Cybersecurity researchers have discovered that the Russia-linked threat actor RomCom attempted to compromise a U.S.-based civil engineering company using a JavaScript loader known as SocGholish, delivering the sophisticated Mythic Agent malware.
According to Arctic Wolf Labs researcher Jacob Faires, this marks the first observed instance of a RomCom payload being distributed via SocGholish. The campaign has been attributed with medium-to-high confidence to Unit 29155 of Russia’s Main Directorate of the General Staff, also referred to as the GRU. The targeted company had reportedly worked on projects for a city with ties to Ukraine.
SocGholish, also called FakeUpdates, is a notorious access broker managed by financially motivated operators tracked under various aliases including TA569, Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543. It allows threat actors to deploy diverse malware families, with known customers including Evil Corp, LockBit, Dridex, and Raspberry Robin.
The attack typically starts with fraudulent browser update notifications for Google Chrome or Mozilla Firefox served through legitimate but compromised websites. Unsuspecting users are tricked into downloading malicious JavaScript, which installs a loader that subsequently fetches additional malware payloads. Poorly secured sites and vulnerable plugins are often exploited to inject these scripts.
RomCom, also known as Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu, has been active in cybercrime and espionage since at least 2022. The group employs techniques such as spear-phishing and zero-day exploits to infiltrate networks, ultimately deploying its signature remote access trojan (RAT) on target systems. Previous attacks have focused on Ukrainian entities and NATO-related defense organizations.
In the attack analyzed by Arctic Wolf, the fake update payload enabled attackers to establish a reverse shell to a command-and-control (C2) server. This provided remote access for reconnaissance, deployment of a Python backdoor codenamed VIPERTUNNEL, and other malicious actions. Additionally, a RomCom-linked DLL loader delivered the Mythic Agent, a key component of a cross-platform post-exploitation red-teaming framework that supports command execution, file operations, and communication with a remote server.
Although the attack was blocked before causing harm, it demonstrates RomCom’s ongoing focus on organizations connected to Ukraine, even through indirect ties. Faires noted that the infection timeline, from the fake update to loader deployment, was under 30 minutes, and that the payload was delivered only after the target’s Active Directory domain had been checked against values supplied by the threat actor.
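The chain described above (fake browser update, downloaded JavaScript, loader, follow-on payload within half an hour) is something endpoint telemetry can surface. The following detection sketch is an added example written for this page; it is not Arctic Wolf's logic and not code from the campaign. It assumes Windows process-creation events in which the downloaded `.js` is executed by a Windows script host (wscript.exe or cscript.exe); the pipe-delimited log layout and the sample events are constructed for the example. Because the page reports that the payload was delivered only after an Active Directory domain check, a lure execution may never be followed by a second stage on hosts outside the targeted domain, so the rule flags the lure execution alone at medium severity and raises it to high when a follow-on process appears on the same host within the 30-minute window the article describes.

```python
"""Flag process-creation events consistent with a fake-browser-update chain:
a script host runs an update-named .js out of a user's Downloads folder and,
optionally, a follow-on process appears on the same host shortly afterwards.

Added illustration for this page (assumption: wscript/cscript executes the
downloaded .js). Log format and sample events below are constructed.
"""
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FOLLOW_ON = {"python.exe", "pythonw.exe", "rundll32.exe", "regsvr32.exe",
             "powershell.exe", "cmd.exe"}
# File name that mimics a browser update and ends in .js
UPDATE_LURE = re.compile(r"(update|chrome|firefox)[^\\/]*\.js\b", re.I)
# Path under a user's Downloads folder
DOWNLOADS = re.compile(r"\\Users\\[^\\]+\\Downloads\\", re.I)
WINDOW = timedelta(minutes=30)  # stage-two window reported in the article

# Constructed process-creation events: ts|host|user|image|parent_image|command_line
SAMPLE_EVENTS = [
    r'2025-01-15T10:02:11|WS-ENG-07|acme\jdoe|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\explorer.exe|chrome.exe --profile-directory=Default',
    r'2025-01-15T10:04:30|WS-ENG-07|acme\jdoe|C:\Windows\System32\wscript.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|wscript.exe "C:\Users\jdoe\Downloads\Chrome.Update.js"',
    r'2025-01-15T10:21:05|WS-ENG-07|acme\jdoe|C:\Users\jdoe\AppData\Local\Programs\Python\python.exe|C:\Windows\System32\wscript.exe|python.exe -c "placeholder"',
    # Benign admin script: script host, but not from Downloads and not update-named
    r'2025-01-15T11:10:00|WS-DEV-02|acme\asmith|C:\Windows\System32\cscript.exe|C:\Windows\System32\cmd.exe|cscript.exe C:\Scripts\inventory.js',
    # Lure executed, but no follow-on process within the window
    r'2025-01-15T13:00:00|WS-DEV-02|acme\asmith|C:\Windows\System32\wscript.exe|C:\Program Files\Mozilla Firefox\firefox.exe|wscript.exe C:\Users\asmith\Downloads\firefox-update.js',
]


def parse_event(line):
    """Split one constructed log line into a dict with normalized image names."""
    ts, host, user, image, parent, cmdline = line.rstrip("\n").split("|", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "parent": parent.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def is_lure_execution(ev):
    """Script host running an update-named .js from a Downloads folder."""
    return (ev["image"] in SCRIPT_HOSTS
            and DOWNLOADS.search(ev["cmdline"]) is not None
            and UPDATE_LURE.search(ev["cmdline"]) is not None)


def find_chains(lines):
    """Return one finding per lure execution, ordered by time.

    severity is 'high' when a follow-on process runs on the same host within
    WINDOW, otherwise 'medium' (the lure alone is still worth triage, since the
    second stage may be withheld on hosts outside the attacker's target list).
    """
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if not is_lure_execution(ev):
            continue
        follow_on = [e["image"] for e in events[i + 1:]
                     if e["host"] == ev["host"]
                     and e["ts"] - ev["ts"] <= WINDOW
                     and e["image"] in FOLLOW_ON]
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "ts": ev["ts"].isoformat(),
            "parent": ev["parent"],
            "cmdline": ev["cmdline"],
            "follow_on": follow_on,
            "severity": "high" if follow_on else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['user']} "
              f"parent={f['parent']} follow_on={f['follow_on'] or '-'}")
```

The same-host-within-30-minutes criterion is deliberately coarse; a production rule would walk the process tree from the script host instead, and would also key on the browser-parented download so that an administrator's own `.js` tooling (the inventory script in the sample) stays quiet.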
“The speed and scale of SocGholish attacks make it a serious global threat,” Faires concluded, emphasizing the efficiency with which initial access can lead to malware deployment.