Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine
Essential information
- Published
- 25/11/2025 18:11
- Modified
- 21/12/2025 18:02
- Tags
- 2025-11-25 fakeupdate gru malvertising mythic agent socgholish ta569 ukraine vipertunnel
- Related entities
- 1 vulnerabilities (cve), 8 observables, 1 intrusion sets (apt), 7 techniques (mitre), 4 malware, 16 others
Description
Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using fake update lures to deliver malware, and executing malicious JavaScript on victim hosts. The targeted company had ties to Ukraine, aligning with RomCom's focus on entities supporting Ukraine. Evidence suggests Russia's GRU unit 29155 is leveraging SocGholish for targeting. The attack was thwarted by Arctic Wolf's Aurora Endpoint Defense, which detected and quarantined the RomCom loader upon delivery.