216.73.217.176

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

· Published 25/11/2025 18:11 · Modified 21/12/2025 18:02

Export JSON

Essential information

Published
25/11/2025 18:11
Modified
21/12/2025 18:02
Tags
2025-11-25 fakeupdate gru malvertising mythic agent socgholish ta569 ukraine vipertunnel
Related entities
1 vulnerabilities (cve), 8 observables, 1 intrusion sets (apt), 7 techniques (mitre), 4 malware, 16 others

Description

Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via , operated by . This marks the first observed instance of a RomCom payload being distributed through . The attack chain involved compromising legitimate websites, using fake update lures to deliver malware, and executing malicious JavaScript on victim hosts. The targeted company had ties to , aligning with RomCom's focus on entities supporting . Evidence suggests Russia's unit 29155 is leveraging for targeting. The attack was thwarted by Arctic Wolf's Aurora Endpoint Defense, which detected and quarantined the RomCom loader upon delivery.

External references