Russia-aligned hackers target US company in attack linked to Ukraine war effort

A U.S.-based civil engineering firm has been targeted by Russia-aligned hackers with a history of malicious activity linked to the war in Ukraine, according to a blog post released Tuesday by Arctic Wolf. 

A Russia-aligned threat group known as RomCom used SocGholish malware to target the company in a September attack, according to the blog. A Russian military intelligence unit, GRU Unit 29155, has used SocGholish to target various entities in connection with the war since 2022. 

SocGholish is operated by a group known as TA569, which usually works as an initial access broker: the malware is a JavaScript loader typically delivered through fake browser-update prompts injected into compromised websites, and TA569 sells or hands off the resulting access to other groups. 

Researchers did not identify the targeted company by name, describing it only as a firm that has previously done work for a city with close ties to Ukraine. RomCom has a history of attacks against organizations and individuals that have provided support to Ukraine. 

Researchers said the attack is the first time they have observed SocGholish distributing a RomCom payload. The attack was ultimately blocked, according to researchers. 

RomCom has been actively involved in prior attacks against Western organizations. In August, researchers at ESET uncovered RomCom exploiting a zero-day vulnerability in WinRAR (CVE-2025-8088, a path traversal flaw that lets a crafted archive drop files outside the chosen extraction directory). That campaign targeted organizations in Europe and Canada. 

In 2023, RomCom targeted a U.S. healthcare firm that was providing medical assistance to Ukrainian refugees, according to a blog post from Arctic Wolf. 

Tensions between the U.S. and Russia have increased in recent months, as the Trump administration has attempted to reach a negotiated end to the Ukraine war.

Russia-aligned groups have used various asymmetric methods to target Western support for the Ukrainian war effort. U.S. authorities and allied nations warned in May about the Russia-linked threat actor Fancy Bear (also tracked as APT28, attributed to GRU Unit 26165) targeting logistics and other organizations providing assistance to Ukraine.
