Threat Actors Use Fake Update Lures to Deploy SocGholish Malware

In a significant escalation of cyber threats, Arctic Wolf Labs has identified a coordinated campaign in which the Russian-aligned RomCom threat group leverages the SocGholish malware to target a U.S.-based engineering firm with suspected ties to Ukraine.

This marks the first documented instance of RomCom payloads being distributed through SocGholish’s infrastructure, signaling a dangerous convergence of two prominent threat actors.

The incident unfolded in September 2025 when TA569, the primary operator of SocGholish, compromised legitimate websites to inject malicious JavaScript capable of delivering fake software update prompts.

The targeted user, unaware of the deception, downloaded what appeared to be a routine browser update. Approximately ten minutes post-infection, RomCom’s sophisticated Mythic Agent loader was delivered to the compromised system.

Arctic Wolf’s analysis reveals that the attackers employed obfuscated JavaScript code designed to evade detection.

Once executed, the payload established a reverse shell connection to SocGholish’s command-and-control infrastructure, granting attackers immediate remote access for reconnaissance and further exploitation.

Russian State Involvement

Based on forensic evidence uncovered during the investigation, Arctic Wolf Labs assesses with medium-to-high confidence that Russia’s GRU Unit 29155 is orchestrating these attacks.

Besides their phishing campaigns, SocGholish operators obtain a second, more bountiful source of traffic by using third-party Traffic Direction Systems (TDS).

SocGholish FAKEUPDATE delivery page.

Unit 29155, Russia’s largest foreign intelligence agency, specializes in offensive network operations targeting global entities.

Since early 2022, the unit has concentrated efforts on disrupting international aid to Ukraine, making the targeting of Ukraine-affiliated organizations a strategic priority.

The victim organization’s historic work for a Ukrainian-aligned city underscores RomCom’s methodical approach to targeting entities with even tenuous ties to Ukraine, regardless of their location.

The attack demonstrated considerable technical sophistication. After gaining initial access, the operators deployed a secondary payload including VIPERTUNNEL, a custom Python backdoor.

Reconnaissance commands were executed using PowerShell with anti-detection techniques built in. Further deobfuscation of the script leads to the following code:

Strings decrypted and further deobfuscated.

Within three minutes of establishing persistence, the threat actors tested connections to a Mythic C2 (command-and-control) framework, a red-team tool now repurposed for criminal use.

The RomCom loader, delivered as msedge.dll, included domain verification routines to ensure precise targeting. Shellcode execution leveraged AES encryption and callback protection techniques.

Malware-as-a-Service Model

TA569 operates SocGholish as a Malware-as-a-Service (MaaS) platform, selling access to compromised systems to the highest criminal bidder.

The loader, as mentioned in ESET’s writeup, is named msedge.dll. This sample checks the domain that the system resides on, and, if it matches the hardcoded value, will decrypt and execute the shellcode.

Decrypt if user domain is correct, otherwise exit.

Past clientele have included ransomware groups such as Evil Corp and LockBit. SocGholish infections are increasingly precursors to major ransomware events, raising the stakes for victim organizations.

Arctic Wolf Labs identified seven malicious Mythic C2 domains tied to RomCom, six of which were registered on a single day in July 2025.

Technical correlation using server headers and registration data built a strong case for attribution to RomCom activity.

In this attack, Arctic Wolf’s Aurora Endpoint Defense platform immediately detected and quarantined the RomCom loader, isolating the compromised system and preventing wider network damage.

The convergence of SocGholish’s initial access operations and RomCom’s advanced loader capabilities signals a new phase in the threat landscape.

Organizations must treat SocGholish detections as high-risk incidents with advanced follow-on compromise likely, reinforcing the necessity for robust detection and rapid incident response.
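One way a detection team can act on that advice is to correlate the chain the article describes (fake-update script download, an msedge.dll loaded from outside Edge's install directory roughly ten minutes later, PowerShell reconnaissance, then an outbound C2 test) into a single high-severity alert. The script below is an added example, not Arctic Wolf's or anyone else's tooling; the event format, hostnames, paths, the Update.js file name and the 30-minute window are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data) in an assumed format:
# "<ISO timestamp> <host> <event_type> <key>=<value>". The order mirrors the
# reported sequence: lure download, loader ~10 min later, PowerShell, C2 test.
SAMPLE_EVENTS = r"""2025-09-15T10:00:00 WS-ENG-07 file_download name=Update.js
2025-09-15T10:03:12 WS-ENG-07 process_start image=wscript.exe
2025-09-15T10:10:40 WS-ENG-07 image_load image=C:\Users\eng\AppData\Local\Temp\msedge.dll
2025-09-15T10:12:05 WS-ENG-07 process_start image=powershell.exe
2025-09-15T10:13:30 WS-ENG-07 network_connect dst=c2-placeholder.example:443
2025-09-15T11:30:00 WS-ENG-02 image_load image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"""

EDGE_DIR = r"\Microsoft\Edge\Application"  # legitimate home of msedge.dll
WINDOW = timedelta(minutes=30)  # assumed correlation window around the loader event


def parse_events(text):
    """Parse one key=value event per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        ts, host, kind, rest = line.split(" ", 3)
        key, value = rest.split("=", 1)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, key: value})
    return events


def suspicious_msedge_load(ev):
    """A DLL named msedge.dll loaded from anywhere but Edge's install directory."""
    path = ev.get("image", "").lower()
    return ev["kind"] == "image_load" and path.endswith("msedge.dll") and EDGE_DIR.lower() not in path


def correlate(events):
    """One alert per mis-located msedge.dll load; severity rises when a script
    download precedes it and PowerShell / outbound connections follow it."""
    alerts = []
    for load in filter(suspicious_msedge_load, events):
        same_host = [e for e in events if e["host"] == load["host"]]
        before = [e for e in same_host if load["ts"] - WINDOW <= e["ts"] < load["ts"]]
        after = [e for e in same_host if load["ts"] < e["ts"] <= load["ts"] + WINDOW]
        lure = any(e["kind"] == "file_download" and e["name"].lower().endswith(".js") for e in before)
        recon = any(e["kind"] == "process_start" and "powershell" in e["image"].lower() for e in after)
        c2 = any(e["kind"] == "network_connect" for e in after)
        score = 1 + lure + recon + c2  # loader alone is already worth triage
        alerts.append({"host": load["host"], "loader": load["image"], "lure": lure, "recon": recon,
                       "c2": c2, "severity": "high" if score >= 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only WS-ENG-07 produces an alert, rated high because all three surrounding indicators are present; the legitimate Edge load on WS-ENG-02 is ignored.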
