RomCom
RomCom is a Russia-aligned threat actor also tracked as Tropical Scorpius, UNC2596, UNC4895, Void Rabisu, CIGAR, Underground Team, and under the Microsoft development cluster names Storm-0671 and Storm-0978. Reporting describes RomCom as a Russia-based group that has conducted both financially motivated cybercrime and targeted espionage operations; some reporting assesses links to Russian state interests, and one report attributes a Mythic Agent intrusion with medium-to-high confidence to Russia's GRU Unit 29155.

Reported targeting includes defense industry, government, telecom, and financial organizations in Europe and North America; financial, manufacturing, defense, and logistics companies in Europe and Canada; and U.S. firms tied to projects supporting Ukraine. The group has consistently targeted entities linked to Ukraine and its defense.

Observed tradecraft includes spearphishing, fake software updates, trojanized legitimate software, use of initial access brokers, and use of SocGholish/FakeUpdates to deliver payloads. RomCom has exploited major vulnerabilities including CVE-2023-36884 in Microsoft Office/Windows HTML and the WinRAR zero-day CVE-2025-8088. In July 2025, ESET observed RomCom exploiting CVE-2025-8088 in highly targeted spearphishing campaigns that used fake job application or CV-themed RAR archives disguised as application documents. Successful exploitation delivered RomCom-associated malware including a SnipBot variant, RustyClaw, and Mythic Agent; other reporting also mentions RomCom backdoors and fake OneDrive loaders. The group has also been associated with trojanized installers for software including Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, and Signal.
Reporting states that RomCom conducts both opportunistic campaigns against selected business verticals and targeted intelligence collection, and that its focus has shifted to include espionage alongside conventional cybercrime. It has been linked to ransomware activity, including use of Industrial Spy ransomware and likely distribution of Underground ransomware. Underground ransomware reporting says initial access may come via CVE-2023-36884, phishing emails, or initial access brokers, and that the operators maintain a leak site and a Telegram channel. Reporting also notes a partnership model between Russian intelligence organizations and cybercriminal groups such as RomCom and Trickbot.
Targeting
Attributed origin per open-source reporting: RU
Tradecraft
56 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
24 malware families attributed to this actor across reporting.
19 additional families tracked in Mallory.
Associated vulnerabilities
8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
Historical parallels, such as the exploitation of CVE-2023-36884 by Storm-0978, underscore how Office-based RCE vulnerabilities have been weaponized for targeted intrusions.
GTIG spotlighted CIGAR (UNC4895/RomCom) deploying a zero-day chain against Firefox and Windows (CVE-2024-49039) that escalated privileges from low integrity to SYSTEM via Windows RPC abuse, enabling creation/execution of scheduled tasks as SYSTEM.
"Attackers were observed chaining this vulnerability with a remote code execution flaw in Firefox, identified as CVE-2024-9680."
Next, the threat actors attempted to use a file called zero.exe, which is used to exploit the Zerologon vulnerability to escalate privileges.
3 more CVEs tied to this actor tracked in Mallory.
Observables
51 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as one of several Russian hacking groups known to have exploited the WinRAR vulnerability CVE-2025-8088.
Used SocGholish to deliver Mythic Agent, demonstrating use of SocGholish as an initial access broker service.
Russia-linked threat actor also reported as exploiting CVE-2025-8088.
Reported as one of the Russia-aligned threat actors that exploited CVE-2025-8088 earlier in the year.