RomCom campaign expands across multiple victims
Campaign
Summary
RomCom operators used SocGholish/FakeUpdates fake browser-update lures on compromised websites to deliver malware, reusing an initial-access chain that is not tied to any one sector or region. In the one observed case, the activity targeted a U.S.-based civil engineering company and pushed Mythic Agent after an intermediate loader stage. The chain was blocked before it could progress further, but the stages seen show a fast-moving delivery operation with environment checks ahead of follow-on payload delivery.
Related Happenings
North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
**North Korea-linked threat actors** are continuing to **poison open-source ecosystems** with malicious packages, signaling an ongoing supply-chain operating model aimed at **data...
Lazarus Group graphalgo recruitment-themed package campaign
Campaign
First: 12.02.2026 18:55
Last: 12.02.2026 18:55
Sources 1
About this happening:
The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...
RomCom SocGholish delivery chain for Mythic Agent
Malware Activity
First: 26.11.2025 10:28
Last: 26.11.2025 10:28
Sources 1
How related:
The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent.
About this happening:
The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...
Stealit fake game and VPN installer campaign
Campaign
First: 13.10.2025 16:45
Last: 13.10.2025 16:45
Sources 1
About this happening:
The **Stealit** campaign is using **fake game and VPN installers** to infect users and **move its C2 panel**, increasing the risk of credential and wallet theft. The operation mat...
Contagious Interview ClickFix BeaverTail campaign targeting crypto and retail roles
Campaign
First: 21.09.2025 13:56
Last: 21.09.2025 13:56
Sources 1
About this happening:
**North Korean operatives** expanded **Contagious Interview** with **ClickFix** lures and a **fake hiring platform** to deliver **BeaverTail** and **InvisibleFerret**, shifting th...
Timeline
- 26.11.2025 10:28 · 2 articles
RomCom payloads delivered via SocGholish
Initial Disclosure: On 2025-11-26, Arctic Wolf Labs identified RomCom payloads delivered through SocGholish/FakeUpdates to a U.S.-based civil engineering company, using fake Google Chrome or Mozilla Firefox update alerts on legitimate-but-compromised websites to trigger a malicious JavaScript loader. The chain established a reverse shell to a C2 server, dropped the custom Python backdoor VIPERTUNNEL, and used a RomCom-linked DLL loader to launch Mythic Agent; the activity was attributed with medium-to-high confidence to Unit 29155 of Russia's GRU and was blocked before it could progress further.
Sources:
- RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware — thehackernews.com — 26.11.2025 10:28
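The summary and the timeline entry above describe the same delivery shape: a fake browser-update alert causes the user to run a JavaScript loader, which then spawns the next stage. The durable signal for a detection engineer is the process lineage rather than any one file hash, so the following is an added example (not code from the page, Arctic Wolf Labs, or the reported campaign) that walks a set of constructed process-creation events and flags a browser spawning a Windows script host that runs a .js file out of a Downloads folder, then scores the hit higher when the file name looks like an update lure and the script host spawns a follow-on interpreter. The event shape (a cut-down Sysmon Event ID 1), the process names in each stage list, the lure words, and the sample paths are all assumptions for illustration.

```python
"""
Heuristic for the fake-browser-update delivery chain described above:
browser -> Windows script host running a .js lure from a downloads folder
-> follow-on interpreter or loader. Walks a small set of CONSTRUCTED
process-creation events (a cut-down Sysmon Event ID 1 shape, an assumption);
process names, paths and field names are illustrative, not from the report.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed process names for each stage of the chain (not from the page).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FOLLOW_ON = {"powershell.exe", "cmd.exe", "python.exe", "rundll32.exe", "regsvr32.exe"}
# Words that fake-update lures tend to put in the downloaded file name (assumption).
LURE_WORDS = ("update", "chrome", "firefox")
# First quoted or bare argument ending in .js on the command line.
_JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def js_argument(cmdline: str):
    """Return the .js path passed to the script host, or None."""
    m = _JS_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def in_downloads(path: str) -> bool:
    """True when the script lives under a \\Downloads\\ folder."""
    return "\\downloads\\" in path.lower()


def find_chains(events):
    """Flag script hosts spawned by a browser that run a .js file from Downloads.

    Severity: 'high' when the file name looks like an update lure AND the
    script host spawned a follow-on interpreter, 'medium' for one of the two,
    'low' for the bare browser -> script host -> Downloads\\*.js pattern.
    Assumes PIDs are unique within the analysed window (no PID reuse).
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in BROWSERS:
            continue
        script = js_argument(e.cmdline)
        if script is None or not in_downloads(script):
            continue
        lure_name = any(w in basename(script) for w in LURE_WORDS)
        follow_on = sorted({basename(c.image) for c in children.get(e.pid, [])
                            if basename(c.image) in FOLLOW_ON})
        if lure_name and follow_on:
            severity = "high"
        elif lure_name or follow_on:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "script_host_pid": e.pid,
            "parent": basename(parent.image),
            "script": script,
            "follow_on": follow_on,
            "severity": severity,
        })
    return findings


# Constructed sample: one lure chain (pids 200 -> 300 -> 400), one benign
# logon script under explorer (pid 500), and one browser-spawned script with
# neither a lure-like name nor a child process (pids 600 -> 700).
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c <constructed payload>"),
    ProcEvent(500, 100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\scripts\inventory.js"),
    ProcEvent(600, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\cscript.exe",
              r'cscript.exe "C:\Users\alice\Downloads\notes.js"'),
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['script_host_pid']} {f['parent']} -> "
              f"{f['script']} -> {f['follow_on']}")
```

Run against the constructed sample, the Chrome-spawned `wscript.exe` running `Chrome.Update.js` with a PowerShell child scores high, the explorer-spawned logon script is ignored because its parent is not a browser, and the Firefox-spawned `notes.js` lands at low so it surfaces for triage without paging anyone. The parent-child rule deliberately does not depend on the lure file name, since the fake-update page picks that, and the summary notes these loaders gate on environment checks, so a sandbox that never sees the follow-on stage would still register the first hop. Real telemetry needs PID-reuse handling and a time window, which this sketch omits.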