock malware. The group’s automated and scaled processes, such as the regular updating of packers and loaders, the use of varied sending infrastructure and source addresses for each target, and the use of extensive redirection chains to detect and evade researchers, are more typical of cybercriminals than of espionage actors.
However, it also deploys higher-end capabilities, such as the use of browser or operating-system zero-day exploits, in dedicated espionage campaigns. The Proofpoint researchers tracking TA829 noted that the group’s activity overlaps with that of other groups and clusters tracked by different vendors, such as RomCom, Void Rabisu, Storm-0978, CIGAR, Nebulous Mantis and Tropical Scorpius.
“It is unclear if the actor’s capabilities are co-opted for the espionage campaigns, or if there is some other form of guidance or tasking from the Russian government,” said the researchers. This ambiguity highlights the increasingly blurred lines between cybercrime and state-sponsored espionage, leaving law enforcement and cybersecurity professionals with a challenging task in attributing and tracking these malicious activities.
Four TA829-Like Campaigns Attributed to a New Cluster
According to Proofpoint, TA829’s activity had been relatively quiet over the past year until the group resurfaced in February 2025 with a series of campaigns aimed at deploying a previously unobserved malware payload. Upon investigating these February campaigns, the Proofpoint researchers noticed that four of them featured the hallmark characteristics of TA829 activity but contained notable differences, including message volumes in the thousands targeting a broader set of industries and geographies, lure themes that consistently referenced job applications and hiring, and a unique payload that came to be known as TransferLoader.
They attributed these four campaigns to a new cluster that Proofpoint tracks as UNK_GreenSec.
TA829 and UNK_GreenSec: Similarities and Differences
The most recent TA829 campaigns and the four campaigns attributed to UNK_GreenSec share many similarities, including:
• The main campaigns are similar in terms of the tactics and techniques used.
• Both groups deploy the same malware payloads: SingleCamper for TA829 and TransferLoader for UNK_GreenSec.
• Both use phishing campaigns to deploy malware.
• Both focus on targeting government institutions, companies with sensitive data, and research organizations.
The most recent TA829 campaigns and the four campaigns attributed to UNK_GreenSec also differ in several respects:
• The payloads used by the two groups differ.
• TransferLoader has unique capabilities that are not seen in SingleCamper.
• UNK_GreenSec’s message volumes are in the thousands and target a broader set of industries and geographies.
Four Hypotheses About the TA829-UNK_GreenSec Link
While there is not sufficient evidence to substantiate the exact nature of the relationship between TA829 and UNK_GreenSec, there is very likely a link between the groups, according to Proofpoint. The researchers have suggested four potential hypotheses:
Hypothesis 1: Joint Operations
Proofpoint suggests that the groups may be operating together as part of a coordinated effort to further Russian state interests.
Hypothesis 2: Co-Opted Capabilities
The researchers propose that TA829’s capabilities are being co-opted for use in UNK_GreenSec's campaigns, with the new cluster benefiting from the expertise and resources of the more established group.
Hypothesis 3: Shared Infrastructure
Another hypothesis is that both groups share infrastructure and resources, allowing them to collaborate on attacks against specific targets.
Hypothesis 4: Shared Goals
The final hypothesis suggests that both TA829 and UNK_GreenSec are motivated by shared goals and objectives, potentially linked to the Russian government or other state actors.
The Blurring of Lines Between Cybercrime and State-Sponsored Espionage
Proofpoint's report highlights the increasingly blurred lines between cybercrime and state-sponsored espionage, leaving law enforcement and cybersecurity professionals with a challenging task in attributing and tracking these malicious activities. As the threat landscape continues to evolve, it is essential for researchers and experts to remain vigilant and work together to combat the growing threats posed by hybrid threat actors like TA829 and UNK_GreenSec.