Phantom Updates: How a Russian Hacking Unit Weaponized Fake Browser Alerts
Russian-linked hackers fused two notorious cybercrime tools to target a US engineering firm, exposing escalating digital threats against Ukraine’s allies.
Fast Facts
- RomCom hackers used fake browser update pop-ups to deliver advanced malware.
- The attack was linked to Russia’s GRU military intelligence, specifically Unit 29155.
- SocGholish, a tool for spreading malware, played a key role in the infection chain.
- The target was a US civil engineering company with prior links to Ukraine.
- Attackers deployed the cross-platform Mythic Agent for remote access and espionage.
A New Twist on an Old Trick
Imagine browsing the web, only to be greeted by a pop-up urging you to update your browser. Annoying, right? But sometimes, these alerts are not just digital noise - they’re the bait in a sophisticated cyber-espionage trap. This was the case for a US-based civil engineering firm recently targeted in a campaign that wove together some of the most devious cybercriminal tactics in the playbook.
The Anatomy of the Attack
At the center of this operation were two heavyweights of the cyber underground: SocGholish (also called FakeUpdates) and RomCom. SocGholish is infamous for hijacking legitimate websites and injecting them with malicious code that displays convincing - but entirely fake - browser update messages. Unsuspecting users who click these are actually downloading harmful scripts instead of helpful updates.
In this incident, once the victim clicked the bogus update, a chain reaction began. Within 30 minutes, a JavaScript loader set the stage for the main act: the RomCom malware. According to Arctic Wolf Labs, this was the first time RomCom, which the firm links to Russia’s GRU Unit 29155 - a group notorious for both espionage and cybercrime - had been delivered through the SocGholish channel.
RomCom’s payload included a remote access trojan (RAT) and a Mythic agent. Mythic is an open-source command-and-control framework built for red-team exercises; its agents give whoever controls the server covert, interactive control over the infected computer. The attackers could run commands, steal files, and even install a Python backdoor called VIPERTUNNEL. The goal? Espionage and digital reconnaissance, likely tied to the firm’s historical connections to Ukraine.
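The chain above (fake update, a JavaScript loader executed by the victim, then follow-on tooling) leaves a recognisable trace in host telemetry. The script below is an added example, not code from the article or from Arctic Wolf: it scans Sysmon-style process-creation events for a Windows script host running a .js-style file from a user-writable download location and then spawning a command interpreter within a short window. The field names, thresholds, the "update" file-name heuristic and the sample events are all assumptions of this example, not indicators published for this intrusion.

```python
"""Flag host telemetry matching a fake-browser-update infection chain.

Heuristic (an assumption of this example, not indicators from the report):
a Windows script host (wscript.exe / cscript.exe) runs a .js-style file from
a user-writable download location, the file name mimics an update, and the
script host spawns a command interpreter shortly afterwards. Field names
follow Sysmon Event ID 1 (ProcessCreate); the events below are constructed.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".hta"}
FOLLOW_ON = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}
USER_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
WINDOW = timedelta(minutes=30)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # a quoted path or a bare token


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def script_from_user_dir(cmdline):
    """Return the first script argument under a user-writable directory, else None."""
    for quoted, bare in TOKEN_RE.findall(cmdline):
        tok = quoted or bare
        low = tok.lower()
        if PureWindowsPath(low).suffix in SCRIPT_EXTS and any(d in low for d in USER_DIRS):
            return tok
    return None


def flag_fake_update_chain(events):
    """Return [(ProcessGuid, [reasons])] for script-host launches that fit the chain."""
    children = {}
    for ev in events:
        children.setdefault(ev["ParentProcessGuid"], []).append(ev)
    hits = []
    for ev in events:
        if _basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        script = script_from_user_dir(ev["CommandLine"])
        if script is None:
            continue  # vendor logon scripts and the like run from protected paths
        reasons = [f"{_basename(ev['Image'])} ran {script} from a user-writable directory"]
        if "update" in _basename(script):
            reasons.append("file name mimics a browser update")
        if _basename(ev["ParentImage"]) == "explorer.exe":
            reasons.append("launched by explorer.exe, consistent with a user double-click")
        t0 = _ts(ev["UtcTime"])
        for child in children.get(ev["ProcessGuid"], []):
            delay = _ts(child["UtcTime"]) - t0
            if _basename(child["Image"]) in FOLLOW_ON and timedelta(0) <= delay <= WINDOW:
                reasons.append(f"spawned {_basename(child['Image'])} {int(delay.total_seconds())}s later")
        hits.append((ev["ProcessGuid"], reasons))
    return hits


# Constructed sample telemetry: one fake-update run followed by PowerShell,
# plus a benign logon script executed by the same script host.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-02 14:03:11", "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"UtcTime": "2025-10-02 14:05:40", "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Chrome Update.js"'},
    {"UtcTime": "2025-10-02 14:06:12", "ProcessGuid": "{C3}", "ParentProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"UtcTime": "2025-10-02 14:10:00", "ProcessGuid": "{D4}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Program Files\Vendor\logon.js"'},
]

if __name__ == "__main__":
    for guid, reasons in flag_fake_update_chain(SAMPLE_EVENTS):
        print(guid, "->", "; ".join(reasons))
```

Run against the sample, only the wscript.exe launch of "Chrome Update.js" is flagged, with four reasons (user-writable path, update-like name, explorer.exe parent, PowerShell spawned 32 seconds later); the vendor logon script is ignored because it does not live under a user-writable directory. The parent-child window matters more than any single field: blocking .js execution from Downloads or disabling the script host for ordinary users removes this whole stage of the chain.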
Context: Hackers, Geopolitics, and a Growing Threat
This attack is part of a larger pattern: since the invasion of Ukraine, Russian-aligned threat actors have targeted not only Ukrainian organizations but also Western companies assisting Ukraine. RomCom, also tracked as Nebulous Mantis or Storm-0978, has a history of blending criminal and espionage activity, pairing technical exploits with social engineering such as phishing.
SocGholish itself has served several major ransomware and cybercrime operations, including Evil Corp and LockBit affiliates, and has delivered payloads such as Dridex to open doors into organizations. Its appeal lies in its speed and scale: the infection process moves rapidly from fake alert to full compromise, and by compromising poorly secured legitimate websites it reaches as many visitors as possible.
Though this particular attack was stopped before any damage was done, it’s a stark reminder that even minor ties to geopolitical flashpoints can put organizations in the crosshairs of state-backed hackers. As digital tools of deception become more convincing, vigilance and strong cyber hygiene are more essential than ever.
WIKICROOK
- SocGholish: SocGholish is malware that tricks users with fake browser update alerts, leading them to install malicious software and exposing systems to cyber threats.
- RomCom: RomCom is a remote access trojan (RAT) and hacking toolkit, linked to Russian actors, used for cyber espionage and criminal attacks.
- Mythic Agent: A Mythic agent is the implant component of Mythic, an open-source command-and-control framework designed for red-team operations; in attackers’ hands it lets them remotely control infected computers, execute commands, and steal information without the user’s awareness.
- Reverse Shell: A reverse shell is when a hacked computer secretly connects out to an attacker’s server, giving the attacker remote control. Because the connection is outbound, it often passes firewalls that block inbound connections but allow outbound ones.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.