Key Takeaways
The Russian-aligned threat actor known as RomCom (UAT-5647) has been identified in a new campaign targeting U.S. companies that support Ukraine. In a significant shift in tactics, the group is now using the SocGholish malware delivery framework, operated by the TA569 cybercrime group, to deploy its custom Mythic Agent payload.
This marks the first time a RomCom payload has been observed being distributed via SocGholish, signaling a collaboration between nation-state-aligned actors and financially motivated cybercriminals.
The attack chain begins when a user visits a legitimate but compromised website injected with SocGholish's malicious JavaScript, as Arctic Wolf detailed in its latest cybersecurity report. This triggers a fake browser update prompt, which, if clicked, executes the initial payload.
Arctic Wolf Labs observed that within 10 minutes of the initial infection, the attackers performed reconnaissance and delivered RomCom's targeted Mythic Agent loader.
This rapid escalation from a common drive-by compromise to the deployment of a sophisticated nation-state tool highlights the severity of the threat. The targeted nature of the attack was confirmed as the loader was designed to activate only on systems belonging to a specific, pre-determined domain.
This campaign provides strong evidence linking cyberattacks by Russia's GRU 161st Specialist Training Center, also known as GRU Unit 29155, to the SocGholish infrastructure. SocGholish has previously been associated with delivering Raspberry Robin, another malware family tied to the GRU.
The targeting of an American civil engineering firm with past ties to Ukraine aligns with RomCom's established objective of disrupting entities that provide support to the nation.
This incident demonstrates how initial access brokers like TA569 (also known as GoldPrelude, MustardTemptation, and PurpleVallhund) can serve as conduits for nation-state espionage and sabotage, turning widespread, opportunistic infections into highly targeted intrusions.
RomCom is associated with cyberattacks aligned with Russian government interests, previously linked to a ransomware attack on Casio and campaigns targeting Ukraine-allied organizations. TA569 is associated with the FakeUpdates (SocGholish) malware and has previously acted as an initial access broker for ransomware groups.
In December 2024, malicious Google Search ads deployed SocGholish in a campaign targeting Kaiser Permanente employees. The malware was also used in a fake browser update campaign by TA2726 and TA2727 earlier this year.
RomCom targeted Ukraine and Poland in October 2024 and was seen exploiting Firefox and Windows zero-days a month later.