Arctic Wolf Labs identified RomCom threat actors delivering Mythic Agent via SocGholish to a U.S. company, highlighting sophisticated nation-state targeting linked to Russia’s GRU. This marks the first known instance of RomCom using SocGholish for their operations, emphasizing evolving malware delivery tactics. #RomCom #MythicAgent #SocGholish #GRUUnit29155
Key points
- RomCom has been active since mid-2022, primarily targeting entities linked to Ukraine.
- SocGholish is a malware delivery framework that stages payloads through compromised websites injected with malicious JavaScript.
- The threat actor used SocGholish to deploy a Mythic Agent loader disguised as msedge.dll.
- The attack involved obfuscated scripts, PowerShell reconnaissance, and Mythic C2 testing prior to loader deployment.
- Investigations confirmed connections to Russia’s GRU Unit 29155 and targeted domains associated with RomCom’s campaigns.
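The loader in this campaign was disguised as msedge.dll, so one defensive check is to flag any image-load event where a DLL carrying that name is loaded from outside the Microsoft Edge install tree. The script below is an added illustration, not Arctic Wolf Labs' code or any artifact from the report; it assumes Sysmon-style `key="value"` image-load records with `Image` and `ImageLoaded` fields, assumes the legitimate DLL lives under the Edge `Application` directory, and runs over a few constructed sample lines rather than real incident data.

```python
"""Flag image-load events where a DLL named msedge.dll is loaded from
somewhere other than the Microsoft Edge install tree.

Added example, not code from the Arctic Wolf Labs report. The log
format, the Edge install roots and the sample lines are all assumptions.
"""
import re
from pathlib import PureWindowsPath

# Assumption: a legitimate msedge.dll is found under one of these roots.
EDGE_ROOTS = (
    r"C:\Program Files\Microsoft\Edge\Application",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)

# Matches key=value or key="value with spaces" pairs in a log line.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not from the incident). Only the second
# line should be flagged: msedge.dll loaded by rundll32 from a user-
# writable directory.
SAMPLE_EVENTS = [
    'EventID=7 Image="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    'ImageLoaded="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\120.0.0.0\\msedge.dll"',
    'EventID=7 Image="C:\\Windows\\System32\\rundll32.exe" '
    'ImageLoaded="C:\\Users\\Public\\msedge.dll"',
    'EventID=7 Image="C:\\Windows\\explorer.exe" '
    'ImageLoaded="C:\\Windows\\System32\\ntdll.dll"',
]


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def under_root(path, root):
    """Case-insensitive check that `path` sits inside directory `root`."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def suspicious_msedge_load(event):
    """True when the loaded image is named msedge.dll but lives outside Edge."""
    loaded = event.get("ImageLoaded")
    if not loaded:
        return False
    if PureWindowsPath(loaded).name.lower() != "msedge.dll":
        return False
    return not any(under_root(loaded, root) for root in EDGE_ROOTS)


def find_suspicious(lines):
    """Return the parsed events that trip the masquerading check."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if suspicious_msedge_load(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious: {hit['Image']} loaded {hit['ImageLoaded']}")
```

The check keys on the file name alone so that a loader dropped in any user-writable location is caught regardless of which process sideloads it; pairing it with a signature check on the flagged file is the natural next step on a live host.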