RomCom
Essential information
- Confidence
- 100/100
- Published
- 20/12/2025 23:51
- Modified
- 27/05/2026 15:52
- Updated at
- 27/05/2026 15:52
- Revoked
- No
- Author / Source
- AlienVault
- Resource level
- —
- Primary motivation
- —
- Related entities
- 5 reports, 82 attack patterns (mitre), 13 malware, 19 sectors, 17 countries, 100 indicators, 27 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
-
1 CVE 7 MITREs 4 Malwares 8 Observables 1 APT
-
20 CVEs 12 MITREs 3 Malwares 11 Observables 1 APT
-
2 CVEs 3 Malwares 9 Observables 1 APT
-
21 MITREs 2 Malwares 38 Observables 1 APT
-
1 CVE 15 MITREs 1 Malware 4 Observables 1 APT
Attack patterns (MITRE) (82)
-
T1074 usesData Staged MITRE
-
T1071 usesApplication Layer Protocol MITRE
-
T1547 usesBoot or Logon Autostart Execution MITRE
-
T1053.005 usesScheduled Task MITRE
-
T1072 usesSoftware Deployment Tools MITRE
-
T1564 usesHide Artifacts MITRE
-
T1005 usesData from Local System MITRE
-
Exploits usesT1588.005 MITRE
-
TA0011 uses
-
TA0040 uses
-
T1486 usesData Encrypted for Impact MITRE
-
T1562 usesImpair Defenses MITRE
Malware (13)
-
VIPERTUNNEL usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SnipBot usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Underground usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mythic usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
QuackBot usesThe MITRE Corporation Confidence 100
[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom backdoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hancitor usesFamily The MITRE Corporation Confidence 100
[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FAKEUPDATE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mythic Agent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mythic C2 agent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RustyClaw usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (19)
-
Legal targets
-
Pharmacy and drugs manufacturing targets
-
Insurance services targets
-
Consulting targets
-
Government targets
-
Energy targets
-
Technology targets
-
Healthcare targets
-
Finance targets
-
Information Technologies Consulting targets
-
Logistics targets
-
Manufacturing targets
Countries (17)
-
Korea, Democratic People's Republic of targets
-
Slovakia targets
-
United States of America targets
-
United Kingdom of Great Britain and Northern Ireland targets
-
Korea, Republic of targets
-
Australia targets
-
Netherlands targets
-
Canada targets
-
France targets
-
Germany targets
-
British Indian Ocean Territory targets
-
Singapore targets
Indicators (100)
-
stix 100/100 Revoked· Valid until 05/06/2024 · Source: AlienVault
-
1308146f161ed60c86532dd2d2de8de8b0401e27023fc56f83903f137fccacfdindicates -
stix 100/100 Revoked· Valid until 01/09/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 05/06/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 15/06/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 05/06/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 05/06/2024 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 05/06/2024 · Source: AlienVault
-
20f58bd5381509072e46ad79e859fb198335dcd49c2cb738bd76f1d37d24c0a7indicates -
f08cc922c5dab73f6a2534f8ceec8525604814ae7541688b7f65ac9924ace855indicates
Vulnerabilities (CVE) (27)
Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is …
- Attack vector
- Network
- Published
- 26/08/2025
- Modified
- 27/05/2026
D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service …
- Published
- 05/08/2025
- Modified
- 27/05/2026
Citrix Session Recording contains an improper privilege management vulnerability that could allow for privilege escalation to NetworkService Account access. An attacker must …
- Attack vector
- Adjacent
- Published
- 25/08/2025
- Modified
- 27/05/2026