Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Source: Arctic Wolf

Excerpt:
In September 2025, Arctic Wolf® Labs identified a U.S.-based company that was targeted by RomCom threat actors via SocGholish, operated by TA569. While the typical initial SocGholish infection chain was followed, roughly 10 minutes post-exploitation, RomCom’s targeted Mythic Agent loader was delivered to the system. This is the first time that a RomCom payload has been observed being distributed by SocGholish.

Based on evidence uncovered during the course of this investigation, Arctic Wolf Labs assesses with a medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims. GRU is Russia’s largest foreign intelligence agency, and Unit 29155 is typically tasked with offensive computer network operations targeting global entities. Since early 2022, the primary focus of Unit 29155 has been disrupting international efforts to provide aid to Ukraine.

The victim targeted in the threat activity described here appears to be affiliated with Ukraine, underscoring RomCom’s tendency to target entities with ties to Ukraine, regardless of their geographic location.

Key Points:

  • Actor: TA569 is considered the primary threat actor deploying and maintaining SocGholish, typically used by financially motivated cybercriminals. The operator serves as an Initial Access Broker (IAB), selling access to compromised systems to ransomware affiliates.
  • Activity: The attackers compromise legitimate websites and use fake update lures to deliver malware.
  • Technique: Malicious JavaScript executes on the victim host, installing loaders that fetch additional payloads and maintain long-term access.
  • Impact: Infections are frequently linked to ransomware deployment, making a SocGholish compromise a threat with a potentially high business impact.

To read the complete article, see: https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/

This post is licensed under CC BY 4.0 by the author.