RomCom tries dropping a not-so-romantic payload on Ukraine-linked US firms


US firms with ties to projects supporting Ukraine are being targeted by the Russia-aligned RomCom group, which is using fake software updates to drop the Mythic Agent onto victim systems.

In September 2025, Arctic Wolf Labs detected a campaign against a US engineering firm that had reportedly worked on such projects. The attack began as a seemingly harmless “update your browser” pop-up with a classic SocGholish update malware.

“While the typical initial SocGholish infection chain was followed, roughly 10 minutes post-exploitation, RomCom’s targeted Mythic Agent loader was delivered to the system,” Arctic Wolf researchers said in a blog post. “This is the first time that a RomCom payload has been observed being distributed by SocGholish.”

Arctic Wolf notes that many indicators and targeting patterns align RomCom’s activity with Russia’s GRU Unit 29155, a unit within Russia’s largest intelligence agency that is “typically tasked with offensive computer network operations targeting global entities.”

The intrusion was stopped before any real damage was done, the researchers added.

SocGholish Meets RomCom

Until now, SocGholish had mostly been associated with ransomware distributors or financially motivated cyber-criminals. Its hallmark is delivering “fake update” lures on compromised legitimate websites, often prompting users to install what appears to be a browser or software update. But instead of a ransomware payload, this time it carried a highly capable post-exploitation tool: Mythic Agent.

Mythic Agent is a sophisticated implant built on the Mythic C2 framework, designed to grant attackers powerful remote-access capabilities, including command execution, reconnaissance, file exfiltration, lateral movement, and additional plugin loading.

“Mythic C2 is a collaborative, multi-platform red-teaming framework written in Python 3,” the researchers explained. “It’s used by cybersecurity professionals to manage and control agents on compromised systems, but as with many other red-team security tools, it is also often commonly abused by threat actors.”

Researchers noted that this convergence blends low-friction initial access (via SocGholish) with high-impact espionage tooling (via Mythic Agent), effectively lowering the barrier for RomCom to infiltrate well-defended environments.

Target profile focused on Ukraine support

The second major insight from the report concerns victim selection. The targeted firm was not a defense contractor or a government body but a civil engineering company in the US. Its only notable link was past work involving a Ukraine-affiliated city.

According to Arctic Wolf, the incident fits RomCom’s broader pattern of targeting organizations that have even tangential connections to Ukraine. Researchers added that the group has steadily evolved from distributing trojanized installers to conducting more disciplined, selective operations, and its suspected ties to GRU Unit 29155 further explain why entities linked to Ukraine, however indirectly, continue to draw its attention. For indicators of compromise, Arctic Wolf shared a list of malicious domain names, IP addresses, and autonomous system numbers.

“Five new domains were found to be related to the two RomCom-attributed Mythic C2s identified by Arctic Wolf Labs,” researchers said. “The attack was ultimately unsuccessful because RomCom’s loader was caught by Arctic Wolf’s Aurora Endpoint Defense, preventing the targeted entity from being compromised by this threat group.”

Arctic Wolf recommended organizations harden against similar threats by blocking untrusted script executions, enforcing strict update policies, and treating any in-browser “update” prompt as suspicious. The firm also stressed the need for continuous endpoint monitoring and threat-intel-driven detection to catch SocGholish-style fake updates before they escalate.
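As an added example that is not part of the article or the Arctic Wolf report, the Python sketch below shows how the last recommendation, detection of SocGholish-style fake-update chains, could be expressed over process-creation telemetry: a script host (wscript.exe or cscript.exe) launched by a browser to run a .js file from a user-writable folder, followed by any descendant processes in the next 15 minutes. The window matters because the article describes the targeted loader arriving roughly 10 minutes after the initial SocGholish infection. The event schema, the sample events, the browser and script-host lists, and the user-writable path fragments are all assumptions constructed for this demo, not taken from any product or from the report.

```python
"""Flag fake-update execution chains in process-creation events.

Added example; the event fields (ts, pid, ppid, image, cmdline) mimic a
Sysmon Event ID 1 export but are an assumption, not a product schema.
"""
import re
from datetime import datetime, timedelta

# Assumed allow-lists for the demo; tune to the estate being monitored.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")
JS_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.js)\b', re.IGNORECASE)

# Constructed telemetry: one fake-update chain plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T14:00:00", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    # Browser spawns a script host running a .js from Downloads.
    {"ts": "2025-09-10T14:00:05", "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\Update.js"'},
    {"ts": "2025-09-10T14:00:09", "pid": 4300, "ppid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <constructed placeholder>"},
    # Constructed follow-on stage, ten minutes after the script host.
    {"ts": "2025-09-10T14:10:05", "pid": 4400, "ppid": 4300,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe <constructed placeholder>"},
    # Benign: logon script launched from an admin-controlled path.
    {"ts": "2025-09-10T14:05:00", "pid": 5000, "ppid": 950,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
    # Benign: browser renderer child.
    {"ts": "2025-09-10T14:06:00", "pid": 4150, "ppid": 4100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def _parse(events):
    """Copy events with ts converted to datetime."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return out


def descends_from(ev, root_pid, by_pid):
    """True if root_pid is an ancestor of ev via ppid links.

    Assumes no PID reuse inside the window; real telemetry should key on
    process GUIDs rather than raw PIDs.
    """
    seen = set()
    ppid = ev["ppid"]
    while ppid in by_pid and ppid not in seen:
        if ppid == root_pid:
            return True
        seen.add(ppid)
        ppid = by_pid[ppid]["ppid"]
    return False


def find_fake_update_chains(events, follow_on_window=timedelta(minutes=15)):
    """Return findings: browser -> script host -> .js in user-writable path,
    plus every descendant process created within follow_on_window."""
    evs = _parse(events)
    by_pid = {e["pid"]: e for e in evs}
    findings = []
    for e in evs:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in BROWSERS:
            continue
        m = JS_PATH.search(e["cmdline"])
        if not m or not any(p in m.group(1).lower() for p in USER_WRITABLE):
            continue
        follow_on = [
            {"image": basename(c["image"]),
             "minutes_after": round((c["ts"] - e["ts"]).total_seconds() / 60, 1)}
            for c in evs
            if e["ts"] < c["ts"] <= e["ts"] + follow_on_window
            and descends_from(c, e["pid"], by_pid)
        ]
        follow_on.sort(key=lambda f: f["minutes_after"])
        findings.append({
            "script_pid": e["pid"],
            "parent": basename(parent["image"]),
            "script_path": m.group(1),
            "follow_on": follow_on,
            "severity": "high" if follow_on else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_fake_update_chains(SAMPLE_EVENTS):
        print(f)
```

The first stage (browser spawning a script host on a .js in Downloads) is the alert worth raising on its own; the descendant walk only upgrades severity and gives the responder the follow-on process list. The benign logon script is not flagged because its parent is not a browser and its path is not user-writable, which is the kind of filter that keeps an "untrusted script execution" rule from drowning in administrative noise.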
