
RomCom SocGholish delivery chain for Mythic Agent

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


The RomCom malware family was newly observed being delivered through SocGholish/FakeUpdates, adding a fresh infection path that can push multiple payloads and increase post-compromise risk. The chain targeted a U.S.-based civil engineering company and delivered Mythic Agent after a fake browser-update lure. The attempt was blocked before further progression, but it still demonstrated a fast path to reverse-shell access and post-exploit tooling.

Related Happenings

Silver Fox South Asia phishing campaign

Campaign
First: 24.03.2026 18:00 Last: 24.03.2026 18:00 Sources 1

About this happening: The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A **last month** campaign used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

RomCom campaign expands across multiple victims

Campaign
First: 26.11.2025 10:28 Last: 26.11.2025 10:28 Sources 1

How related: The widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial access to infection make it a potent threat to organizations worldwide.

About this happening: The **RomCom** operation used **SocGholish/FakeUpdates** fake browser-update lures on **compromised websites** to deliver malware, extending a reusable initial-access chain that c...

InedibleOchotense ESET-impersonation phishing campaign with trojanized installers

Campaign
First: 06.11.2025 17:31 Last: 06.11.2025 17:31 Sources 1

About this happening: A **Russia-aligned** campaign by **InedibleOchotense** sent **ESET-branded spear-phishing** lures to **multiple Ukrainian entities**, creating a malware-delivery risk. The operati...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...

Timeline

  1. 26.11.2025 10:28 2 articles · 6mo ago

    RomCom SocGholish fake-update delivery chain

    Technical Analysis Update

    Arctic Wolf Labs reported a RomCom delivery chain against a U.S.-based civil engineering company that used SocGholish/FakeUpdates fake browser update lures on compromised websites to install a loader, establish a reverse shell to a C2 server, drop the custom Python backdoor VIPERTUNNEL, and launch a RomCom-linked DLL loader that started Mythic Agent; the activity was attributed with medium-to-high confidence to Unit 29155 of Russia's GRU and was blocked before it could progress further.
