A Russian state-backed threat group behind the RomCom malware used the SocGholish loader to deliver a RomCom payload – the Mythic agent – against a civil engineering firm based in the United States.
The attack – attributed by researchers with Arctic Wolf Labs to Russia’s Unit 29155 – marks the latest targeting by the RomCom threat group on an organization with ties to Ukraine and its ongoing war with its much larger neighbor, as well as the continuing evolution of the Russian state-sponsored group.
“This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires wrote in a report this week, noting that Unit 29155 is run by the GRU, a Russian intelligence agency. In the past, SocGholish has been seen distributing Raspberry Robin.
“Unit 29155 is typically tasked with offensive computer network operations targeting global entities,” Faires wrote. “Since early 2022, the primary focus of Unit 29155 has been disrupting international efforts to provide aid to Ukraine.”
The victim in what proved to be an unsuccessful attack “appears to be affiliated with Ukraine, underscoring RomCom’s tendency to target entities with ties – no matter how tenuous – to Ukraine, regardless of their geographic location.”
“As the physical conflict between Ukraine and Russia grinds through the end of its third year, RomCom’s activity has similarly escalated, and it now conducts opportunistic campaigns against selected business verticals worldwide,” Faires wrote. “The RomCom group has previously been observed by Arctic Wolf Labs targeting other pro-Ukrainian affiliated organizations, including those based in the U.S.”
The use of SocGholish, a JavaScript loader operated by the threat group TA569, is new to RomCom. SocGholish runs as malware-as-a-service (MaaS), with TA569 acting as an initial access broker (IAB) that sells access to compromised systems to ransomware and other financially motivated groups, as well as to state-connected operations including Unit 29155, according to cybersecurity firm Silent Push. Its customers have included high-profile names such as Evil Corp, LockBit, and Dridex.
“The group’s use of this model is significant because it can turn seemingly opportunistic infections into precursors for major incidents,” Arctic Wolf’s Faires wrote. “Organizations encountering SocGholish should treat any detection as a potential early stage of a ransomware attack. Timely identification and response are critical, as containment at this stage can prevent escalation into costly and disruptive ransomware events.”
SocGholish – also known as FakeUpdates – compromises outdated or poorly secured legitimate websites to serve fake browser update alerts that entice users into unknowingly downloading malware that installs the loader, which in turn pulls in other malicious code. The malware uses unpatched plugins or remote code execution flaws to inject malicious JavaScript into a site’s HTML, templates, or external JavaScript resources, according to Faires.
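Because the injection lands in a page's HTML or its external script references, a site owner can catch it by diffing a page's script inventory against a known-good baseline. The following is an added example written for this article, not code from the Arctic Wolf report or from Silent Push; the sample page, hostnames, script bodies and baseline are all constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page: two legitimate scripts plus one injected external
# script and one injected inline script (hostnames are made up).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/jquery.js"></script>
<script>window.siteConfig = {theme: 'light'};</script>
<script src="https://updates.injected-example.invalid/loader.js"></script>
<script>eval(atob('aGVsbG8='));</script>
</head><body><script src="/js/app.js"></script></body></html>"""

def inline_hash(body):
    """SHA-256 of an inline script body with surrounding whitespace trimmed."""
    return hashlib.sha256(body.strip().encode()).hexdigest()

class ScriptInventory(HTMLParser):
    """Collects external script src values and hashes of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append(inline_hash("".join(self._buf)))
            self._buf = None

def find_injected_scripts(html, allowed_hosts, baseline_inline_hashes):
    """Return (kind, value) pairs for scripts not covered by the baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname
        # Relative src (no host) is same-origin; any other host must be allowlisted.
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    findings += [("inline", h) for h in inv.inline if h not in baseline_inline_hashes]
    return findings
```

Run against a page fetched from the live site on a schedule, any new external host or unknown inline script hash is a signal to compare the template and plugin files against a clean copy.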
RomCom’s loader has drawn attention from security analysts. ESET reported in August that RomCom (also known as Storm-0978, Tropical Scorpius, and UNC2596) was exploiting a previously unknown – and since patched – zero-day vulnerability in the WinRAR archiving tool. RomCom used the flaw to try to deliver a range of backdoors, including a SnipBot variant, RustyClaw, and the Mythic agent.
Also, last month, Picus Security reported on RomCom’s evolution “from a regional cyber-espionage group into a sophisticated hybrid threat actor.” Its targets expanded from Ukraine, Poland, and other regions within Russia’s sphere of interest in 2022 to defense and government agencies in North America and Europe in 2023 and 2024 – often using phishing lures that referenced NATO or Ukraine politics – and this year it pushed into the private sector with campaigns against industries such as retail, hospitality, financial services, and defense. Other targeted areas include logistics, manufacturing, and critical infrastructure.
“This shift illustrates RomCom’s ability to alternate between long-term espionage against government agencies and monetization-focused operations against enterprises,” Picus threat researcher Sıla Özeren Hacıoğlu wrote.
In the case detected by Arctic Wolf, a user unintentionally initiated the attack chain by executing SocGholish’s FakeUpdate payload, allowing the bad actors to run commands on the compromised system. Once the payload is executed by the unsuspecting user, a connection is made to SocGholish’s malicious command-and-control (C2), and responses are immediately executed, Faires wrote.
Once a reverse shell is running on the system, the SocGholish operators perform reconnaissance, primarily through PowerShell commands, and then upload a further payload, including a custom Python backdoor called ViperTunnel, which is scheduled to run on the system.
“Three minutes prior to the delivery of RomCom’s shellcode loader, the operator tests the connection to Mythic C2,” Faires wrote.
Like other legitimate red team tools such as Cobalt Strike, Mythic C2 – written in Python 3 – is often abused by threat actors. The loader is the same one detailed in ESET’s report.
“The timeline from infection via FAKEUPDATE to the delivery of RomCom’s loader was less than 30 minutes,” Faires wrote. “Delivery is not made until the target’s Active Directory domain had been verified to match a known value provided by the threat actor.”
The incident also shows the continued use by bad actors of legitimate but compromised websites to deliver malware, and TA569’s ongoing expansion of SocGholish from a source of opportunistic infections into a key enabler of ransomware.
“Recent campaigns show increased scale and sophistication, with widespread compromises of legitimate websites, stronger obfuscation in JavaScript loaders, and direct partnerships with ransomware affiliates,” Faires wrote. “The widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial access to infection makes it a potent threat to organizations worldwide.”