10 Things I Hate About Attribution: A Clustering Conundrum
Jul 15, 2025
In this engaging discussion, Greg Lesnewich, a Staff Threat Researcher at Proofpoint, dives into the complexities of threat attribution. He shares a lighthearted rant on the frustrations of identifying cybercriminals, focusing on TA829 (RomCom) and the tricky GreenSec cluster. Greg unpacks malware tactics, particularly the elusive TransferLoader, and the challenges of distinguishing between cyber e-crime and espionage. The conversation concludes with humorous comparisons of e-crime groups to pop icons, leaving listeners both entertained and enlightened.
AI Snips
Nuanced Differences Matter
- TA829 (RomCom) and the GreenSec/TransferLoader cluster share many surface similarities but differ in the finer details of delivery and in the checks the payloads perform.
- Close comparison of landing-page JavaScript, email formatting, and download behavior suggested the two are related but not identical.
Crime Actors With Espionage Tooling
- RomCom (TA829) blends high-end capabilities with crime-style spam campaigns, at times using zero-days and browser exploits.
- Their ecosystem often evolves rapidly with different initial droppers per campaign, complicating static clustering.
Targeting Offers Clues, Not Proof
- Targeting overlaps between TA829 and GreenSec exist, but they diverge in meaningful ways, such as GreenSec hitting law firms.
- Volume and target verticals (manufacturing, pharma, legal) provide clustering signals but not definitive attribution.