RomCom
Essential information
- Confidence
- 100/100
- Published
- 20/12/2025 23:51
- Modified
- 27/05/2026 15:52
- Updated at
- 27/05/2026 15:52
- Revoked
- No
- Author / Source
- AlienVault
- Resource level
- —
- Primary motivation
- —
- Related entities
- 5 reports, 82 attack patterns (mitre), 13 malware, 19 sectors, 17 countries, 100 indicators, 27 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
-
1 CVE 7 MITREs 4 Malwares 8 Observables 1 APT
-
20 CVEs 12 MITREs 3 Malwares 11 Observables 1 APT
-
2 CVEs 3 Malwares 9 Observables 1 APT
-
21 MITREs 2 Malwares 38 Observables 1 APT
-
1 CVE 15 MITREs 1 Malware 4 Observables 1 APT
Attack patterns (MITRE) (82)
-
T1078 usesValid Accounts MITRE
-
T1059 usesCommand and Scripting Interpreter MITRE
-
T1574.001 usesDLL MITRE
-
T1047 usesWindows Management Instrumentation MITRE
-
T1083 usesFile and Directory Discovery MITRE
-
T1217 usesBrowser Information Discovery MITRE
-
T1546 usesEvent Triggered Execution MITRE
-
T1497 usesVirtualization/Sandbox Evasion MITRE
-
T1543.003 usesWindows Service MITRE
-
T1049 usesSystem Network Connections Discovery MITRE
-
T1112 usesModify Registry MITRE
-
T1113 usesScreen Capture MITRE
Malware (13)
-
VIPERTUNNEL usesFamily
-
SnipBot usesFamily
-
Underground usesFamily
-
Mythic usesFamily
-
QakBot usesFamily
-
RomCom backdoor uses
-
Hancitor uses
-
RomCom usesFamily
-
FAKEUPDATE usesFamily
-
Mythic Agent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mythic C2 agent usesFamily
-
RustyClaw usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (19)
-
Legal targets
-
Pharmacy and drugs manufacturing targets
-
Insurance services targets
-
Consulting targets
-
Government targets
-
Energy targets
-
Technology targets
-
Healthcare targets
-
Finance targets
-
Information Technologies Consulting targets
-
Logistics targets
-
Manufacturing targets
Countries (17)
-
Korea, Democratic People's Republic of targets
-
Slovakia targets
-
United States of America targets
-
United Kingdom of Great Britain and Northern Ireland targets
-
Korea, Republic of targets
-
Australia targets
-
Netherlands targets
-
Canada targets
-
France targets
-
Germany targets
-
British Indian Ocean Territory targets
-
Singapore targets
Indicators (100)
-
88d13669a994d2e04ec0a9940f07ab8aab8563eb845a9c13f2b0fec497df5b17indicates -
1308146f161ed60c86532dd2d2de8de8b0401e27023fc56f83903f137fccacfdindicates -
stix 100/100 Revoked· Valid until 01/09/2024 · Source: AlienVault
-
8a3d71c668574ad6e7406d3227ba5adc5a230dd3057edddc4d0ec5f8134d76c3indicates -
bc1qhtwfcysclc7pck2y3vmjtpzkaezhcm6perc99xindicates -
01242b35b6def71e42cc985e97d618e2fabd616b16d23f7081d575364d09ca74indicates -
c646199a9799b6158de419b1b7e36b46c7b7413d6c35bfffaeaa8700b2dcc427indicates -
mcprotect.cloudindicates -
2eb3ef8a7a2c498e87f3820510752043b20cbe35b0cbd9af3f69e8b8fe482676indicates -
20f58bd5381509072e46ad79e859fb198335dcd49c2cb738bd76f1d37d24c0a7indicates -
f08cc922c5dab73f6a2534f8ceec8525604814ae7541688b7f65ac9924ace855indicates
Vulnerabilities (CVE) (27)
D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be …
- Published
- 05/08/2025
- Modified
- 27/05/2026
Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.
- Attack vector
- Network
- Published
- 25/08/2025
- Modified
- 27/05/2026
A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …
- Attack vector
- Network
- Published
- 14/08/2025
- Modified
- 27/05/2026
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …
- Attack vector
- Network
- Published
- 17/07/2023
- Modified
- 27/05/2026
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through …
- Attack vector
- Network
- Published
- 14/11/2025
- Modified
- 27/05/2026
Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.
- Attack vector
- Network
- Published
- 13/08/2025
- Modified
- 27/05/2026
Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary …
- Attack vector
- NETWORK
- Complexity
- Low
- Published
- 28/08/2025
- Modified
- 18/06/2026
Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload …
- Attack vector
- Network
- Published
- 18/08/2025
- Modified
- 27/05/2026
D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands …
- Attack vector
- Network
- Published
- 05/08/2025
- Modified
- 27/05/2026
RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 12/08/2025
- Modified
- 27/05/2026
Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account …
- Attack vector
- Adjacent
- Published
- 25/08/2025
- Modified
- 27/05/2026
Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 27/05/2026