RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals
The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has been targeting UK companies in the retail, hospitality, and critical national infrastructure (CNI) sectors in a recently discovered cyber espionage and profit-driven operation called “Operation Deceptive Prospect.”
Active since at least 2022, RomCom has a history of blending espionage with cybercrime, often focusing on governmental and military entities, particularly those linked to Ukrainian affairs and NATO.
Their latest campaign, uncovered by Bridewell’s Cyber Threat Intelligence (CTI) team in March 2025, showcases a cunning strategy of exploiting externally facing customer feedback portals to deliver phishing emails to customer service representatives.

These emails, crafted with convincing personas and complaints about issues like stolen luggage or substandard airport facilities, contain malicious links disguised as Google Drive or Microsoft OneDrive files, ultimately leading to the deployment of a sophisticated executable downloader masquerading as a PDF.
Evolving Malware and Zero-Day Exploits Highlight RomCom’s Technical Prowess
RomCom’s technical arsenal has evolved significantly, with their malware, including the RomCom backdoor, progressing to stealthier variants like RomCom 4.0 (PEAPOD) and the latest SnipBot (RomCom 5.0), identified as early as December 2023.
SnipBot introduces advanced obfuscation techniques, anti-sandboxing measures, and an expanded set of 27 commands for data exfiltration and granular control over infected systems.
The group has also demonstrated proficiency in exploiting zero-day vulnerabilities, notably chaining CVE-2024-9680 (a use-after-free flaw in Mozilla Firefox) and CVE-2024-49039 (a Windows privilege escalation flaw) in late 2024 to execute zero-click attacks across Europe and North America.
In “Operation Deceptive Prospect,” the infection chain leverages multiple redirection stages through domains hosted on Amazon S3 via Rebrandly and intermediate URL shorteners like opn.to, before landing on threat actor-controlled payload hosting sites mimicking OneDrive.

The final payload, an executable signed with a likely stolen certificate from a dissolved UK-based company, is retrieved from Mediafire and exhibits potential defense evasion tactics, such as checking the RecentDocs registry key, a technique previously linked to SnipBot by Palo Alto's Unit 42 research.
According to the report, this campaign's social engineering tactics heavily exploit trust, with emails following a structured complaint format and incorporating intimidation by threatening escalation within tight deadlines.
The use of AI-generated content is suspected due to formulaic language and formatting anomalies, underscoring RomCom’s adaptability in crafting believable lures.
Nearly 100 domains mimicking cloud storage services have been identified, predominantly using generic top-level domains like .click and .live, hosted on bulletproof infrastructure such as HZ Hosting and AEZA Group Ltd.
While static and dynamic analysis of the payloads shows limited overt malicious behavior, the overlap with RomCom's known tactics and ESET's detection of the sample as Win32/TrojanDownloader.RomCom.A suggest a deeper threat requiring further investigation. Organizations are urged to scrutinize customer feedback channels, monitor for suspicious domains, and enhance endpoint detection to mitigate this evolving threat from a group suspected of aligning with Russian state interests.
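As an added example (not code from the Bridewell report or from any vendor tooling), a small triage helper for the indicators the article describes: links to cloud-storage lookalike hosts on .click or .live domains, and a download named like a PDF that actually carries a PE header. The legitimate-host list, brand tokens, sample complaint text and file bytes are all constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of the real services the lures impersonate (assumption, not exhaustive).
LEGIT_CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
SUSPICIOUS_TLDS = {"click", "live"}          # gTLDs the report says the lookalikes favour
BRAND_TOKENS = ("onedrive", "drive", "1drv", "mediafire")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def classify_url(url: str) -> list[str]:
    """Return findings for one link found in a customer-feedback message."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in LEGIT_CLOUD_HOSTS:
        return []
    findings = []
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        findings.append("suspicious-tld")
    if any(tok in host for tok in BRAND_TOKENS):
        findings.append("cloud-lookalike-host")   # brand name on a non-brand domain
    if re.search(r"\.pdf\.(exe|scr)$", parsed.path.lower()):
        findings.append("pdf-double-extension")   # downloader posing as a document
    return findings

def scan_message(body: str) -> dict[str, list[str]]:
    """Map each flagged URL in a message body to its findings (clean URLs are dropped)."""
    return {u: f for u in URL_RE.findall(body) if (f := classify_url(u))}

def is_exe_posing_as_pdf(filename: str, data: bytes) -> bool:
    """True when a file named like a PDF starts with the PE 'MZ' magic instead of '%PDF'."""
    return filename.lower().endswith(".pdf") and data[:2] == b"MZ"

# Constructed sample complaint, modelled on the lure format the report describes.
SAMPLE_BODY = (
    "My luggage was damaged at your airport. Photos and receipt here: "
    "https://onedrive-share.click/files/complaint.pdf.exe\n"
    "Please respond within 48 hours or I will escalate. Earlier copy: "
    "https://drive.google.com/file/d/abc123/view"
)

if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_BODY).items():
        print(url, findings)
    # Constructed bytes: a PE header where a PDF was expected.
    print(is_exe_posing_as_pdf("complaint.pdf", b"MZ\x90\x00" + b"\x00" * 60))
```

Feed real feedback-portal messages to scan_message and quarantined downloads to is_exe_posing_as_pdf to triage submissions before a customer service representative opens them.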