{
	"id": "c1bcc298-98f1-477b-9c75-016c8cf781fd",
	"created_at": "2026-04-06T00:21:07.309358Z",
	"updated_at": "2026-04-10T13:12:20.354539Z",
	"deleted_at": null,
	"sha1_hash": "756478188a674ba930328c7c03f8ddf420bdc321",
	"title": "Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2164201,
	"plain_text": "Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to\r\nU.S. Companies Supporting Ukraine - Arctic Wolf\r\nBy Jacob Faires and the Arctic Wolf Labs team\r\nPublished: 2025-11-25 · Archived: 2026-04-05 18:23:11 UTC\r\nSummary \r\nIn September 2025, Arctic Wolf® Labs identified a U.S.-based company that was targeted by RomCom threat\r\nactors via SocGholish, operated by TA569. While the typical initial SocGholish infection chain was followed,\r\nroughly 10 minutes post-exploitation, RomCom’s targeted Mythic Agent loader was delivered to the system. This\r\nis the first time that a RomCom payload has been observed being distributed by SocGholish.\r\nBased on evidence uncovered during the course of this investigation, Arctic Wolf Labs assesses with a medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims. GRU is Russia’s\r\nlargest foreign intelligence agency, and Unit 29155 is typically tasked with offensive computer network operations\r\ntargeting global entities. Since early 2022, the primary focus of Unit 29155 has been disrupting international\r\nefforts to provide aid to Ukraine.\r\nThe victim targeted in the threat activity described here appears to be affiliated with Ukraine, underscoring\r\nRomCom’s tendency to target entities with ties to Ukraine, regardless of their geographic location.\r\nKey Points\r\nActor: TA569 is considered the primary threat actor deploying and maintaining SocGholish, typically used\r\nby financially-motivated cybercriminals. 
The operator serves as an Initial Access Broker (IAB), selling\r\naccess to compromised systems to ransomware affiliates.\r\nActivity: The attackers compromise legitimate websites and use fake update lures to deliver malware.\r\nTechnique: Malicious JavaScript executes on the victim host, installing loaders that fetch additional\r\npayloads and maintain long-term access.\r\nImpact: Infections are frequently linked to ransomware deployment, making a SocGholish compromise a\r\nthreat with a potentially high business impact.\r\nThanks to our continuous monitoring of these threat actors, Arctic Wolf customers were already protected. Our AI-powered Arctic Wolf® Aurora™ Platform included detections and threat intelligence content related to\r\nRomCom/TA569 activities. In the observed case, Arctic Wolf® Aurora™ Endpoint Defense immediately detected\r\nand quarantined the malicious RomCom loader upon delivery, effectively preventing a compromise.\r\nWeaponization and Technical Overview\r\nWeapons: RomCom Mythic loader, VIPERTUNNEL, SocGholish FAKEUPDATE\r\nAttack Vector: Malvertising (fake update lure served from compromised websites)\r\nNetwork Infrastructure: Mythic C2\r\nTargets: Civil engineering firm based in the U.S.\r\nhttps://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/\r\nPage 1 of 14\r\nContext\r\nIntroducing RomCom\r\nActive since at least mid-2022, the Russian-aligned threat group RomCom has been a persistent threat to largely\r\nUkrainian-based organizations, including those that support the government and military. RomCom (also known\r\nas Storm-0978, Tropical Scorpius, or UNC2596) has often been seen in the past targeting organizations and\r\nindividuals associated with Ukraine, no matter how tenuous the connection. 
RomCom’s highly comprehensive\r\ncapabilities demonstrate beyond a reasonable doubt that the group is a nation-state-affiliated threat actor.\r\nAs the physical conflict between Ukraine and Russia grinds through the end of its third year, RomCom’s activity\r\nhas similarly escalated, and it now conducts opportunistic campaigns against selected business verticals\r\nworldwide. The RomCom group has previously been observed by Arctic Wolf Labs targeting other pro-Ukrainian\r\naffiliated organizations, including those based in the U.S.\r\nTA569 Background\r\nTA569 (also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543) is a financially\r\nmotivated cyber threat group, known primarily for its deployment of website injections that deceive users into\r\ninfecting their own devices by installing fake software updates, a technique known as malvertising. Lures\r\ntypically appear in the form of fake web browser updates for Chrome or Firefox, but have also masqueraded as\r\nupdates for other popular software such as Microsoft Teams or Adobe Flash Player. TA569 is known to be\r\nextremely aggressive in deploying malware or even ransomware to compromised victims, leading to a remarkably\r\nlow dwell time.\r\nAt the heart of TA569’s SocGholish operation is a bespoke Malware-as-a-Service (MaaS) model, where infected\r\nsystems are sold to the highest bidder as initial access points for other cybercriminal organizations. Delivery of\r\nmalware through SocGholish’s infrastructure can be finely tuned, and provides their cybercriminal clientele an\r\nopportunity for targeted malware delivery from large-scale infection campaigns. Documented past clients have\r\nincluded Evil Corp (aka DEV-0243), Dridex, and LockBit.\r\nThe group’s use of this model is significant because it can turn seemingly opportunistic infections into precursors\r\nfor major incidents. 
Organizations encountering SocGholish should treat any detection as a potential early stage of\r\na ransomware attack. Timely identification and response are critical, as containment at this stage can prevent\r\nescalation into costly and disruptive ransomware events.\r\nWhat is SocGholish?\r\nSocGholish is a long-running malware delivery framework that has grown from a nuisance web-based threat into\r\nan enabler of ransomware operations. First discovered in 2017, SocGholish is essentially a downloader delivered\r\nthrough the use of malicious JavaScript injected into compromised websites. After execution, SocGholish\r\nexfiltrates data from infected systems via HTTP POST requests to its C2 infrastructure, enabling a multitude of\r\nmalicious post-exploitation activities.\r\nRecent cases have highlighted its increased use as an initial access channel for high-impact ransomware groups,\r\nincluding actors historically linked to Evil Corp. This evolution elevates the risk for organizations: what once\r\nappeared as a simple fake browser update is now a doorway that can be left wide open to data theft, network-wide\r\ncompromise, and disruptive encryption events.\r\nRecent activity shows that compromised legitimate websites are being leveraged at scale to distribute SocGholish,\r\nluring users into downloading malicious JavaScript payloads disguised as software updates. Once executed, these\r\npayloads establish persistence, enable remote access, and deliver follow-on malware, creating a foothold for\r\nattackers to conduct hands-on-keyboard operations.\r\nThreat intelligence company Silent Push recently published an excellent writeup on their distribution network,\r\nafter tracking SocGholish and its operators, TA569, since 2024.\r\nRomCom’s targeted loader has also been well researched. 
In the case analyzed in this research publication, our\r\nsample was extremely similar to one recently found by ESET. SocGholish’s JavaScript directly delivered\r\nRomCom’s loader as msedge.dll, with a hardcoded domain to ensure its execution only on the intended target.\r\nFigure 1: SocGholish’s basic attack chain.\r\nTechnical Analysis\r\nAttack Vector\r\nSocGholish typically injects malicious JavaScript into legitimate websites to facilitate the delivery of its payloads,\r\nwhich are collectively known as FAKEUPDATE. The threat actors target outdated or poorly secured legitimate\r\nwebsites, using unpatched plugins or remote code execution flaws to inject malicious JavaScript into the site’s\r\nHTML, templates, or external JS resources; visitors to such a site are then served the FAKEUPDATE lure.\r\nWhile SocGholish can also be spread by phishing tactics, including email phishing, the lures themselves deviate\r\nfrom the tried-and-tested norms of phishing campaigns, as they operate without the typical calls to action, sense of\r\nurgency, threats, or promises of reward. Instead, they weaponize the end-user’s security training, no matter how\r\nbasic, by displaying a simple fake update popup. 
When the user manually clicks “Update”, a malware payload is\r\ndownloaded to their device.\r\nThe injected code will take the user to an update page that looks similar to the following:\r\nFigure 2: SocGholish FAKEUPDATE delivery page.\r\nBesides their phishing campaigns, SocGholish operators obtain a second, more bountiful source of traffic by using\r\nthird-party Traffic Direction Systems (TDS) to redirect general web traffic to compromised websites.\r\nWhile TDSes can be used for legitimate advertising purposes such as geotargeting potential customers, malicious\r\nactors often use them to facilitate cyberattacks. Users are only redirected to the site containing the payload after\r\nthe TDS fingerprints the visitor and determines whether they are of interest as a candidate for\r\nexploitation, based on criteria predefined by the threat actor.\r\nThe goal of SocGholish campaigns is to gain initial access to a steady supply of computers that can generate\r\nmoney for its operators, either through direct data theft from those devices, or by reselling access to these\r\ncompromised devices to ransomware distributors.\r\nTheir campaigns can have a significant reach. In one recent example, cybersecurity company Intel 471 identified a\r\nSocGholish campaign from October 2024 that generated more than 1.5 million interactions in a one-week period.\r\nIn the case observed by Arctic Wolf, the user unintentionally initiated the above attack chain by executing\r\nSocGholish’s FAKEUPDATE payload, which allows the operators to run commands on their system. 
This version\r\nof the payload was obfuscated by obf-io, with further string obfuscation via a lookup table (LUT).\r\nFigure 3: obf-io deobfuscated script.\r\nFurther deobfuscation of the script leads to the following code:\r\nFigure 4: Strings decrypted and further deobfuscated. (NOTE: “smashingboss[.]com” is SocGholish’s malicious\r\nFAKEUPDATE C2.)\r\nOnce the payload is executed by the user, a connection is made to SocGholish’s malicious command-and-control\r\n(C2) server, and any response is immediately executed.\r\nHashes (MD5, SHA-256)\r\n9912bb2d82218ba504c28e96816315b3\r\nf7605fc8a1ee5f21aec55da04dbaa95a05db95b5e7851b172a5d30c7fb1da885\r\nFile Name Chome_Latest_Version.js\r\nFile Size 20.78 KB (21,274 bytes)\r\nWeaponization\r\nOnce the reverse shell executes on the target’s system, SocGholish operators perform digital reconnaissance,\r\nprimarily through PowerShell commands. In our observed case, commands were run with mild detection\r\navoidance by inserting empty pairs of \" characters into commands, for example: p\"\"owershell. The command\r\ninterpreter tolerates the empty quote pair, so the command still runs, while a literal string match on the word\r\npowershell in the raw command line fails.\r\nFigure 5: PowerShell commands used for reconnaissance.\r\nA secondary payload including VIPERTUNNEL – a custom Python backdoor – is uploaded to the system and\r\nscheduled.\r\nFigure 6: PowerShell commands to establish persistence.\r\nThree minutes prior to the delivery of RomCom’s shellcode loader, the operator tests the connection to Mythic C2.\r\nMythic C2 is a collaborative, multi-platform red-teaming framework (its server was originally written in Python 3 and is now written in Go). 
It’s used by\r\ncybersecurity professionals to manage and control agents on compromised systems, but as with many other red-team security tools, it is also frequently abused by threat actors.\r\nFigure 7: Mythic C2 test.\r\nLoader\r\nThe loader, as mentioned in ESET’s writeup, is named msedge.dll. This sample checks the Active Directory domain that the system\r\nresides on and, only if it matches the hardcoded value, decrypts and executes the shellcode; otherwise it exits. As in ESET’s case, the\r\nshellcode is a dynamichttp Mythic agent.\r\nFigure 8: “Decrypt if user domain is correct, otherwise exit.”\r\nShellcode execution is almost identical to the examples given in a blog post by security researcher Osanda Malith\r\nJayathissa, only differing on this occasion in the addition of a decryption routine called for the shellcode instead of\r\ndirect storage of the shellcode in an array.\r\nFigure 9: AES decrypt and execute shellcode.\r\nFigure 10: Mythic dynamichttp C2 profile.\r\nThe sample reaches out to the C2 at https[:]//imprimerie-agp[.]com/s/0.7.8/clarity.js. A CLSID would then be\r\nabused, similar to the ESET sample, to have msedge.exe load the DLL. But in the case we observed, Arctic Wolf®\r\nAurora™ Endpoint Defense immediately detected and quarantined the malicious RomCom loader upon delivery,\r\npreventing compromise. 
The targeted system was taken offline and isolated from the network shortly thereafter.\r\nITW File Name msedge.dll\r\nFile Type/ Signature PE32+ executable for MS Windows 6.00 (DLL), x86-64, 7 sections\r\nFile Size 694,464 bytes\r\nNetwork Infrastructure\r\nBoth ESET’s Mythic C2 domain and the suspicious domain observed in this campaign utilized the same “whois”\r\nregistration information. The C2 also responds with a 403 forbidden and nginx/1.24.0 in the headers. By searching\r\nfor domains using withheldforprivacy.com, namecheap.com, registrar-servers.com, a response of 403 forbidden,\r\nand nginx/1.24.0, we were able to narrow potential domain matches to a little over 1,200.\r\nWe were then able to perform test check-ins to the Mythic C2 endpoints to validate malicious servers. This\r\nreduced the results to just seven domains, including those identified by ESET and Arctic Wolf Labs.\r\nBoth domains positively identified as Mythic C2s also had a unique response in that the header stated it is running\r\nnginx/1.24.0, while the response body listed nginx/1.18.0. 
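The header/body version mismatch described above lends itself to an automated triage pass over responses already collected from candidate hosts. The following is an added example, not Arctic Wolf Labs tooling and not code from the original post: it parses raw HTTP responses, scores the three indicators the report names (a 403 status, a Server header of nginx/1.24.0, and a default error page reporting a different nginx version) and flags a host only when all three line up. The sample responses are constructed here, not captured from the listed domains; the registrar and WHOIS filters cannot be reproduced offline and are left out.

```python
# Added example, not code from Arctic Wolf or the original post: the nginx
# header/body version mismatch re-implemented as a scoring function over
# constructed raw HTTP responses so it runs offline.
import re

CRLF = chr(13) + chr(10)


def parse_response(raw):
    '''Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; the first header line wins on duplicates.'''
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = int(lines[0].split(' ')[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers, body


NGINX_VER = re.compile('nginx/([0-9.]+)')


def fingerprint(raw):
    '''Return the report-derived indicators present in one response: a 403
    status, Server: nginx/1.24.0, and a body whose nginx version differs from
    the header (the two confirmed Mythic C2s advertised 1.24.0 in the header
    but 1.18.0 in the default error page).'''
    status, headers, body = parse_response(raw)
    hdr = NGINX_VER.search(headers.get('server', ''))
    bod = NGINX_VER.search(body)
    hits = []
    if status == 403:
        hits.append('403')
    if hdr and hdr.group(1) == '1.24.0':
        hits.append('header nginx/1.24.0')
    if hdr and bod and hdr.group(1) != bod.group(1):
        hits.append('header/body version mismatch ' + hdr.group(1) + ' vs ' + bod.group(1))
    return hits


def is_candidate(raw):
    '''True only when all three indicators line up. This narrows a candidate
    list; it does not prove a server is a Mythic C2. The report confirmed its
    seven domains with Mythic check-ins, which this function does not attempt.'''
    return len(fingerprint(raw)) == 3


def build(status_line, server, body):
    '''Assemble a raw response (constructed sample data only).'''
    return (status_line + CRLF + 'Server: ' + server + CRLF +
            'Content-Type: text/html' + CRLF + CRLF + body)


# Default nginx error page template; the version placeholder is filled per sample.
ERR_PAGE = ('<html><head><title>403 Forbidden</title></head><body>'
            '<center><h1>403 Forbidden</h1></center><hr>'
            '<center>nginx/{v}</center></body></html>')

# Constructed samples, not captures from any domain in the report.
SAMPLES = {
    'mythic-like': build('HTTP/1.1 403 Forbidden', 'nginx/1.24.0', ERR_PAGE.format(v='1.18.0')),
    'plain-nginx-403': build('HTTP/1.1 403 Forbidden', 'nginx/1.24.0', ERR_PAGE.format(v='1.24.0')),
    'ok-page': build('HTTP/1.1 200 OK', 'nginx/1.18.0', '<html><body>hello</body></html>'),
}

if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        print(name, fingerprint(raw), is_candidate(raw))
```

A stock nginx serving its own 403 page reports one version in both places, which is why the mismatch, and not the 403 or the version string alone, is the discriminating signal; the check is deliberately conjunctive so that ordinary nginx hosts in the registrar-filtered list do not fire.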
Iterating over the original list, we identified the same\r\nseven Mythic C2 domains as we found using the previous method.\r\nThe domains are spread across several autonomous system numbers (ASNs), with two sharing Baxet Group’s AS398343, and six of the seven\r\nwere registered on the same day in July 2025:\r\nMalicious Domain Name | IP | ASN | Registered\r\norlandoscreenenclosure[.]net | 135.125.255[.]39 | Gutnik Oleksandr/16276 | 2025-07-09\r\nbasilic[.]info | 88.119.174[.]128 | 61272 | 2025-07-09\r\nozivoice[.]com | 193.233.205[.]14 | Baxet Group Inc./398343 | 2025-07-09\r\nsolarrayes[.]com | 162.248.227[.]182 | Hosting Solution Ltd./14576 | 2025-07-09\r\nimprimerie-agp[.]com | 104.238.61[.]141 | CrownCloud US LLC/199959 | 2025-07-09\r\nsrlaptop[.]com | 194.36.209[.]127 | LLC Flex/56971 | 2025-07-09\r\ncarnesmemdesa[.]com | 38.114.101[.]139 | Baxet Group Inc./398343 | 2025-08-27\r\nFive of these domains are new; the other two are the RomCom-attributed Mythic C2s identified by Arctic Wolf\r\nLabs and ESET. Because multiple independent methods (WHOIS and HTTP response fingerprinting, Mythic check-ins, and the\r\nnginx header/body version mismatch) each linked the five new domains to the two high-confidence C2s, Arctic Wolf Labs asserts\r\nwith medium to high confidence that these domains are also associated with RomCom activity.\r\nTargets\r\nThe target in this incident was a Civil Engineering firm in the U.S. Over the course of our investigation, we\r\nlearned that the firm had done work in the past for a city with close ties to Ukraine. This underscores the RomCom\r\nthreat group’s agenda of targeting anyone even tenuously connected to organizations or individuals providing\r\nassistance to Ukraine. 
The attack was ultimately unsuccessful, because RomCom’s loader was caught by Arctic\r\nWolf’s Aurora Endpoint Defense, preventing the targeted entity from being compromised by this threat group.\r\nAttribution\r\nThe initial identification of msedge.dll as RomCom’s loader came from Ditekshen’s\r\nMALWARE_Win_RomCom_Loader YARA rule. Additional overlap with ESET’s sample further corroborates our\r\nattribution of this attempted intrusion to the RomCom threat actor.\r\nConclusions\r\nThis is the first time a RomCom payload has been observed being distributed by SocGholish. SocGholish has\r\npreviously been seen delivering Raspberry Robin, malware assessed by the FBI, CISA, and NSA to be strongly\r\nassociated with Russia’s GRU 161st Specialist Training Center, otherwise known as Unit 29155.\r\nThe timeline from infection via FAKEUPDATE to the delivery of RomCom’s loader was less than 30 minutes.\r\nThe loader was not delivered until the operator had confirmed the target, and it only runs its payload if the host’s\r\nActive Directory domain matches a value hardcoded by the threat actor.\r\nBased on the above observations, Arctic Wolf Labs assesses with a medium-to-high confidence level that GRU Unit\r\n29155 is utilizing SocGholish to target victims.\r\nArctic Wolf Assessment\r\nThis SocGholish activity demonstrates the ongoing exploitation of compromised legitimate websites as a malware\r\ndelivery framework, turning routine web browsing into a potential vector for ransomware access. Even a single\r\ninteraction with a malicious fake update prompt can provide threat actors with an entry point that may escalate\r\ninto full network compromise, data theft, and ransomware deployment, posing a significant risk to organizations\r\nglobally.\r\nTA569, the operator of SocGholish, has gradually expanded the malware’s role from opportunistic infections to a\r\ncore enabler of ransomware. 
Recent campaigns show increased scale and sophistication, with widespread\r\ncompromises of legitimate websites, stronger obfuscation in JavaScript loaders, and direct partnerships with\r\nransomware affiliates.\r\nThe widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial\r\naccess to infection make it a potent threat to organizations worldwide. TA569’s use of novel social engineering\r\ntricks that hinge on the perceived urgency and necessity of software updates means that even a user with a good\r\nlevel of security training visiting what they believe to be a legitimate resource may become compromised.\r\nBecause TA569 leverages compromised legitimate websites to indiscriminately distribute SocGholish, all sectors\r\nand geographies are at risk. This broad victimology means the threat is not restricted to a particular industry or\r\nregion. Given the strong link between SocGholish infections and subsequent ransomware incidents, organizations\r\nworldwide should treat any detection as a precursor to a high-impact intrusion, and prioritize containment and\r\nrapid investigation.\r\nRemediations\r\nOrganizations can defend their systems and networks against SocGholish by hardening web and endpoint\r\ndefenses, including monitoring for suspicious JavaScript execution. Security teams should educate users on the\r\ndangers of fake update prompts, enforce application allowlisting, and ensure browsers and plugins are regularly\r\npatched via official channels.\r\nStrong endpoint detection and response (EDR) and security operations center (SOC) visibility, plus correlation\r\nwith threat intelligence, can help detect and block SocGholish’s loader activity before it can deliver secondary\r\npayloads. 
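As an added example (not Arctic Wolf Labs tooling, and not code from the original post), the script below turns two observations from this report into detection logic that runs over constructed sample telemetry: the quote-insertion evasion noted in the Weaponization section (an empty pair of double quotes spliced into the word powershell), which it defeats by normalizing the command line before matching, and the VIPERTUNNEL persistence pattern of a scheduled task running Python from a user-writable directory. Stripping cmd.exe carets and empty single-quote pairs as well is an assumption of the example, not something the report shows; the recon keyword list, path prefixes, function names and sample events are likewise the example's own.

```python
# Added example, not code from Arctic Wolf or the original post: two hunts
# derived from the report, run over constructed sample events so it works offline.
import re

DQ = chr(34)   # double quote, spelled out so the source stays free of literal quotes
SQ = chr(39)   # single quote
BS = chr(92)   # backslash, the Windows path separator


def win(path):
    '''Build a Windows path from a forward-slash spelling (sample data only).'''
    return path.replace('/', BS)


def normalize_cmdline(cmd):
    '''Undo cheap command-line obfuscation before pattern matching.
    The report shows operators splicing an empty pair of double quotes into a
    token (p, two quotes, owershell). Empty single-quote pairs and cmd.exe
    carets (p^owershell) are the same trick; handling them is an assumption of
    this example, not something the report shows.'''
    cmd = cmd.replace(DQ + DQ, '').replace(SQ + SQ, '').replace('^', '')
    cmd = cmd.replace(chr(9), ' ')
    return re.sub(' +', ' ', cmd).strip().lower()


# Constructed list of reconnaissance commands; extend it from local telemetry.
RECON_PATTERNS = (
    'whoami', 'net user', 'net group', 'nltest', 'systeminfo',
    'get-addomain', 'get-adcomputer', 'tasklist', 'ipconfig',
)


def flag_powershell(cmd):
    '''Return the reasons a process command line is suspicious, or [] if clean.
    Matching runs on the normalized line, so the evasion itself becomes a signal.'''
    norm = normalize_cmdline(cmd)
    reasons = []
    if 'powershell' not in norm:
        return reasons
    if 'powershell' not in cmd.lower():
        reasons.append('powershell token split by quotes or carets')
    # -e and any prefix of -encodedcommand (-ec, -enc, ...) select an encoded payload
    if re.search(' -e(c|n[a-z]*)? ', norm):
        reasons.append('encoded command')
    for p in RECON_PATTERNS:
        if p in norm:
            reasons.append('recon: ' + p)
    return reasons


# Directory prefixes any interactive user can write to (constructed list).
USER_WRITABLE = ('/users/', '/programdata/', '/temp/', '/tmp/')


def flag_scheduled_task(action, arguments=''):
    '''Flag a scheduled task whose action runs a Python interpreter that lives in,
    or loads a script from, a user-writable directory (the VIPERTUNNEL persistence
    pattern). Paths are normalized to forward slashes before matching.'''
    act = action.replace(BS, '/').lower()
    args = arguments.replace(BS, '/').lower()
    reasons = []
    if not (act.endswith('python.exe') or act.endswith('pythonw.exe')):
        return reasons
    if any(d in act for d in USER_WRITABLE):
        reasons.append('python interpreter in user-writable path')
    if '.py' in args and any(d in args for d in USER_WRITABLE):
        reasons.append('script argument in user-writable path')
    return reasons


# Constructed sample events (not from the incident); fields mimic a process
# creation record and a scheduled-task creation record.
SAMPLE_EVENTS = [
    {'type': 'process', 'cmd': 'cmd.exe /c p' + DQ + DQ + 'owershell -nop -c '
                               + DQ + 'whoami; nltest /dclist:' + DQ},
    {'type': 'process', 'cmd': 'powershell.exe -NoProfile -Command Get-Service'},
    {'type': 'task', 'action': win('C:/Users/jdoe/AppData/Roaming/python/pythonw.exe'),
     'args': win('C:/Users/jdoe/AppData/Roaming/python/app.py')},
    {'type': 'task', 'action': win('C:/Program Files/Python312/python.exe'),
     'args': win('C:/Program Files/Vendor/job.py')},
]


def triage(events):
    '''Return {event_index: reasons} for every event that fires.'''
    hits = {}
    for i, e in enumerate(events):
        if e['type'] == 'process':
            r = flag_powershell(e['cmd'])
        else:
            r = flag_scheduled_task(e['action'], e.get('args', ''))
        if r:
            hits[i] = r
    return hits


if __name__ == '__main__':
    for i, r in triage(SAMPLE_EVENTS).items():
        print(i, r)
```

Normalizing before matching is the point: a rule that looks for the literal string powershell in the raw command line is exactly what the observed evasion is built to miss, whereas comparing the raw and normalized forms turns the trick into its own indicator.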
Implementing layered security controls such as the following additionally addresses the multi-stage nature\r\nof SocGholish attacks:\r\nNetwork Security Controls:\r\nImplement DNS filtering to block known bulletproof hosting ASNs.\r\nMonitor for unusual PowerShell network connections.\r\nEndpoint Security Controls:\r\nEnable PowerShell logging (Script Block Logging, Module Logging, Transcription).\r\nMonitor for PowerShell with encoded commands and/or detection avoidance such as quote insertion.\r\nImplement application allowlisting to prevent execution from user-writable directories.\r\nDeploy memory scanning capabilities to detect in-memory payloads.\r\nEnable LSA protection to reduce credential theft impact.\r\nDetection and Monitoring:\r\nHunt for scheduled tasks created in user directories with Python.\r\nHunt for PowerShell unpacking in suspicious folders, like c:\\programdata\\.\r\nSecurity Awareness Training:\r\nOrganizations should issue clear, consistent direction on software update best practices.\r\nConsider implementing regular user awareness training to make users aware of the typical phishing red\r\nflags.\r\nFor those without the time to create security training resources from scratch, the Arctic Wolf Managed\r\nSecurity Awareness® training solution delivers easily digestible security lessons for employees, including\r\nregular phishing simulations and a “Report Phish” button.\r\nHow Arctic Wolf Protects Its Customers\r\nEnding cyber risk is at the core of Arctic Wolf’s mission, and the Arctic Wolf® Aurora™ Platform is engineered to\r\nstay ahead of emerging threat campaigns. 
In response to RomCom/TA569 activity, the platform has already\r\nincorporated new threat intelligence and detection capabilities to help protect customers.\r\nAs new insights and TTPs surface, the Aurora™ Platform will continuously update its coverage, ensuring it adapts\r\nto evolving IOCs and techniques used by this threat actor.\r\nAPPENDIX\r\nIndicators of Compromise (IOCs)\r\nSocGholish FAKEUPDATE payload\r\nHashes (MD5, SHA-256)\r\n9912bb2d82218ba504c28e96816315b3\r\nf7605fc8a1ee5f21aec55da04dbaa95a05db95b5e7851b172a5d30c7fb1da885\r\nFile Name Chome_Latest_Version.js\r\nFile Size 21,274 bytes\r\nRomCom Mythic C2\r\nMalicious Domain Name | IP | ASN | Registered\r\norlandoscreenenclosure[.]net | 135.125.255[.]39 | Gutnik Oleksandr/16276 | 2025-07-09\r\nbasilic[.]info | 88.119.174[.]128 | 61272 | 2025-07-09\r\nozivoice[.]com | 193.233.205[.]14 | Baxet Group Inc./398343 | 2025-07-09\r\nsolarrayes[.]com | 162.248.227[.]182 | Hosting Solution Ltd./14576 | 2025-07-09\r\nimprimerie-agp[.]com | 104.238.61[.]141 | CrownCloud US LLC/199959 | 2025-07-09\r\nsrlaptop[.]com | 194.36.209[.]127 | LLC Flex/56971 | 2025-07-09\r\ncarnesmemdesa[.]com | 38.114.101[.]139 | Baxet Group Inc./398343 | 2025-08-27\r\nSocGholish Network Infrastructure\r\nNetwork Artifact | Details | Intrusion Phase | Source\r\nrealty.yourpgcountyliving[.]com | Payload Server | Initial Access | Arctic Wolf / In-the-wild\r\nvirtual.urban-orthodontics[.]com | Payload Server | Initial Access | Arctic Wolf / In-the-wild\r\nafrica.thesmalladventureguide[.]com | Payload Server | Initial Access | Arctic Wolf / In-the-wild\r\nemail.smashingboss[.]com | Payload Server | Initial Access | Arctic Wolf / In-the-wild\r\n157.254.167[.]144 | C2 | Command and Control | Arctic Wolf / In-the-wild\r\n2.59.161[.]132 | C2 | Command and Control | Arctic Wolf / In-the-wild\r\nDetailed MITRE ATT\u0026CK® Mapping\r\nTactic | Technique (ID) | Procedure\r\nInitial Access | Drive-by Compromise (T1189) | TA569 compromises legitimate websites and injects malicious JavaScript to lure victims into downloading fake software updates.\r\nExecution | Command and Scripting Interpreter: JavaScript (T1059.007) | Malicious JavaScript executes on the victim machine, downloads the loader, and initiates follow-on payloads.\r\nPersistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | SocGholish loaders create registry entries or startup scripts to maintain persistence after reboot.\r\nPersistence | Scheduled Task/Job: Scheduled Task (T1053.005) | VIPERTUNNEL is registered as a scheduled task.\r\nPersistence | Hijack Execution Flow: DLL (T1574.001) | msedge.dll is loaded when msedge.exe executes.\r\nDefense Evasion | Modify Registry (T1112) | A CLSID registry entry is abused to force execution of msedge.dll when the desired application runs.\r\nCommand \u0026 Control | Application Layer Protocol: Web Protocols (T1071.001) | The malware communicates with its C2 servers over HTTP/S for tasking, payload download, and reporting.\r\nAbout the Authors\r\nJacob Faires\r\nJacob Faires is a Principal Threat Researcher at Arctic Wolf. Jacob collaborates with data scientists, engineers, and\r\nintelligence analysts to actively monitor threats and develop cutting-edge research focused internally and\r\nexternally on the evolving threat landscape. 
Jacob has nearly two decades of experience in the information and\r\ntechnology security sector.\r\nPrior to joining Arctic Wolf, Jacob was a Senior Threat Researcher with NTT’s Global Threat Intelligence Center\r\n(GTIC), where he tracked threat actors and advanced persistent threats (APTs) and analyzed incident response data, extended\r\ndetection and response (XDR) data, and network flow data to identify threat actors and provide\r\ndetection to NTT clients.\r\nArctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who\r\nexplore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and\r\nrefine advanced threat detection models with artificial intelligence and machine learning, and drive continuous\r\nimprovement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nSource: https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/"
	],
	"report_names": [
		"romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine"
	],
	"threat_actors": [
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434867,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/756478188a674ba930328c7c03f8ddf420bdc321.pdf",
		"text": "https://archive.orkl.eu/756478188a674ba930328c7c03f8ddf420bdc321.txt",
		"img": "https://archive.orkl.eu/756478188a674ba930328c7c03f8ddf420bdc321.jpg"
	}
}