For the first time, a RomCom payload has been observed being distributed via SocGholish. – Against Invaders

For the first time, a RomCom payload has been observed being distributed via SocGholish. - Against Invaders

For the first time, a RomCom payload has been observed being distributed via SocGholish.

RomCom malware used the SocGholish fake update loader to deliver Mythic Agent to a U.S. civil engineering firm.

In September 2025, Arctic Wolf Labs observed RomCom threat actors delivering the Mythic Agent via SocGholish to a U.S. company. The researchers noticed that the payload executed about 10 minutes after initial exploitation, marking the first time RomCom used SocGholish. Arctic Wolf attributes the attack with medium-to-high confidence to Russia’s GRU Unit 29155, which targets entities supporting Ukraine, highlighting RomCom’s focus on victims linked to Ukraine globally.

RomCom, active since mid-2022 and aligned with Russian interests, consistently targets organizations linked to Ukraine, even loosely. The group, also known as Storm-0978 or UNC2596, is believed to be a nation-state actor due to its advanced capabilities. As the Russia-Ukraine war persists, RomCom has expanded its operations, launching opportunistic attacks worldwide, including against U.S.-based pro-Ukrainian entities.

SocGholish, a malware delivery framework active since 2017, has evolved from a nuisance threat into a key initial access vector for major ransomware groups, including those linked to EvilCorp. It spreads through malicious JavaScript injected into compromised websites and uses fake browser-update prompts to trick users into downloading payloads. Once executed, it exfiltrates data, establishes persistence, enables remote access, and installs follow-on malware.

Recent campaigns show large-scale use of compromised legitimate sites and an expanding distribution network operated by TA569. In the case analyzed, SocGholish directly deployed RomCom’s targeted loader, disguised as msedge.dll, with a hardcoded domain to ensure execution only on the intended victim.

SocGholish spreads by injecting malicious JavaScript into vulnerable legitimate websites, often exploiting outdated plugins or remote-code-execution flaws to display FAKEUPDATE popups that trick users into manually downloading malware disguised as browser updates.

“While SocGholish can also be spread byphishingtactics, including email phishing, the lures themselves deviate from the tried-and-tested norms of phishing campaigns, as they operate without the typical calls to action, sense of urgency, threats, or promises of reward.” reads the report published by Arctic Wolf. “Instead, they weaponize the end-user’s security training, no matter how basic, by displaying a simple fake update popup. When the user manually clicks “Update”, a malware payload is downloaded to their device.”

It also leverages traffic-direction systems to funnel targeted visitors to compromised sites. Once executed, the payload connects to a SocGholish C2 server, enabling reconnaissance, remote commands, and delivery of follow-on malware such as the VIPERTUNNEL backdoor. In the Arctic Wolf case, the infection chain progressed through obfuscated JavaScript, PowerShell-based reconnaissance, and Mythic C2 testing before RomCom’s loader was deployed.

RomCom used a loader called msedge.dll to deploy a Mythic agent only when the victim’s domain matched a hardcoded value. The loader decrypted and executed shellcode that contacted a Mythic C2, but Arctic Wolf’s defenses quarantined it before execution. Investigators linked seven C2 domains, mostly registered on the same day, to RomCom. The U.S. civil-engineering target had prior ties to a Ukraine-linked city, aligning with RomCom’s pro-Russia targeting.

“This is the first time a RomCom payload has been observed being distributed by SocGholish. SocGholish has previously been seen delivering Raspberry Robin, malwareassessedby the FBI, CISA, and NSA to be strongly associated with Russia’s GRU 161st Specialist Training Center, otherwise known asUnit 29155.” concludes the report. “The timeline from infection via FAKEUPDATE to the delivery of RomCom’s loader was less than 30 minutes. Delivery is not made until the target’s Active Directory domain had been verified to match a known value provided by the threat actor.”

Follow me on Twitter:@securityaffairsandFacebookandMastodon

PierluigiPaganini

(SecurityAffairs–hacking,RomCom)

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.