3 November 2022

Hackers take advantage of KeePass and SolarWinds software to distribute RomCom RAT

A threat actor tracked as RomCom is distributing trojanized versions of popular software, including SolarWinds Network Performance Monitor (NPM), the open-source password manager KeePass, and PDF Reader Pro, in attacks targeting Ukraine and English-speaking countries such as the UK, according to BlackBerry's threat research and intelligence team.

The latest report comes a week after the company published a technical analysis of a spear-phishing campaign aimed at Ukrainian government organizations that delivered the RomCom RAT. The Computer Emergency Response Team of Ukraine (CERT-UA) also reported on that campaign and attributed it to a threat actor tracked as UNC2596 (Tropical Scorpius), a group believed to operate the Cuba ransomware.

According to BlackBerry, in the latest campaign the threat actor uses trojanized versions of well-known software, namely SolarWinds NPM, KeePass, Advanced IP Scanner and pdfFiller, distributed via fake websites that spoof the legitimate vendor sites; the trojanized installers serve as droppers for the RomCom RAT.

“In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, Trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims, or in some instances, using additional infection vectors,” the threat research team said. “The RomCom threat actor is actively deploying new campaigns targeting victims in Ukraine and English-speaking targets worldwide. Based on the TOS, it is possible that victims in the United Kingdom are a new target, while Ukraine continues to be the main focus.”
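The scheme quoted above begins with a lookalike domain that imitates the vendor's real one. As an added example that is not part of the BlackBerry report or this article, the Python below flags candidate hostnames that resemble a list of protected vendor domains by four common tricks: a swapped TLD, a homoglyph substitution (so1arwinds), the brand name buried in a longer label (keepass-download), and a short-edit-distance typo. The protected-domain list, the homoglyph table, and every candidate hostname are constructed for illustration; none of them are the domains actually used in the campaign, and the registrable-domain split assumes a single-label TLD.

```python
import re
from typing import Optional, Tuple

# Constructed list of vendor domains to protect (illustrative, not from the report).
LEGIT_DOMAINS = ["solarwinds.com", "keepass.info", "pdfreaderpro.com"]

# Visually confusable substitutions commonly seen in lookalike registrations.
# Multi-character keys are applied first so "rn" -> "m" happens before "1" -> "l".
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}


def normalize_label(label: str) -> str:
    """Fold confusable characters to their Latin base ("so1arwinds" -> "solarwinds")."""
    label = label.lower()
    for src in sorted(HOMOGLYPHS, key=len, reverse=True):
        label = label.replace(src, HOMOGLYPHS[src])
    return label


def split_registrable(host: str) -> Tuple[str, str]:
    """Return (second-level label, tld).

    Simplifying assumption for this example: the TLD is a single label, so
    "download.solarwinds.com" -> ("solarwinds", "com"). A real deployment would
    use the Public Suffix List to handle e.g. ".co.uk".
    """
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legit_domains=LEGIT_DOMAINS,
             max_distance: int = 2) -> Optional[Tuple[str, str]]:
    """Return (spoofed_domain, technique) if `candidate` resembles a protected
    domain, or None if it is the genuine domain or unrelated.

    Techniques are checked in order: tld-swap, homoglyph, brand-embedded, typosquat.
    """
    cand_sld, cand_tld = split_registrable(candidate)
    # The genuine registrable domain (or a subdomain of it) is never flagged.
    if (cand_sld, cand_tld) in {split_registrable(d) for d in legit_domains}:
        return None

    cand_norm = normalize_label(cand_sld)
    best = None  # closest typosquat seen so far: (legit, technique, distance)
    for legit in legit_domains:
        legit_sld, legit_tld = split_registrable(legit)
        legit_norm = normalize_label(legit_sld)
        if cand_norm == legit_norm:
            return (legit, "tld-swap" if cand_tld != legit_tld else "homoglyph")
        # Brand name buried in a longer label: keepass-download, solarwindsupdate
        if legit_norm in cand_norm and len(cand_norm) > len(legit_norm):
            return (legit, "brand-embedded")
        d = levenshtein(cand_norm, legit_norm)
        if d <= max_distance and (best is None or d < best[2]):
            best = (legit, "typosquat", d)
    return (best[0], best[1]) if best else None


if __name__ == "__main__":
    # Constructed candidates, e.g. from a newly-registered-domain feed.
    for host in ["download.solarwinds.com", "so1arwinds.com", "keepass.com",
                 "keepass-download.info", "keepas.info", "example.org"]:
        print(f"{host:28} -> {classify(host)}")
```

In practice the candidate list would come from certificate-transparency logs, newly registered domain feeds, or proxy logs, and a hit is a reason to inspect the site rather than proof of malice; the decisive control on the endpoint side is still verifying the installer's code signature and hash against the vendor's published values before it runs.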

The researchers believe that the RomCom RAT, Cuba ransomware, and Industrial Spy, a relatively new ransomware operation first seen in April 2022, are connected.

“However, given the targets' geography and characteristics, combined with the current geopolitical situation, it's unclear if the real motivation of the RomCom threat actor is purely cybercriminal in nature,” BlackBerry concluded.

