{
  "name": "Ukrainian and Polish entities targeted with RomCom malware variants",
  "slug": "ukrainian-and-polish-entities-targeted-with-romcom-malware-variants",
  "description": "A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: the RustyClaw and MeltingClaw downloaders and the DustyHammock and ShadyHammock backdoors. The attacks involve spear-phishing campaigns delivering these malware components, which ultimately lead to the deployment of an updated version of the RomCom malware called SingleCamper. UAT-5647's activities suggest a focus on establishing long-term access for data exfiltration, with potential for future ransomware deployment. The group's tactics include network reconnaissance, lateral movement, and attempts to compromise edge devices for evasion purposes.",
  "published": "2024-10-17T14:16:38+00:00",
  "created_at": "2024-10-17T14:16:38+00:00",
  "modified_at": "2024-10-18T06:50:46+00:00",
  "created_at_opencti": "2024-10-17T14:16:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-17",
    "dustyhammock",
    "meltingclaw",
    "poland",
    "romcom",
    "russia",
    "rustclaw",
    "rustyclaw",
    "shadyhammock",
    "singlecamper",
    "ukraine"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:c24230ec57b82504",
        "name": "ShadyHammock",
        "slug": "shadyhammock"
      },
      {
        "id": "legacy:malware:12faa9d4b69e0b93",
        "name": "DustyHammock",
        "slug": "dustyhammock"
      },
      {
        "id": "legacy:malware:6e1f5609f605c8a7",
        "name": "MeltingClaw",
        "slug": "meltingclaw"
      },
      {
        "id": "d70c08a6-7802-4a7b-bb58-e230f0d565e9",
        "name": "RustyClaw",
        "slug": "rustyclaw"
      },
      {
        "id": "legacy:malware:3abf963995dd9132",
        "name": "SingleCamper",
        "slug": "singlecamper"
      },
      {
        "id": "legacy:malware:6c328d52ebf695c9",
        "name": "RomCom",
        "slug": "romcom"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e7b5f4b6-fa4f-4b34-8cc7-9b9cb3cb8c7e",
        "name": "UAT-5647",
        "slug": "uat-5647"
      }
    ],
    "attack_patterns": [
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      },
      {
        "id": "a15721d2-76b1-4869-bd1f-819afb6e368d",
        "name": "T1482"
      },
      {
        "id": "a2ba5594-6293-4868-928c-ab4b31927a02",
        "name": "T1572"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Poland"
      },
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/uat-5647-romcom/",
    "https://otx.alienvault.com/pulse/671138665921649e98001ab7"
  ]
}