Mallory
4 malware families

UNK_GreenSec

Also known as: unk_greensec

UNK_GreenSec is a threat cluster linked to TransferLoader malware and associated ransomware deployment. Reporting describes the cluster as involved in ongoing malware campaigns and, in one instance, as Russia-attributed or Russia-linked, though some campaign-level attribution remains low confidence. Researchers noted highly similar infrastructure and tradecraft overlaps between UNK_GreenSec and the Russia-linked operation TA829 (also known as Nebulous Mantis, Storm-0978, UNC2596, and RomCom/Void Rabisu/Tropical Scorpius in related reporting), including the use of REM proxy services relaying traffic to newly created freemail accounts, SSH tunnels established with PuTTY PLINK, and IPFS services for utility hosting. Proofpoint assessed that the overlap could indicate a shared third-party infrastructure provider or that the two clusters may be the same operation. UNK_GreenSec activity has been tied to TransferLoader, which subsequently launches the Morpheus and Metasploit ransomware strains. Separate reporting linked infrastructure used in the ZipLine campaign to UNK_GreenSec; ZipLine targeted supply-chain-critical manufacturing and other organizations, especially in the United States, using contact-form-initiated social engineering, fake NDA-themed lures, malicious ZIP archives, LNK-triggered PowerShell loaders, COM TypeLib hijacking for persistence, and the MixShell backdoor, which used DNS TXT tunneling with HTTP fallback for command and control. Reporting also states that UNK_GreenSec used NDA-themed lures in August 2025 to deliver the MixShell backdoor. Known alias: unk_greensec.
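The MixShell backdoor described above used DNS TXT tunneling for command and control. DNS tunneling of this kind tends to leave a recognizable footprint in resolver logs: one client issuing an unusual volume of TXT queries to a single registered domain, almost every query name unique, and the leftmost label looking like encoded data rather than a hostname. The following Python block is an added example written for this page, not code from Mallory or from any of the reporting cited; it parses a small set of constructed resolver log lines (format `<epoch> <client_ip> <qtype> <qname>`, an assumption, as are the `.invalid` domain and the thresholds) and flags client/domain pairs that match that footprint. A legitimate mail server looking up SPF and DMARC TXT records is included to show that ordinary TXT traffic does not trip the heuristic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the page). Format assumed:
# <epoch> <client_ip> <qtype> <qname>
# 10.0.0.15 issues many TXT queries with hex-looking leftmost labels to one
# domain; 10.0.0.42 is a mail server doing ordinary SPF/DMARC lookups.
SAMPLE_DNS_LOG = """\
1723200001 10.0.0.15 A www.example.com
1723200002 10.0.0.15 TXT 3a9f1c2e7b4d.q.updates-cdn.invalid
1723200003 10.0.0.15 TXT 8e2b77c1a0f5.q.updates-cdn.invalid
1723200004 10.0.0.15 TXT c04d19e6b2a8.q.updates-cdn.invalid
1723200005 10.0.0.15 TXT 5f7e3a1d9c0b.q.updates-cdn.invalid
1723200006 10.0.0.15 TXT b18c4e2f0a63.q.updates-cdn.invalid
1723200007 10.0.0.15 TXT e6a0d3c71f9b.q.updates-cdn.invalid
1723200008 10.0.0.15 TXT 2d9b5f8e1c47.q.updates-cdn.invalid
1723200009 10.0.0.15 TXT 7c3e1a9f4b0d.q.updates-cdn.invalid
1723200010 10.0.0.15 A mail.example.com
1723200011 10.0.0.42 TXT example.com
1723200012 10.0.0.42 TXT _dmarc.example.com
1723200013 10.0.0.42 TXT example.com
"""


def shannon_entropy(s):
    """Bits of Shannon entropy per character; encoded data scores high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse log lines into (epoch, client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate noise rather than abort the whole scan
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def registered_domain(qname):
    """Naive registrable-domain cut (last two labels); a public-suffix list is
    the production-grade replacement, assumed out of scope here."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_txt_tunnel_candidates(records, min_queries=8, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, domain) pairs whose TXT traffic looks like a tunnel:
    many queries, nearly all distinct names, high-entropy leftmost labels.
    Thresholds are illustrative assumptions, to be tuned per environment."""
    per_pair = defaultdict(list)
    for _, client, qtype, qname in records:
        if qtype == "TXT":
            per_pair[(client, registered_domain(qname))].append(qname)

    findings = []
    for (client, domain), qnames in per_pair.items():
        if len(qnames) < min_queries:
            continue
        unique_ratio = len(set(qnames)) / len(qnames)
        avg_entropy = sum(shannon_entropy(q.split(".")[0]) for q in qnames) / len(qnames)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(qnames),
                "unique_ratio": round(unique_ratio, 2),
                "avg_label_entropy": round(avg_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for hit in find_txt_tunnel_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

Because MixShell fell back to HTTP when DNS tunneling failed, a DNS-only detection is one half of the picture; the same per-host aggregation logic applies to proxy logs, where the equivalent signals are a high count of small POST requests to one newly seen domain with unique URL paths.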
