Threat actors behind the RomCom malware family used the SocGholish JavaScript loader to deliver the Mythic Agent post-exploitation tool, cybersecurity firm Arctic Wolf Labs said in its latest report, noting that this is the first observed instance of a RomCom payload being distributed through SocGholish.
Arctic Wolf attributes the activity with medium-to-high confidence to Unit 29155 of Russia’s GRU. The attack targeted a US-based civil engineering firm supporting Ukraine.
SocGholish (aka FakeUpdates) is a long-running malware delivery framework linked to a financially motivated threat actor tracked as “TA569.” First discovered in 2017, SocGholish is a downloader delivered through a malicious JavaScript injected into compromised websites.
RomCom (also tracked as Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu) has conducted both espionage and financially motivated campaigns since 2022, frequently focusing on targets in Ukraine and NATO-aligned sectors. The group is known to employ spear-phishing, zero-day exploits, and custom malware tooling.
In the case observed by Arctic Wolf, the infection chain began with the execution of SocGholish’s FAKEUPDATE payload, which allows operators to run commands on a compromised system. The attackers then deployed a Python backdoor dubbed VIPERTUNNEL and attempted to deliver a RomCom-linked DLL loader that would execute the Mythic Agent, a cross-platform red-teaming component capable of running commands and performing file operations.
“This SocGholish activity demonstrates the ongoing exploitation of compromised legitimate websites as a malware delivery framework, turning routine web browsing into a potential vector for ransomware access,” the report notes. “Even a single interaction with a malicious fake update prompt can provide threat actors with an entry point that may escalate into full network compromise, data theft, and ransomware deployment, posing a significant risk to organizations globally.”
