TA829
TA829 is a Russia-aligned threat actor also tracked as Nebulous Mantis, Storm-0978, and UNC2596. Reporting cited in the source material associates TA829 with the RomCom RAT and describes the group as conducting both espionage and financially motivated attacks. The same reporting states that the actor has exploited zero-day vulnerabilities in Firefox and Windows. Recent reporting describes strong tactical and infrastructure overlap between TA829 and the threat cluster UNK_GreenSec. Shared tradecraft includes the use of REM proxy services to relay traffic to newly created freemail accounts, the establishment of SSH tunnels with PuTTY's PLINK utility, and the use of IPFS services to host utilities. Researchers assess that TA829 and UNK_GreenSec may share a third-party infrastructure provider or may be the same operation. In the activity described, TA829 intrusions involved the MeltingClaw and RustyClaw downloaders, which delivered the ShadyHammock, DustyHammock, and SingleCamper backdoors. The source material links TA829 to ongoing malware campaigns and notes a broader blurring of cybercrime and espionage activity within this cluster.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Cluster associated with RomCom RAT activity; shares tactical and infrastructure similarities with UNK_GreenSec-linked TransferLoader campaigns.
Russia-aligned intrusion set associated with RomCom RAT; conducts espionage and financially motivated activity, leveraging phishing and router-based proxy infrastructure, and has a history of exploiting Firefox/Windows zero-days. Uses SlipScreen in the described activity.
Russia-linked activity leveraging REM proxy services, SSH tunneling via PuTTY PLINK, and IPFS-hosted utilities; intrusions deploy the MeltingClaw and RustyClaw downloaders to deliver the ShadyHammock, DustyHammock, and SingleCamper backdoors. Researchers suspect a shared third-party infrastructure provider with UNK_GreenSec, or that the two clusters are the same operation.