All news with #romcom tag

RomCom Uses SocGholish to Deliver Mythic Agent to US Firms

🔒 Arctic Wolf Labs observed a targeted September 2025 campaign in which the Russia-aligned RomCom group used fake browser-update prompts to deliver the Mythic Agent implant via a classic SocGholish chain. Researchers say this is the first observed instance of RomCom pairing SocGholish initial access with a Mythic C2-based loader. The intrusion was stopped before impact, and Arctic Wolf published IOCs and mitigation guidance.

RomCom via SocGholish Fake Update Targets US Civil Firm

🔒 Arctic Wolf Labs reports that a RomCom payload was delivered via a JavaScript loader known as SocGholish to a U.S.-based civil engineering company, marking the first observed use of this distribution method. The chain relied on fake browser update prompts to run a loader that established a reverse shell, dropped a custom Python backdoor called VIPERTUNNEL, and installed a RomCom DLL loader that launched the Mythic Agent. Attribution to GRU Unit 29155 is assessed at medium-to-high confidence, and the intrusion was blocked before it could progress further.

WinRAR zero-day (CVE-2025-8088) used in RomCom attacks

🔒 ESET researchers uncovered a previously unknown WinRAR vulnerability, tracked as CVE-2025-8088, that is being actively exploited by the Russia-aligned actor RomCom in targeted spearphishing campaigns. The Windows path traversal flaw enables execution of arbitrary code when victims open crafted archives. Users should update to WinRAR 7.13 immediately and consult ESET's video and blogpost for indicators and mitigation.

WinRAR zero-day (CVE-2025-8088) exploited by RomCom

🔒 ESET researchers disclosed a previously unknown WinRAR zero-day, CVE-2025-8088, actively exploited by the Russia-aligned group RomCom. The flaw is a path-traversal vulnerability that leverages NTFS alternate data streams (ADS) to conceal malicious files in RAR archives, which are silently deployed on extraction. Observed payloads included a Mythic agent, a SnipBot variant, and RustyClaw (MeltingClaw), targeting organizations in finance, manufacturing, defense and logistics. Users and vendors relying on WinRAR, UnRAR.dll or its source must update to the July 30, 2025 patched release immediately.