
DustyHammock

DustyHammock is a Rust-based minimalist backdoor associated with RomCom/TA829 activity, including clusters also tracked as Storm-0978, Tropical Scorpius, Void Rabisu, Nebulous Mantis, and UNC2596. It is described as a core backdoor used for long-term command-and-control communication and remote command execution. Reported capabilities include executing commands via cmd.exe and downloading and executing additional files. Its beacon structure is highly similar to that of SingleCamper, suggesting both variants may be administered from the same panel. DustyHammock has been delivered by the MeltingClaw and RustyClaw downloaders, and reporting also places it in the broader TA829/RomCom toolchain alongside SlipScreen, ShadyHammock, and SingleCamper. The surrounding campaigns used phishing with lure themes such as job applications, complaints, resumes, invoices, and supplier/customer messages, often with spoofed OneDrive or Google Drive links, password-protected archives, or executables masquerading as PDF readers. Reported targeting tied to the broader RomCom/TA829 operations included government, defense, financial, manufacturing, logistics, retail, hospitality, and critical infrastructure organizations across Europe, North America, the UK, Ukraine, and Poland. The source reporting provides no DustyHammock-specific indicators of compromise beyond its behavioral characteristics and delivery relationships.


Threat actors

Groups observed using it: 1 distinct threat actor attributed by public researchers.

TA829

"...downloaders that deliver the ShadyHammock, DustyHammock, and SingleCamper backdoors." (via scworld.com)