10 Things I Hate About Attribution: RomCom vs. TransferLoader

    Date: 07/01/2025

    Severity: High

    Summary

    This report compares two related cybercriminal operations. TA829 conducts espionage and cybercrime using tools descended from the legacy RomCom backdoor. A highly similar campaign, which uses a new loader and backdoor called TransferLoader, is linked to a separate cluster named UNK_GreenSec. The analysis walks through the similarities and differences between the two groups and raises questions about their possible connections within the broader criminal and espionage landscape.

    Indicators of Compromise (IOC) List 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "workspace-doc.live" or siteurl like "workspace-doc.live" or url like "workspace-doc.live" or domainname like "365msdrv.live" or siteurl like "365msdrv.live" or url like "365msdrv.live" or domainname like "drivehub.live" or siteurl like "drivehub.live" or url like "drivehub.live" or domainname like "drivestorage.online" or siteurl like "drivestorage.online" or url like "drivestorage.online" or domainname like "1drv-team.works" or siteurl like "1drv-team.works" or url like "1drv-team.works" or domainname like "365drv.live" or siteurl like "365drv.live" or url like "365drv.live" or domainname like "1drv.zone" or siteurl like "1drv.zone" or url like "1drv.zone" or domainname like "mydrv1.live" or siteurl like "mydrv1.live" or url like "mydrv1.live" or domainname like "my1drv.live" or siteurl like "my1drv.live" or url like "my1drv.live" or domainname like "1drive.expert" or siteurl like "1drive.expert" or url like "1drive.expert" or domainname like "1drivecloud.click" or siteurl like "1drivecloud.click" or url like "1drivecloud.click" or domainname like "cloud-pdf.online" or siteurl like "cloud-pdf.online" or url like "cloud-pdf.online" or domainname like "pdf-storage.pub" or siteurl like "pdf-storage.pub" or url like "pdf-storage.pub" or domainname like "ondrve.live" or siteurl like "ondrve.live" or url like "ondrve.live" or domainname like "onedrivecloud.net" or siteurl like "onedrivecloud.net" or url like "onedrivecloud.net" or domainname like "1dv.online" or siteurl like "1dv.online" or url like "1dv.online" or domainname like "onedrivecloud.live" or siteurl like "onedrivecloud.live" or url like "onedrivecloud.live" or domainname like "onestorelink.live" or siteurl like "onestorelink.live" or url like "onestorelink.live" or domainname like "dr365.live" or siteurl like "dr365.live" or url like "dr365.live" or domainname like "1drv.site" or siteurl like "1drv.site" or url like "1drv.site" or domainname like "1drv365.online" or siteurl like 
"1drv365.online" or url like "1drv365.online" or domainname like "drivepoint.pub" or siteurl like "drivepoint.pub" or url like "drivepoint.pub" or domainname like "1drivecloud.live" or siteurl like "1drivecloud.live" or url like "1drivecloud.live" or domainname like "onedrivecloud.expert" or siteurl like "onedrivecloud.expert" or url like "onedrivecloud.expert" or domainname like "1dcloud.live" or siteurl like "1dcloud.live" or url like "1dcloud.live" or domainname like "1drive.pub" or siteurl like "1drive.pub" or url like "1drive.pub" or domainname like "1drvms.space" or siteurl like "1drvms.space" or url like "1drvms.space" or domainname like "1dvstorage.com" or siteurl like "1dvstorage.com" or url like "1dvstorage.com" or domainname like "1drivems.works" or siteurl like "1drivems.works" or url like "1drivems.works" or domainname like "1drv365.live" or siteurl like "1drv365.live" or url like "1drv365.live" or domainname like "1drive-work.online" or siteurl like "1drive-work.online" or url like "1drive-work.online" or domainname like "pdfshare.click" or siteurl like "pdfshare.click" or url like "pdfshare.click" or domainname like "opendnsapi.net" or siteurl like "opendnsapi.net" or url like "opendnsapi.net" or domainname like "lauradream.com" or siteurl like "lauradream.com" or url like "lauradream.com" or domainname like "pdf-share.pub" or siteurl like "pdf-share.pub" or url like "pdf-share.pub" or domainname like "ondv.live" or siteurl like "ondv.live" or url like "ondv.live" or domainname like "1drive.bio" or siteurl like "1drive.bio" or url like "1drive.bio" or domainname like "drive-share.pub" or siteurl like "drive-share.pub" or url like "drive-share.pub" or domainname like "onedrweb.live" or siteurl like "onedrweb.live" or url like "onedrweb.live" or domainname like "myonedrive365.live" or siteurl like "myonedrive365.live" or url like "myonedrive365.live" or domainname like "1drv.me" or siteurl like "1drv.me" or url like "1drv.me" or domainname like 
"temptransfer.live" or siteurl like "temptransfer.live" or url like "temptransfer.live" or domainname like "cdngateway.us" or siteurl like "cdngateway.us" or url like "cdngateway.us" or domainname like "1drv.eu.com" or siteurl like "1drv.eu.com" or url like "1drv.eu.com" or domainname like "consvcprivacy.com" or siteurl like "consvcprivacy.com" or url like "consvcprivacy.com" or domainname like "diskstorage.click" or siteurl like "diskstorage.click" or url like "diskstorage.click" or domainname like "clouderive.com" or siteurl like "clouderive.com" or url like "clouderive.com" or domainname like "drivehost.live" or siteurl like "drivehost.live" or url like "drivehost.live" or domainname like "drsync.click" or siteurl like "drsync.click" or url like "drsync.click" or domainname like "1drv.biz" or siteurl like "1drv.biz" or url like "1drv.biz" or domainname like "drshare.online" or siteurl like "drshare.online" or url like "drshare.online"

    Detection Query 2 : 

    domainname like "storage-hub.pub" or siteurl like "storage-hub.pub" or url like "storage-hub.pub" or domainname like "mspdf.live" or siteurl like "mspdf.live" or url like "mspdf.live" or domainname like "gdrvdocs.online" or siteurl like "gdrvdocs.online" or url like "gdrvdocs.online" or domainname like "site-staff.sale" or siteurl like "site-staff.sale" or url like "site-staff.sale" or domainname like "sharedrive.pub" or siteurl like "sharedrive.pub" or url like "sharedrive.pub" or domainname like "ms.share-onedr.com" or siteurl like "ms.share-onedr.com" or url like "ms.share-onedr.com" or domainname like "1drivems.expert" or siteurl like "1drivems.expert" or url like "1drivems.expert" or domainname like "onedr.expert" or siteurl like "onedr.expert" or url like "onedr.expert" or domainname like "drivepublic.live" or siteurl like "drivepublic.live" or url like "drivepublic.live" or domainname like "onedrivems.works" or siteurl like "onedrivems.works" or url like "onedrivems.works" or domainname like "share-pdf.live" or siteurl like "share-pdf.live" or url like "share-pdf.live" or domainname like "mngersrv.com" or siteurl like "mngersrv.com" or url like "mngersrv.com" or domainname like "drivenc.pub" or siteurl like "drivenc.pub" or url like "drivenc.pub" or domainname like "dvfilesync.pub" or siteurl like "dvfilesync.pub" or url like "dvfilesync.pub" or domainname like "365work.chat" or siteurl like "365work.chat" or url like "365work.chat" or domainname like "gdl-cloud.works" or siteurl like "gdl-cloud.works" or url like "gdl-cloud.works" or domainname like "1drvfiles.online" or siteurl like "1drvfiles.online" or url like "1drvfiles.online" or domainname like "dvcloud.live" or siteurl like "dvcloud.live" or url like "dvcloud.live" or domainname like "cloud1dv.com" or siteurl like "cloud1dv.com" or url like "cloud1dv.com" or domainname like "my-356drv.online" or siteurl like "my-356drv.online" or url like "my-356drv.online" or domainname like "1drw.live" or 
siteurl like "1drw.live" or url like "1drw.live" or domainname like "file-share.works" or siteurl like "file-share.works" or url like "file-share.works" or domainname like "healthfy.bio" or siteurl like "healthfy.bio" or url like "healthfy.bio" or domainname like "onefile.social" or siteurl like "onefile.social" or url like "onefile.social" or domainname like "share-doc.live" or siteurl like "share-doc.live" or url like "share-doc.live" or domainname like "1drv-storage.pub" or siteurl like "1drv-storage.pub" or url like "1drv-storage.pub" or domainname like "my1drv.online" or siteurl like "my1drv.online" or url like "my1drv.online" or domainname like "d1rv.social" or siteurl like "d1rv.social" or url like "d1rv.social" or domainname like "1drvcloud.online" or siteurl like "1drvcloud.online" or url like "1drvcloud.online" or domainname like "file-acess.live" or siteurl like "file-acess.live" or url like "file-acess.live" or domainname like "gdrive-share.online" or siteurl like "gdrive-share.online" or url like "gdrive-share.online" or domainname like "1dv365.live" or siteurl like "1dv365.live" or url like "1dv365.live" or domainname like "my-drive365.pub" or siteurl like "my-drive365.pub" or url like "my-drive365.pub" or domainname like "data-dv.live" or siteurl like "data-dv.live" or url like "data-dv.live" or domainname like "gworkspace.social" or siteurl like "gworkspace.social" or url like "gworkspace.social" or domainname like "documentapproved.click" or siteurl like "documentapproved.click" or url like "documentapproved.click" or domainname like "cloudly.live" or siteurl like "cloudly.live" or url like "cloudly.live" or domainname like "1day.live" or siteurl like "1day.live" or url like "1day.live" or domainname like "driveshare.pub" or siteurl like "driveshare.pub" or url like "driveshare.pub" or domainname like "cloudlive.pub" or siteurl like "cloudlive.pub" or url like "cloudlive.pub" or domainname like "onlinedrive.click" or siteurl like 
"onlinedrive.click" or url like "onlinedrive.click" or domainname like "livestorage.click" or siteurl like "livestorage.click" or url like "livestorage.click" or domainname like "datadrv1.com" or siteurl like "datadrv1.com" or url like "datadrv1.com" or domainname like "onelivedrv.com" or siteurl like "onelivedrv.com" or url like "onelivedrv.com" or domainname like "journalctl.website" or siteurl like "journalctl.website" or url like "journalctl.website" or domainname like "drivedefend.com" or siteurl like "drivedefend.com" or url like "drivedefend.com" or domainname like "supportcausems.com" or siteurl like "supportcausems.com" or url like "supportcausems.com" or domainname like "deliverycitylife.com" or siteurl like "deliverycitylife.com" or url like "deliverycitylife.com" or domainname like "msvhost.com" or siteurl like "msvhost.com" or url like "msvhost.com" or domainname like "1drive.social" or siteurl like "1drive.social" or url like "1drive.social" or domainname like "1drive.works" or siteurl like "1drive.works" or url like "1drive.works" or domainname like "onedrivecloud.click" or siteurl like "onedrivecloud.click" or url like "onedrivecloud.click" or domainname like "onedrivems.cloud" or siteurl like "onedrivems.cloud" or url like "onedrivems.cloud" or domainname like "1drv.world" or siteurl like "1drv.world" or url like "1drv.world"

    Detection Query 3 : 

    sha256hash IN ("8f3b065e6aa6bc220867cdcb1c250c69b2d46422c51f66f25091f6cab5d043de","6d5226cba687d99ce14eda8de290edd470e79436625618559c8db1458a53666c","00385cae3630694eb70e2b82d5baa6130c503126c17db3fc63376c7d28c04145","f5f2761278163a1a813356666cb305fe37806f5f633b2a5475997f10d24fb3d4","cd526475391c375e8e40f0146146672928db9bbf210acb41e0fd41381cd5eb9a","33971df8f5c34c3c79f64e2e28e300260499285bd37f77295ba88897728ace4b","1c6a5476d485d311be1e07c2e0d2ae322214caa5d4f84398d4169d499105b01a","fba9f2c351e898bfc61c8b1181020212ccb9e55041c4dd433ca2867dbf796469","3a234b49b834849689da477f77ca6363b40ee83e58213ee51b1ec248da90a543","e7917ff12114be5c79ca9bd0082eb628192c2ebfbee7aad2ae626ea208ee37cf","7e51eb44cfd945f4a155707f773fae3207ebfb59d45ea866ba69bd9bc28dfc32","54a94c7ec259104478b40fd0e6325d1f5364351e6ce1adfd79369d6438ed6ed9","7fc65b23e0a85f548e4268b77b66a3c9f3d08b9c1817c99bc1336d51d36e1ec6","07b9e353239c4c057115e8871adc3cfb42467998c6b737b28435ecc9405001c9")

    Detection Query 4 : 

    hash IN ("c8cbb1eaae2fd97fa811ece21655e2cb96510255","d8b04523d86270ce8bf8a834d7da22829f1a8d16","5238c4815c13f9d26ad6fa46aec6cc55671cb16e","24bd135b92a95c0e7f9967f6372bbe4bc99d9f84","cff9e5fee264dd58dbd6a3165322807248d3a1b2","2b301191aa9e1d2c8e3eefd38b6eb1952b1fce88","d890d4b40ce56f90b9ea168bf6d7bf5043a47319")
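    The queries above test `like` against each of `domainname`, `siteurl` and `url`; without a wildcard that is an exact comparison in most query languages, so a lookalike served from a subdomain of one of the IOC domains, or embedded in a full URL, is missed. As an added example that is not part of the Gurucul advisory, the following Python checks constructed log lines against a subset of the page's domain and hash IOCs, counting a subdomain of an IOC domain as a hit while rejecting superstring hosts (the field names `url`, `domainname`, `siteurl` and `hash`, and the sample lines, are assumptions).

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the advisory's IOC domains and hashes (values copied from this page).
IOC_DOMAINS = {"1drv.site", "1drv.eu.com", "ms.share-onedr.com", "my1drv.live", "cdngateway.us"}
IOC_HASHES = {
    "c8cbb1eaae2fd97fa811ece21655e2cb96510255",
    "8f3b065e6aa6bc220867cdcb1c250c69b2d46422c51f66f25091f6cab5d043de",
}

def host_from(value: str) -> str:
    """Extract a lower-cased host from either a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.split("/")[0].split(":")[0]

def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None.
    The leading dot keeps superstrings such as not1drv.site from matching."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched IOC) for key=value log lines that hit an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        # Same three fields the Gurucul queries inspect (field names assumed here).
        for key in ("url", "domainname", "siteurl"):
            ioc = domain_matches(host_from(fields.get(key, "")))
            if ioc:
                hits.append((n, ioc))
                break
        h = fields.get("hash", "").lower()
        if h in IOC_HASHES:
            hits.append((n, h))
    return hits

# Constructed proxy/EDR log lines for the demonstration; not real telemetry.
SAMPLE_LOG = [
    "url=https://files.1drv.site/Invoice.pdf user=alice",
    "domainname=onedrive.live.com user=bob",
    "siteurl=https://not1drv.site/ user=carol",
    "hash=C8CBB1EAAE2FD97FA811ECE21655E2CB96510255 file=update.exe",
    "url=https://ms.share-onedr.com/d/1 hash=deadbeef",
]
```

    Running `scan_log(SAMPLE_LOG)` flags lines 1, 4 and 5 only; the legitimate onedrive.live.com host and the superstring not1drv.site are left alone.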

    Reference:    

    https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader


    Tags: Malware, Threat Actor, Cyber Espionage, Romcom, TransferLoader, Backdoor, TA829, UNK_GreenSec
