{
	"id": "c7d26f3f-0026-47d2-a54d-e244ba97c07d",
	"created_at": "2026-04-06T00:11:56.408018Z",
	"updated_at": "2026-04-10T13:11:43.808829Z",
	"deleted_at": null,
	"sha1_hash": "17bdc60e1fa40052b03ec7410e00b1d1bfbee9d4",
	"title": "Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6138727,
	"plain_text": "Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in\r\nThreat Actors’ Goals\r\nPublished: 2023-05-30 · Archived: 2026-04-02 10:37:28 UTC\r\nWith contributions from Veronica Chierzi and Jayvee Mark Villaroman\r\nSince the start of the war in Ukraineopen on a new tab in February 2022, the number of cyber campaigns against\r\nUkraine and North Atlantic Treaty Organization (NATO) countries has increased significantly. These campaigns\r\ncome from many different angles: known advanced persistent threat (APT) actors, APT actors that were not\r\npublicly reported on before, and cyber mercenaries, hacktivists, and criminal actors who appear to have shifted\r\nfrom purely financial motives to geopolitical goals. In the past, these actors had different motivations, mode of\r\noperations, and targets, but the line between their campaigns has started to blur: Not only is an overlap in their\r\ntargeting becoming apparent, but the distinction between their modes of operation is less clear. For instance, in\r\n2022, one of Contiopen on a new tab’s affiliates was found to be using its initial access techniques against\r\nUkraineopen on a new tab instead of using them to spread ransomwareopen on a new tab.\r\nAnother example of this is Void Rabisu, also known as Tropical Scorpius, an actor believed to be associated with\r\nCuba ransomwareopen on a new tab and the RomCom backdoor. Because of its many ransomware attacks, Void\r\nRabisu was believed to be financially motivated, even though its associated Cuba ransomware allegedly attacked\r\nthe parliament of Montenegro in August 2022open on a new tab, which could be considered part of a geopolitical\r\nagenda. 
The motives of Void Rabisu seem to have changed since at least October 2022, when Void Rabisu’s\r\nassociated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and\r\nmilitary: In a campaign in December 2022, a fake version of the Ukrainian army’s DELTA situational awareness\r\nwebsiteopen on a new tab was used to lure targets into installing the RomCom backdoor. Normally, this kind of\r\nbrazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators\r\nclearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were\r\ntypically associated with cybercrime.\r\nTrend Micro’s telemetry and research corroborates that the RomCom backdoor has been used in geopolitically\r\nmotivated attacks since at least October 2022, with targets that included organizations in Ukraine’s energy and\r\nwater utility sectors. Targets outside of Ukraine were observed as well, such as a provincial local government that\r\nprovides help to Ukrainian refugees, a parliament member of a European country, a European defense company,\r\nand various IT service providers in Europe and the US. Independent research from Google showed that RomCom\r\nwas being used in campaigns against attendees of the Masters of Digital conferenceopen on a new tab, a\r\nconference organized by DIGITALEUROPE, and the Munich Security Conference.\r\nIn this blog entry, we will discuss how the use of the RomCom backdoor fits into the current landscape, where\r\npolitically motivated attacks are not committed by nation-state actors alone. Even though we cannot confirm\r\ncoordination between the different attacks, Ukraine and countries who support Ukraine are being targeted by\r\nvarious actors, like APT actors, hacktivists, cyber mercenaries, and cybercriminals like Void Rabisu. 
We will also delve into how RomCom has evolved over time and how the backdoor is spread both by methods that look like\r\nhttps://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html\r\nPage 1 of 33\n\nAPT, as well as methods used by prominent cybercriminal campaigns taking place currently, to show that RomCom is using more detection evasion techniques that are popular among the most impactful cybercriminals. We assess that RomCom makes use of the same third-party services that are being utilized by other criminal actors as well, like malware signing and binary encryption. RomCom has been spread through numerous lure sites that are sometimes set up in rapid bursts. These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult. Void Rabisu is one of the most evident examples of financially motivated threat actors whose goals and motivations are becoming more aligned under extraordinary geopolitical circumstances, and we anticipate that this will happen more in the future.\r\nRomCom campaigns\r\nWe have been tracking RomCom campaigns since the summer of 2022, and since then, have seen an escalation in its detection evasion methods: Not only do the malware samples routinely use VMProtect to make both manual and automated sandbox analysis more difficult, they also utilize binary padding techniques on the payload files. This adds a significant amount of overlay bytes to the files, increasing the size of the malicious payload (we have seen a file of 1.7 gigabytes). Additionally, a new routine has recently been added that involves the encryption of the payload files, which can only be decrypted if a certain key is downloaded to activate the payload.\r\nIn addition to these technical evasion techniques, RomCom is being distributed using lure sites that often appear legitimate and are being utilized in narrow targeting. This makes automated blocking of these lure websites through web reputation systems harder. Void Rabisu has been using Google Ads to entice their targets to visit the lure sites, similar to a campaign that distributed the IcedID botnet in December 2022. A key difference is that while IcedID’s targeting was wider, Void Rabisu probably opted for the narrower targeting that Google Ads offers to its advertisers. RomCom campaigns also make use of highly targeted spear phishing emails.\r\nOn the RomCom lure sites, targets are offered trojanized versions of legitimate applications, like chat apps such as AstraChat and Signal, PDF readers, remote desktop apps, password managers, and other tools that are typically used by system administrators. 
\r\ndirwinstat.com (as of April 4, 2023)\r\ndevolrdm.com (as of March 23, 2023)\r\nvectordmanagesoft.com (as of March 22, 2023)\r\ncozy-sofware.com (as of March 13, 2023)\r\ndevolutionrdp.com (as of March 6, 2023)\r\nastrachats.com (as of February 27, 2023)\r\nchatgpt4beta.com (as of February 23, 2023)\r\nsingularlabs.org (as of January 30, 2023)\r\ngotomeet.us (as of December 14, 2022)\r\ngllmp.com (as of December 8, 2022)\r\nlnfo-messengers.com (as of November 3, 2022)\r\npass-shield.com (as of October 15, 2022)\r\npdffreader.com (as of October 12, 2022)\r\nveeame.com (as of September 9, 2022)\r\nnpm-solar.com (as of July 31, 2022)\r\nadvanced-ip-scanners.com (as of July 20, 2022)\r\nTable 1. RomCom lure sites\r\nImage credit: DomainTools\r\nAs reported by the Ukrainian Computer Emergency Response Team (CERT-UA) in the fall of 2022, RomCom was used in specific campaigns against Ukrainian targets, including the Ukrainian government and the Ukrainian military. Trend Micro’s telemetry confirms this targeting, and, as shown in a selection of the numerous RomCom campaigns over time (Table 1), it is immediately clear that RomCom already had Ukrainian-language social engineering lures back in October and November 2022.\r\nWe count a few dozen lure websites that have been set up since July 2022. RomCom shows a mix in its targeting methodologies, combining typical cybercriminal TTPs with TTPs that are more common for APT actors. 
For example, RomCom used spear phishing against a member of a European parliament in March 2022, but targeted a European defense company in October 2022 with a Google Ads advertisement that led to an intermediary landing site that would redirect to a RomCom lure site. That intermediary landing site used the domain name “kagomadb[.]com,” which was later used for Qakbot and Gozi payloads in December 2022.\r\nAmong the targets we have seen based on Trend Micro’s telemetry were a water utility company, entities in the financial and energy sectors, and an IT company in Ukraine. Outside Ukraine, other targets included a local government agency that supports Ukrainian refugees, a defense company in Europe, a high-profile European politician, several IT service providers in Europe and the US, a bank in South America, and a couple of targets located in Asia. Combined with the targets that were published by CERT-UA and Google, a clear picture emerges of the RomCom backdoor’s targets: select Ukrainian targets and allies of Ukraine.\r\nRomCom 3.0: The AstraChat Campaign\r\nIn this section, we will analyze one of the RomCom backdoor samples that was used in February 2023 against targets in Eastern Europe. Previous RomCom versions analyzed by Palo Alto's Unit 42 use a modular architecture and support up to 20 different commands. Since then, the malware has evolved significantly in terms of the number of supported commands, but its modular architecture remains almost unchanged. The threat actor behind RomCom 3.0 also makes use of different techniques to drop and execute the malware. This analysis is based on a campaign that embedded RomCom 3.0 in an AstraChat instant messaging software installation package.\r\nDropper\r\nThe file astrachat.msi is a Microsoft Installer (MSI) archive. Despite installing files related to legitimate AstraChat software, it unpacks a malicious InstallA.dll file and calls its Main() function (Figure 1).\r\nFigure 1. CustomAction table from a RomCom MSI dropper\r\nThe InstallA.dll file extracts three Dynamic Link Library (DLL) files under the %PUBLIC%\\Libraries folder:\r\nprxyms\u003cnumber\u003e.dll\r\nwinipfile\u003cnumber\u003e.dll0\r\nnetid\u003cnumber\u003e.dll0\r\nThe number in these DLL file names is an integer derived from the Machine GUID read from the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid.\r\nPersistence\r\nFor persistence, RomCom uses COM hijacking, hence its name. InstallA.dll writes the following registry value in the Windows Registry:\r\n[HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\\InProcServer32]\r\n@=\"%PUBLIC%\\\\Libraries\\\\prxyms\u003cnumber\u003e.dll\"\r\nThis overrides the same key under the HKEY_LOCAL_MACHINE hive, causing processes that request this Class ID (CLSID) to load the RomCom loader DLL at %PUBLIC%\\Libraries\\prxyms\u003cnumber\u003e.dll. One such process is explorer.exe, which is restarted by the RomCom dropper, so the loader DLL is called.\r\nThe RomCom loader also redirects calls to its exported functions to the legitimate actxprxy.dll by making use of forwarded exports (Figure 2).\r\nFigure 2. Forwarded exports from the RomCom 3.0 loader (prxyms\u003cnumber\u003e.dll)\r\nHowever, before a call is forwarded, the malicious code at the DLL entry point of the RomCom loader runs. 
This code uses rundll32.exe to execute the exported Main() function from both winipfile\u003cnumber\u003e.dll0 and netid\u003cnumber\u003e.dll0.\r\nArchitecture\r\nRomCom 3.0 is divided into three components: a loader, a network component that interacts with the command-and-control (C\u0026C) server, and a worker component that performs the actions on the victim’s machine. The network component is handled by netid\u003cnumber\u003e.dll0, which is responsible for receiving commands from the C\u0026C server and sending back their results. When this component receives a command, the command is sent through a localhost socket to winipfile\u003cnumber\u003e.dll0, which handles the worker component, as shown in Figure 3. If the initial loopback addresses or ports are in use, both components try to find other available combinations.\r\nFigure 3. Overall RomCom 3.0 architecture\r\nBot Commands\r\nRomCom 3.0 commands are received as responses to HTTP POST requests made by the malware’s network component.\r\nFigure 4. RomCom 3.0 command structure\r\nFigure 4 shows an example of command 5 – a command to download a file to the victim's machine – being received. The ID used for communication is 0x950, and command 0x05 is received with additional data. In this case, the additional data tells the malware running on the infected machine that the downloaded file should occupy 939 (0x3ac – 1) 4KB blocks. The file itself is downloaded in a separate response, so in this instance, the final file size on the victim’s side will be 3,846,144 bytes. As an evasion technique, null bytes are appended to the file to achieve this result. 
The contents of the additional data field may vary according to the command.\r\nIn RomCom 3.0, we could enumerate 42 valid commands, as shown in Table 2. This is a high number of commands for a regular backdoor, but a few commands are simply variations of others.\r\nCommand: Purpose (from the victim’s perspective)\r\n1: Send information about connected drives\r\n2: Send a list of file names under a specified directory\r\n3: Start cmd.exe to run an existing program\r\n4: Upload a specified file to the C\u0026C server\r\n5: Download a file to the victim's machine\r\n6: Delete a specified file on the victim's machine\r\n7: Delete a specified directory on the victim's machine\r\n8: Spawn a given process with PID spoofing (the PID is also given as part of the command data)\r\n12: Call startWorker() from %PUBLIC%\\Libraries\\PhotoDirector.dll, then send %PUBLIC%\\Libraries\\PhotoDirector.zip to the C\u0026C server and delete it\r\n13: Call startWorker() from %PUBLIC%\\Libraries\\PhotoDirector.dll and write screen information to %PUBLIC%\\Libraries\\update.conf\r\n14: Upload %PUBLIC%\\Libraries\\PhotoDirector.zip to the C\u0026C server and delete it\r\n15: Send a list of running processes with their PIDs\r\n16: Send a list of installed software\r\n17: Delete the worker component (winipfile\u003cnumber\u003e.dll0)\r\n18: Download a file and save it to %PUBLIC%\\Libraries\\PhotoDirector.dll\r\n19: Download a file, save it to %PUBLIC%\\Libraries\\BrowserData\\procsys.dll, and call its stub() exported function\r\n20: Download a ZIP archive likely containing 3proxy and plink (see command 21)\r\n21: Use 3proxy and plink to set up a proxy via SSH. The IP address, password, local, and remote ports are received as command parameters. The SSH server username is fixed as “john.”\r\n22: Kill the 3proxy.exe and plink.exe processes\r\n23: Download a file and save it to %PUBLIC%\\Libraries\\upd-fil\u003cnumber\u003e.dll0 to update the worker\r\n24: Send the contents of %PUBLIC%\\Libraries\\BrowserData\\Result\r\n25: Duplicate the worker\r\n26: Send the Windows version\r\n29: Download freeSSHd from the C\u0026C server\r\n30: Run freeSSHd and use plink to create a reverse connection with 51.195.49.215 using “john” as the username and “eK6czNHWCT569L1xK9ZH” as the password\r\n31: Kill the freeSSHd process\r\n32: Send .txt, .rtf, .xls, .xlsx, .ods, .cmd, .pdf, .vbs, .ps1, .one, .kdb, .kdb, .doc, .doc, .odt, .eml, .msg, and .email files in the Downloads, Documents, and Desktop folders under %USERPROFILE%\r\n34: Run AnyDesk on the victim’s machine in a hidden window and send the AnyDesk ID to the C\u0026C server\r\n35: Kill the AnyDesk process and delete its executable\r\n36: Download the AnyDesk executable and save it to %PUBLIC%\\Libraries\\dsk.exe\r\n38: Download a file and save it to %PUBLIC%\\Libraries\\wallet.exe\r\n39: Download a file and save it to %PUBLIC%\\Libraries\\7z.dll\r\n40: Download a file and save it to %PUBLIC%\\Libraries\\7z.exe\r\n41: Send the contents of %PUBLIC%\\Libraries\\tempFolder compressed with 7-Zip\r\n42: Download a file and save it to %PUBLIC%\\Libraries\\7za.exe\r\n43: Use %PUBLIC%\\Libraries\\7za.exe to compress a given folder to a fold.zip archive and send the compressed archive to the C\u0026C server\r\n44: Kill the PhotoDirector.dll process\r\n45: Download a file and save it to %PUBLIC%\\Libraries\\msg.dll\r\n46: Call the stW() function exported by %PUBLIC%\\Libraries\\msg.dll\r\n47: Download a file and save it to %PUBLIC%\\Libraries\\FileInfo.dll\r\n48: Call the fSt() function exported by %PUBLIC%\\Libraries\\FileInfo.dll\r\n49: Update the network component\r\nTable 2. RomCom 3.0 commands\r\nAdditional Malware\r\nBased on messages sent back to the C\u0026C server and how the commands use these files, we can infer the purpose of a few additional components:\r\nPhotoDirector.dll – a program that takes one or more screenshots and compresses them into a %PUBLIC%\\Libraries\\PhotoDirector.zip archive\r\nprocsys.dll – a stealer known as STEALDEAL that retrieves browser cookies and writes them to %PUBLIC%\\Libraries\\BrowserData\\Result\r\nwallet.exe – a crypto wallet grabber that writes stolen information to %PUBLIC%\\Libraries\\tempFolder\r\nmsg.dll – an instant messaging grabber that steals chat messages\r\nFileInfo.dll – a stealer of FTP credentials, or a component that makes the victim’s machine upload files to an FTP server\r\nDespite these additional pieces of malware, RomCom 3.0 also seems to have commands to download and run legitimate software:\r\ndsk.exe – a portable version of the AnyDesk software\r\n7z.dll, 7z.exe, and 7za.exe – files related to the 7-Zip program\r\nSTEALDEAL\r\nThe stealer that is downloaded through RomCom’s C\u0026C servers is a relatively simple one that steals stored credentials and browsing history from the following browsers:\r\nGoogle Chrome\r\nMicrosoft Edge\r\nMozilla Firefox\r\nChromium\r\nChrome Beta\r\nYandex Browser\r\nThe stealer also collects information on installed mail clients. The stolen data is stored locally on the victim’s machine at %PUBLIC%\\Libraries\\BrowserData\\Result, and through C\u0026C command 24, this data is exfiltrated through a RomCom C\u0026C server. We detect the stealer as TrojanSpy.Win64.STEALDEAL, which is also known as SneakyStealer.\r\nEvasion Techniques\r\nRomCom 3.0 binaries are protected with VMProtect. 
Some binaries are also signed with valid certificates. Because the actors decided to use VMProtect’s anti-VM feature, any attempt to run it in a virtual machine (VM) without modification or VM hardening will cause the malware to show an error message and exit (Figure 5).\r\nFigure 5. Default VMProtect anti-VM detection in RomCom 3.0 samples\r\nAnother interesting technique RomCom uses is appending null bytes to the files received from a C\u0026C server. Making the file bigger can be an attempt to avoid sandbox products or security software scanners that impose a file size limit.\r\nIn later versions of RomCom, the binary that is hosted on a lure site contains an encrypted payload. To correctly decrypt the payload, it needs to reach out to a web server at the IP address 94.142.138.244 and download the decryption key. We suspect this website is a third-party service that is also being used by other malware, including the Vidar stealer that is also known as StealC. Also, recent RomCom droppers have stopped dropping the worker component. Instead, the network component downloads it from the C\u0026C server.\r\nPacket Structure and Communications Flow\r\nBased on our observations of the communication between victim machines and RomCom C\u0026C servers, we were able to determine what the packet structure of this communication looks like (Figure 6). Initially, the client reaches out to the server with information on the victim’s computer, such as its Universally Unique Identifier (UUID), username, and computer name. The server then responds with a session ID that is four bytes long, as mentioned previously. This session ID is then incremented by one on the first byte by the C\u0026C server with each command that is sent to the victim machine.\r\nFigure 6. Packet structure of the observed packets\r\nOne of the first commands we observed was command 3, which uses cmd.exe to run an nltest command with the argument /domain_trusts. This is done to gather information on any domains that the victim machine may know about. Once the command is finished, it returns the results of the command with the session ID five bytes in; the first four bytes are unknown at this time, but we observed that the first byte will be 0x01 if it is returning data to the server, or 0x00 if it is receiving data from the server. The C\u0026C server then appears to ask for specific information in an automated manner, as the same requests are sent in quick succession (Figure 7). From our analysis, we have determined that the server is asking the victim machine to:\r\n1. Return the output of nltest /domain_trusts with command 3\r\n2. Download StealDeal to collect certain information\r\n3. Use StealDeal to collect cookies and other information from the victim’s machine\r\n4. Collect files from the Desktop, Documents, and Downloads folders using command 32\r\nFigure 7. Flow of the communication between the C\u0026C server and victim machine\r\nUse of fake companies and websites\r\nThe malware uses certificates to lend credibility to the software that the targeted victims download. On the surface, the companies that are signing these binaries look like legitimate companies that have undergone the process of becoming a signer of these certificates. However, a closer look at these companies’ websites reveals several oddities, including non-existent phone numbers, stock photos of executives, and office addresses that do not seem to match. 
This leads us to believe these are either fake companies or legitimate companies that are being abused in order to pass the checks needed to become an authorized signer of binaries.\r\nThe RomCom 3.0 sample that was used in the AstraChat campaign was signed by a Canadian company called Noray Consulting Ltd., which has a LinkedIn page (Figure 8), a website, and even a listing in a business registry in Canada (Figure 9).\r\nFigure 8. Screenshot of Noray Consulting's LinkedIn page\r\nFigure 9. Ontario business registry search results for Noray Consulting\r\nThe company’s LinkedIn page goes on to mention that Noray Consulting works on SOX compliance, an annual audit mandated by the Sarbanes-Oxley Act (SOX), as well as other areas of risk control. However, the LinkedIn page also points to a website, noray[.]ca, that does not exist.\r\nAs the company claims to be based in Ontario according to its LinkedIn page, we looked for any information about it in public records for businesses in Canada. It appears that in 2020, the owners of Noray Consulting changed the name of the company to just “Noray.” This new company is not related to any of the things mentioned in this blog post and, from what we can tell, is not doing anything malicious. It appears that the actors are watching out for companies that become inactive, or are in a similar status, and then appropriate these companies’ names.\r\nInternet searches for Noray Consulting show that its main website has a non-matching domain name, firstbyteconsulting[.]com. The website used to be for a company that specialized in project management. This domain appears to have expired in 2020, but was bought and repurposed to resemble the website from before 2020. What ties this domain to Noray Consulting now is that the address details on the website match those found on Noray Consulting’s LinkedIn page: a Canadian company in Milton, Ontario. The contact page has a map that shows the company’s location, but the map is in Russian (Figure 10). This could mean that the person who made this Google map had their primary language set to Russian, which would be unusual for a seemingly Canadian-based company.\r\nFigure 10. Screenshot of the website’s contact page map\r\nWe also found that the people mentioned on their website are likely stock images or AI-generated photos of people who are not related in any way to the business, as shown in Figure 11.\r\nFigure 11. Screenshot of the website’s team members page\r\nFurther investigation reveals that Figure 11 has a number of red flags:\r\nNone of these people appear to have real personas on the internet\r\nReverse image search reveals these are stock photo images used on several sites\r\nTwo members of the team have the same job title of \"Manager, HR Process and Compensation\"\r\nWe have also observed that the text in other parts of Noray Consulting’s website has been at least partially copied from other websites. This illustrates that these actors are trying to make the sites believable, offering what seem like realistic services that were lifted from real companies found online.\r\nVoid Rabisu has had many lure websites that attempt to convince targets to download trojanized legitimate applications. These lure sites look legitimate at first, but usually have similar oddities on the websites. 
For example, one site listed the business address of a shopping mall and the contact phone number of a grocery store.\r\nFigure 12. Screenshot of the contact information of a Void Rabisu lure site\r\nWe can link the two Canadian companies that were used to sign RomCom binaries in the AstraChat campaign and a campaign against the Ukrainian armed forces with more than 80 other mostly Canadian companies in total, based on an analysis of internet infrastructure. Among these 80 other mostly Canadian companies, about two dozen companies were used to sign other malware binaries like Emotet, Matanbuchus Loader, BatLoader, another backdoor known as SolarMarker, and coinminers. This makes us believe that Void Rabisu is likely to be using a third-party service that aids in signing binaries with certificates of seemingly legitimate Canadian companies.\r\nConclusions and Recommendations\r\nThe war against Ukraine has made cyber campaigns against Ukraine, Eastern Europe, and NATO countries more visible for two reasons: the number of attacks has increased dramatically, and both the private and public sectors are looking closely at what happens in Ukraine. More information from intelligence agencies is being declassified by Western governments, so privately owned companies can investigate further for themselves. Another important factor is that many actors who previously had different motivations are becoming more aligned towards the same goal, even when their campaigns do not appear to be part of a coordinated effort.\r\nThe line is blurring between cybercrime driven by financial gain and APT attacks motivated by geopolitics, espionage, disruption, and warfare. Since the rise of Ransomware-as-a-Service (RaaS), cybercriminals are now using advanced tactics and targeted attacks that were previously thought to be the domain of APT actors. Inversely, tactics and techniques that were previously used by financially motivated actors are increasingly being used in attacks with geopolitical goals.\r\nCurrently, APT actors like Pawn Storm and APT29, cyber mercenaries like Void Balaur, hacktivism groups like Killnet, along with cybercriminals like former Conti affiliates and Void Rabisu, are targeting Ukraine and its allies, but their campaigns do not yet look coordinated. We expect that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region. This will lead to new challenges for defenders, as attacks can then come from many different angles, and it will be less clear who is the actor responsible for them.\r\nBased on our analysis, we believe the following activity should be monitored on endpoints:\r\nDownloading and executing MSI packages that contain entries in CustomAction tables referring to DLL exported functions\r\nWrite access to SOFTWARE\\Classes\\CLSID\\\u003cCLSID\u003e under both HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM), which can be a sign of COM hijacking\r\nInitiation of localhost sockets by rundll32.exe, as RomCom DLLs are loaded by this process; we observed that RomCom listens on the port range 5554-5600 when setting up localhost sockets\r\nBinary padding with null bytes, a known technique to evade scanners. Although RomCom didn’t use this feature in our tests, it is present in command 5. 
We included a YARA ruleset to look for such files in our\r\nGitHub research repository.\r\nBinary padding with non-zero data, which we observed in one sample when it was dropping another. This\r\nalone is not malicious, but it is worth flagging once detected for further investigation.\r\nEndpoint solutions like Trend Micro's Smart Protection Suites and Worry-Free Business\r\nSecurity solutions also offer protection for both users and businesses against threats like\r\nRomCom. These solutions come equipped with behavior-monitoring capabilities that enable them to detect\r\nmalicious files, scripts, and messages. They can also block all related malicious URLs. Additionally, the Trend\r\nMicro™ Deep Discovery™ solution includes an email inspection layer that\r\ncan identify and protect enterprises from malicious attachments and URLs. 
By leveraging these powerful tools,\r\nusers and businesses can effectively defend themselves against the damaging effects of RomCom and other similar\r\nthreats.\r\nIndicators of Compromise\r\nDownload the full list of indicators here.\r\nMITRE ATT\u0026CK\r\nID | Name | Description\r\nT1583.008 | Acquire Infrastructure: Malvertising | RomCom uses malvertising to redirect targets to lure websites from which to download fake installer applications\r\nT1566.002 | Phishing: Spear Phishing Link | RomCom sent highly targeted spear phishing emails\r\nT1027.002 | Obfuscated Files or Information: Software Packing | RomCom uses VMProtect\r\nT1027.001 | Obfuscated Files or Information: Binary Padding | RomCom uses binary padding on dropped files to avoid security solutions\r\nT1546.015 | Event Triggered Execution: Component Object Model Hijacking | RomCom uses COM hijacking for persistence\r\nT1571 | Non-Standard Port | RomCom listens on port ranges 5554 to 5600 for communication between dropped components\r\nT1071.001 | Application Layer Protocol: Web Protocols | RomCom uses HTTPS for C\u0026C communications\r\nT1555.003 | Credentials from Password Stores: Credentials from Web Browsers | RomCom uses a stealer to gather credentials of several browsers\r\nT1113 | Screen Capture | RomCom can capture screenshots of the victim's machine\r\nT1219 | Remote Access Software | RomCom's backdoor has a functionality to run AnyDesk application\r\nSource: https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
	],
	"report_names": [
		"void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17bdc60e1fa40052b03ec7410e00b1d1bfbee9d4.pdf",
		"text": "https://archive.orkl.eu/17bdc60e1fa40052b03ec7410e00b1d1bfbee9d4.txt",
		"img": "https://archive.orkl.eu/17bdc60e1fa40052b03ec7410e00b1d1bfbee9d4.jpg"
	}
}