ShadyHammock

ShadyHammock is a malware component/backdoor associated with TA829/RomCom activity, also tracked in overlapping reporting as Storm-0978, Void Rabisu, Nebulous Mantis, UNC2596, Tropical Scorpius, and related RomCom-linked operations. It has been observed delivered by the MeltingClaw and RustyClaw downloaders alongside DustyHammock and SingleCamper. Reporting describes ShadyHammock as a C++ component that specializes in stealth by loading the main payload—an XOR-encoded SingleCamper RAT DLL—directly from the Windows Registry into memory. The ShadyHammock DLL has been identified with the internal name loader_moder.dll; it reads and decrypts registry contents and uses a shellcode loader to deploy a newer version of the SingleCamper backdoor into memory, with the payload DLL identified as message_module.dll. This in-memory, registry-based loading behavior is consistent with evasion-focused tradecraft. In April 2025, TA829 was reported shifting to the ShadyHammock and SingleCamper tool suite in financially motivated campaigns. The broader RomCom/TA829 ecosystem has targeted organizations in Europe and North America, including financial, manufacturing, defense, logistics, government, and other sectors, and has used spear-phishing and related social-engineering delivery chains. High-confidence identifiers directly mentioned for ShadyHammock include the malware name ShadyHammock, internal DLL name loader_moder.dll, and its role in loading the SingleCamper payload DLL message_module.dll from registry-stored, XOR-encoded data.