A Russian state-sponsored threat group known as RomCom, also tracked as Nebulous Mantis and attributed with medium-to-high confidence to the GRU's Unit 29155, has been observed using the SocGholish loader for the first time. The target of the new attack chain was a U.S.-based civil engineering firm that had previously done work for a city with close ties to Ukraine. The activity is a notable shift in the group's tradecraft: it pairs the initial access of SocGholish, a financially motivated operation, with RomCom's espionage- and cybercrime-focused payloads.
SocGholish, also known as FakeUpdates, is an initial access operation linked to the operator TA569 and is notorious for handing access to other threat actors, including Evil Corp and LockBit, who then deploy their own malware. Its methodology typically starts with compromising legitimate but poorly secured websites and injecting malicious JavaScript. That code displays fake browser update prompts, usually for Chrome or Firefox, that trick users into downloading a malicious script, which in turn installs a loader to fetch the subsequent stages. The vulnerabilities exploited are known flaws in website plugins, used to plant the injection on the site; the infection of the visitor's machine itself relies on social engineering rather than on a browser exploit.
The RomCom threat actor, active since at least 2022, is known for a blend of cybercrime and geopolitical espionage, consistently targeting entities in Ukraine and NATO-related defense organizations. Its earlier intrusions relied on spear-phishing and zero-day exploits to breach networks and deploy the group's namesake RomCom remote access trojan (RAT). The attack on the U.S. firm suggests that this focus now extends, however tenuously, to any entity that has provided assistance to or has a connection with Ukraine.
In the analyzed incident, the initial fake update payload executed on the compromised machine and quickly established a reverse shell to a command-and-control (C2) server. The operators used that access for reconnaissance and then dropped a custom Python backdoor dubbed VIPERTUNNEL. Crucially, a RomCom-linked DLL loader was also delivered to launch a Mythic agent; Mythic is an open-source red-teaming framework whose agents handle cross-platform post-exploitation tasks such as file operations and command execution. Delivery of the RomCom-linked components was tightly targeted and proceeded only after the victim's Active Directory domain had been verified, a gating step that also withholds the later stages from hosts outside the intended domain, including analysis sandboxes.
Although this particular attack was blocked before the threat actors could progress beyond the initial stages, the incident underscores the growing potency and speed of these campaigns. Arctic Wolf Labs noted that the entire timeline from the initial SocGholish infection to delivery of the RomCom loader was under 30 minutes. The convergence of RomCom's geopolitical targeting with the broad reach and rapid progression of SocGholish attacks presents a substantial and evolving threat to organizations globally.
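The chain described in the two paragraphs above (fake update script, follow-on Python backdoor, DLL loader, all inside a 30-minute window) is something a detection engineer would want to spot in process-creation telemetry. The following is an added example, not code from Arctic Wolf Labs or any vendor mentioned here. The record layout (pipe-separated timestamp, host, parent image, image, command line) and the sample events are constructed to resemble Sysmon Event ID 1 data, and the behaviours it treats as suspicious are assumptions about how such a chain presents on a host rather than indicators taken from the report: a browser or Explorer starting a script host on a .js file in a user-writable folder, followed on the same host within 30 minutes by a Python interpreter or a rundll32/regsvr32 DLL load from a user-writable path.

```python
"""Detect a SocGholish-to-loader execution chain in process-creation telemetry.

Added example (not vendor code).  Record layout, sample events and the
suspicious-behaviour heuristics below are assumptions, not report indicators.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LAUNCHER_PARENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "explorer.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
PYTHON = {"python.exe", "pythonw.exe"}
# Locations a standard user can write to; staged payloads usually live here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)\\", re.I)
JS_ARG = re.compile(r"\.jse?\b", re.I)


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the constructed pipe-separated records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                host, parent, image, cmdline))
    return events


def is_fake_update_launch(ev: ProcEvent) -> bool:
    """Browser/Explorer -> script host running a .js from a user-writable folder."""
    return (basename(ev.parent_image) in LAUNCHER_PARENTS
            and basename(ev.image) in SCRIPT_HOSTS
            and JS_ARG.search(ev.cmdline) is not None
            and USER_WRITABLE.search(ev.cmdline) is not None)


def is_follow_on_stage(ev: ProcEvent) -> bool:
    """Python runtime, or a DLL loader, executing from a user-writable path."""
    img = basename(ev.image)
    if img in DLL_LOADERS:
        return USER_WRITABLE.search(ev.cmdline) is not None
    if img in PYTHON:
        return USER_WRITABLE.search(ev.image) is not None
    return False


def detect_chains(events, window=timedelta(minutes=30)):
    """Anchor on each fake-update launch and collect follow-on stages seen on
    the same host inside the window.  One finding per anchor; each stage is
    (image name, minutes after the anchor)."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            if not is_fake_update_launch(anchor):
                continue
            stages = [(basename(e.image), (e.ts - anchor.ts).total_seconds() / 60)
                      for e in evs[i + 1:]
                      if e.ts - anchor.ts <= window and is_follow_on_stage(e)]
            findings.append({"host": host, "anchor": anchor.ts, "stages": stages})
    return findings


# Constructed sample telemetry: WS-01 shows the full chain inside 30 minutes
# plus one DLL load that falls outside the window; WS-02 is a benign script run.
SAMPLE_EVENTS = r"""
2025-01-01T14:00:00Z|WS-01|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\wscript.exe|wscript.exe "C:\Users\alice\Downloads\Update.js"
2025-01-01T14:09:00Z|WS-01|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Temp\py\python.exe|python.exe C:\Users\alice\AppData\Local\Temp\py\main.py
2025-01-01T14:21:00Z|WS-01|C:\Users\alice\AppData\Local\Temp\py\python.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Roaming\loader.dll,Start
2025-01-01T14:45:00Z|WS-01|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\alice\AppData\Roaming\late.dll,Start
2025-01-01T14:03:00Z|WS-02|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Scripts\logon.js
"""

if __name__ == "__main__":
    for f in detect_chains(parse_events(SAMPLE_EVENTS)):
        print(f["host"], f["anchor"].isoformat(), f["stages"])
```

Run against the sample, the only finding is for WS-01, with the Python stage 9 minutes and the DLL load 21 minutes after the fake-update launch; the 45-minute DLL load and the WS-02 logon script are not reported. Anchoring on the fake-update launch rather than alerting on each stage separately is deliberate: the individual stages (a script host, a Python interpreter, rundll32) are noisy on their own, but the sequence on one host inside a tight window is what distinguishes this chain, and the elapsed minutes tell the responder how little time they have.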