{"id":5994,"date":"2025-11-28T12:17:51","date_gmt":"2025-11-28T12:17:51","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5994"},"modified":"2025-11-28T12:17:51","modified_gmt":"2025-11-28T12:17:51","slug":"romcom-tries-dropping-a-not-so-romantic-payload-on-ukraine-linked-us-firms","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5994","title":{"rendered":"RomCom tries dropping a not-so-romantic payload on Ukraine-linked US firms"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>US firms with ties to projects supporting Ukraine are being targeted by the Russia-aligned RomCom group, which is using fake software updates to drop the Mythic Agent onto victim systems.<\/p>\n<p>In September 2025, Arctic Wolf Labs detected a campaign against a US engineering firm that had reportedly worked on such projects. The attack began as a seemingly harmless \u201cupdate your browser\u201d pop-up with a classic<a href=\"https:\/\/www.csoonline.com\/article\/574617\/5-top-threats-from-2022-most-likely-to-strike-in-2023.html#:~:text=Drive-by%20downloads%20alive%20and%20well%20with%20SocGholish\"> SocGholish<\/a> update malware.<\/p>\n<p>\u201cWhile the typical initial SocGholish infection chain was followed, roughly 10 minutes post-exploitation, RomCom\u2019s targeted Mythic Agent loader was delivered to the system,\u201d Arctic Wolf researchers said in a blog post. 
\u201cThis is the first time that a RomCom payload has been observed being distributed by SocGholish.\u201d<\/p>\n<p>Arctic Wolf notes that many indicators and targeting patterns align RomCom\u2019s activity with Russia\u2019s GRU Unit 29155, the unit within Russia\u2019s largest intelligence agency, \u201ctypically tasked with offensive computer network operations targeting global entities.\u201d<\/p>\n<p>The intrusion was stopped before any real damage was done, the researchers added.<\/p>\n<h2 class=\"wp-block-heading\">SocGholish Meets RomCom<\/h2>\n<p>Until now, SocGholish had mostly been associated with ransomware <a href=\"https:\/\/www.csoonline.com\/article\/3829090\/mac-users-duped-with-frigidstealer-posing-as-browser-updates.html\">distributors<\/a> or financially motivated cyber-criminals. Its hallmark is delivering \u201cfake update\u201d lures on compromised legitimate websites, often prompting users to install what appears to be a browser or software update. But instead of a ransomware payload, this time it carried a highly capable post-exploitation tool: Mythic Agent.<\/p>\n<p>Mythic Agent is a sophisticated implant built on the Mythic C2 framework, designed to grant attackers powerful remote-access capabilities, including command execution, reconnaissance, file exfiltration, lateral movement, and additional plugin loading.<\/p>\n<p>\u201cMythic C2 is a collaborative, multi-platform red-teaming framework written in Python 3,\u201d the researchers <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine\/\" target=\"_blank\" rel=\"noopener\">explained<\/a>. 
\u201cIt\u2019s used by cybersecurity professionals to manage and control agents on compromised systems, but as with many other red-team security tools, it is also often commonly abused by threat actors.\u201d<\/p>\n<p>Researchers noted that this convergence blends low-friction initial access (via SocGholish) with high-impact espionage tooling (via Mythic Agent), lowering the barrier for RomCom to infiltrate well-defended environments.<\/p>\n<h2 class=\"wp-block-heading\">Target profile focused on Ukraine support<\/h2>\n<p>The second major insight from the report concerns victim selection. The targeted firm was not a defense contractor or a government body but a civil engineering company in the US. Its only notable link was past work involving a Ukraine-affiliated city.<\/p>\n<p>According to Arctic Wolf, the incident fits RomCom\u2019s broader pattern of targeting organizations that have even tangential connections to Ukraine. Researchers added that the group has steadily evolved from distributing trojanized installers to conducting more disciplined, selective operations, and its suspected ties to GRU Unit 29155 further explain why entities linked to Ukraine, however indirectly, continue to draw its attention. For indicators of compromise, Arctic Wolf shared a list of malicious domain names, IP addresses, and autonomous system numbers.<\/p>\n<p>\u201cFive new domains were found to be related to the two RomCom-attributed Mythic C2s identified by Arctic Wolf Labs,\u201d researchers said. 
\u201cThe attack was ultimately unsuccessful because RomCom\u2019s loader was caught by Arctic Wolf\u2019s <a href=\"https:\/\/arcticwolf.com\/solutions\/endpoint-security\/\">Aurora Endpoint<\/a> Defense, preventing the targeted entity from being compromised by this threat group.\u201d<\/p>\n<p>Arctic Wolf recommended organizations harden against similar threats by blocking untrusted script executions, enforcing strict update policies, and treating any in-browser \u201cupdate\u201d prompt as suspicious. The firm also stressed the need for continuous endpoint monitoring and threat-intel-driven detection to catch SocGholish-style fake updates before they escalate.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>US firms with ties to projects supporting Ukraine are being targeted by the Russia-aligned RomCom group, which is using fake software updates to drop the Mythic Agent onto victim systems. In September 2025, Arctic Wolf Labs detected a campaign against a US engineering firm that had reportedly worked on such projects. 
The attack began as [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5995,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5994","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5994"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5994"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5994\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5995"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}