RomCom + SocGholish: Fake Updates Deliver Mythic Agent Malware

A new campaign highlights the convergence of RomCom (a Russia‑aligned threat actor) and SocGholish (aka FakeUpdates), a long‑running JavaScript loader used by multiple cybercrime groups. For the first time, researchers observed RomCom payloads being distributed via SocGholish, targeting a U.S. civil engineering firm with ties to Ukraine.

Key points from the attack chain

  • Initial access via SocGholish
    • Fake browser update alerts (Chrome/Firefox) injected into compromised websites.
    • Victims tricked into downloading malicious JavaScript.
    • Loader establishes a foothold and fetches additional payloads.
  • RomCom payload delivery
    • Reverse shell to attacker C2 for reconnaissance.
    • Deployment of a custom Python backdoor (VIPERTUNNEL) for persistence and data theft.
    • A DLL loader launches a Mythic agent, the implant component of the Mythic red‑team framework, enabling command execution, file operations, and other post‑exploitation tasks.
  • Targeting logic
    • Delivery only proceeds if the victim’s Active Directory domain matches attacker‑defined values.
    • Timeline from infection to loader delivery: <30 minutes.

Attribution and context

  • Activity attributed with medium‑to‑high confidence to Unit 29155 of Russia’s GRU, known for espionage and sabotage operations.
  • RomCom (aka Nebulous Mantis, Storm‑0978, Tropical Scorpius, UNC2596, Void Rabisu) has targeted Ukraine, NATO defense organizations, and Western entities since 2022.
  • SocGholish is operated by TA569, an initial access broker serving groups like Evil Corp, LockBit, Dridex, and Raspberry Robin.
  • Attack demonstrates collaboration or service use across financially motivated and state‑aligned actors.

Why this matters

  • Speed and automation: infection chain progresses rapidly, leaving defenders little time to react.
  • Dual‑use tooling: Mythic Agent is a legitimate red‑team framework, repurposed for espionage.
  • Target selection: even indirect ties to Ukraine can trigger targeting, showing broad geopolitical motivations.
  • Global risk: SocGholish campaigns are widespread, compromising poorly secured websites to reach victims worldwide.

Defensive recommendations

  • Patch and harden websites: prevent JavaScript injection via vulnerable plugins/CMS components.
  • User awareness: train staff to distrust browser update prompts outside official vendor channels.
  • Endpoint detection: monitor for reverse shells, suspicious DLL loads, and Mythic framework indicators.
  • Network monitoring: flag outbound connections to known SocGholish and RomCom C2 infrastructure.
  • Active Directory vigilance: watch for domain‑based targeting logic and unusual reconnaissance activity.
  • Incident response readiness: prepare playbooks for rapid containment of loader‑based infections.
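To make the endpoint detection bullet concrete, the following added example (written for this summary, not code from the researchers or the campaign) correlates constructed, Sysmon‑style process‑creation records: a script host executing a .js from a user download directory, followed within the article's sub‑30‑minute window by a suspicious descendant process (shell, PowerShell, Python, or rundll32). The script‑host names, drop directories, and suspect child list are assumed heuristics derived from the chain described above, not published indicators.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                    # assumed Windows script hosts
DOWNLOAD_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")   # assumed user-writable drop dirs
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "python.exe", "rundll32.exe"}
WINDOW_S = 30 * 60   # article: infection to loader delivery in under 30 minutes


def _image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_downloaded_js_launch(ev: dict) -> bool:
    """Script host running a .js/.jse that sits in a download or temp directory."""
    cmd = ev["cmdline"].lower()
    return (_image_name(ev["image"]) in SCRIPT_HOSTS
            and re.search(r"\.jse?\b", cmd) is not None
            and any(d in cmd for d in DOWNLOAD_DIRS))


def find_loader_chains(events: list[dict]) -> list[tuple[int, int]]:
    """Return (loader_pid, child_pid) pairs where a downloaded-JS launch is
    followed, within WINDOW_S, by a suspect process anywhere in its subtree."""
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if not is_downloaded_js_launch(ev):
            continue
        tree = {ev["pid"]}                         # pids descended from the loader
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW_S:  # events are time-sorted, so stop here
                break
            if later["ppid"] in tree:
                tree.add(later["pid"])
                if _image_name(later["image"]) in SUSPECT_CHILDREN:
                    hits.append((ev["pid"], later["pid"]))
    return hits


# Constructed sample telemetry for illustration; not real campaign data.
SAMPLE = [
    {"pid": 100, "ppid": 1, "ts": 0, "image": r"C:\Program Files\Google\Chrome\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 200, "ppid": 50, "ts": 60, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Chrome.Update.js"'},
    {"pid": 300, "ppid": 200, "ts": 120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 400, "ppid": 300, "ts": 900, "image": r"C:\Users\alice\AppData\Local\python\python.exe", "cmdline": "python.exe t.py"},
    {"pid": 500, "ppid": 50, "ts": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\backup.js"},   # admin script outside a drop dir: not flagged
]

if __name__ == "__main__":
    print(find_loader_chains(SAMPLE))   # [(200, 300), (200, 400)]
```

The benign script at pid 500 shows why the path check matters: script hosts alone are too noisy, and the correlation with a download directory plus a suspect descendant is what narrows the alert.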

Final thought

This campaign underscores how initial access brokers like SocGholish amplify the reach of state‑aligned actors. By piggybacking on widespread fake update lures, RomCom can deliver advanced espionage tooling (Mythic Agent) with speed and precision. Organizations worldwide should treat fake update prompts as high‑risk indicators and ensure layered defenses are in place to detect and block loader activity before it escalates.
