RomCom

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to intrusion sets

· Published 20/12/2025 23:51 · Modified 27/05/2026 15:52 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 20/12/2025 23:51
Modified: 27/05/2026 15:52
Updated at: 27/05/2026 15:52
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 5 reports, 82 attack patterns (mitre), 13 malware, 19 sectors, 17 countries, 100 indicators, 27 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (5)

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent …

1 CVE 7 MITREs 4 Malwares 8 Observables 1 APT
August Vulnerabilities of Note

20 CVEs 12 MITREs 3 Malwares 11 Observables 1 APT
Update WinRAR tools now: RomCom and others exploiting …

2 CVEs 3 Malwares 9 Observables 1 APT
Inside SnipBot: The Latest RomCom Malware Variant

21 MITREs 2 Malwares 38 Observables 1 APT
Ransomware Roundup - Underground

1 CVE 15 MITREs 1 Malware 4 Observables 1 APT

Attack patterns (MITRE) (82)

T1078 uses

Valid Accounts MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1574.001 uses

DLL MITRE
T1047 uses

Windows Management Instrumentation MITRE
T1083 uses

File and Directory Discovery MITRE
T1217 uses

Browser Information Discovery MITRE
T1546 uses

Event Triggered Execution MITRE
T1497 uses

Virtualization/Sandbox Evasion MITRE
T1543.003 uses

Windows Service MITRE
T1049 uses

System Network Connections Discovery MITRE
T1112 uses

Modify Registry MITRE
T1113 uses

Screen Capture MITRE

← Previous

Page / 7

1–12 of 82

VIPERTUNNEL uses

Family
SnipBot uses

Family
Underground uses

Family
Mythic uses

Family
QakBot uses

Family
RomCom backdoor uses
Hancitor uses
RomCom uses

Family
FAKEUPDATE uses

Family
Mythic Agent uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mythic C2 agent uses

Family
RustyClaw uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 13

Legal targets
Pharmacy and drugs manufacturing targets
Insurance services targets
Consulting targets
Government targets
Energy targets
Technology targets
Healthcare targets
Finance targets
Information Technologies Consulting targets
Logistics targets
Manufacturing targets

← Previous

Page / 2

1–12 of 19

Korea, Democratic People's Republic of targets
Slovakia targets
United States of America targets
United Kingdom of Great Britain and Northern Ireland targets
Korea, Republic of targets
Australia targets
Netherlands targets
Canada targets
France targets
Germany targets
British Indian Ocean Territory targets
Singapore targets

← Previous

Page / 2

1–12 of 17

e0cbe8f18315a2ee781de48565dc8a087a1564557c42c66067f65c267120c894 indicates
http://74.50.94.156/MSHTML_C7/zip_k.asp?d= indicates
104.238.61.141 indicates

stix 100/100 Revoked

· Valid until 19/12/2025 · Source: AlienVault
60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315 indicates
orlandoscreenenclosure.net indicates

stix 100/100 Revoked

· Valid until 22/04/2026 · Source: AlienVault
ozivoice.com indicates

stix 100/100 Revoked

· Valid until 22/04/2026 · Source: AlienVault
https://srlaptop.com/s/0.7.8/clarity.js indicates

stix 100/100 Revoked

· Valid until 01/11/2025 · Source: AlienVault
f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c indicates
basilic.info indicates

stix 100/100 Revoked

· Valid until 22/04/2026 · Source: AlienVault
9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f indicates
b5731baa7920b4649add429fc4a025142ce6a1e1adacb45850470ca4562d5e37 indicates
1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154 indicates

← Previous

Page / 9

25–36 of 100

Vulnerabilities (CVE) (27)

CVE-2020-25078 KEV targets

D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be …

Published: 05/08/2025
Modified: 27/05/2026

CVE-2025-48384 KEV targets

8.0 High

Git contains a link following vulnerability that stems from Git’s inconsistent handling of carriage return characters in configuration files.

Attack vector: Network
Published: 25/08/2025
Modified: 27/05/2026

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2023-36884 KEV targets

7.5 High

Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …

Attack vector: Network
Published: 17/07/2023
Modified: 27/05/2026

CVE-2025-64446 KEV targets

9.8 Critical

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through …

Attack vector: Network
Published: 14/11/2025
Modified: 27/05/2026

Analyzed

CVE-2025-8876 KEV targets

9.4 Critical

Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1.

Attack vector: Network
Published: 13/08/2025
Modified: 27/05/2026

Analyzed

CVE-2025-57819 KEV targets

9.8 Critical

Sangoma FreePBX contains an authentication bypass vulnerability due to insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator leading to arbitrary …

Attack vector: NETWORK
Complexity: Low
Published: 28/08/2025
Modified: 18/06/2026

CWE-89

CVE-2025-54948 KEV targets

9.4 Critical

Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload …

Attack vector: Network
Published: 18/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2022-40799 KEV targets

8.8 High

D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands …

Attack vector: Network
Published: 05/08/2025
Modified: 27/05/2026

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2024-8069 KEV targets

8.0 High

Citrix Session Recording contains a deserialization of untrusted data vulnerability that allows limited remote code execution with privilege of a NetworkService Account …

Attack vector: Adjacent
Published: 25/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2021-40444 KEV targets

Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 27/05/2026

← Previous

Page / 3

1–12 of 27

Contact About Legal notice Privacy policy Terms of use

RomCom

Essential information

Description

Marking (TLP)

Related entities

Reports (5)

Attack patterns (MITRE) (82)

Malware (13)

Sectors (19)

Countries (17)

Indicators (100)

Vulnerabilities (CVE) (27)