Mythic Agent
Mythic Agent is a post-exploitation implant built on the Mythic C2 framework that provides remote-access capabilities including command execution, reconnaissance, file exfiltration, lateral movement, command-and-control communication, and loading of additional plugins or payloads. The content links it primarily to RomCom activity in 2025, including campaigns where RomCom used SocGholish/FakeUpdates fake browser-update lures to deliver a targeted Mythic Agent loader to a U.S. civil engineering firm with ties to Ukraine-related work, and separate spearphishing campaigns exploiting the WinRAR zero-day CVE-2025-8088 against financial, manufacturing, defense, and logistics organizations in Europe and Canada. In the WinRAR chains, malicious RAR archives dropped LNK and DLL/EXE payloads; one observed chain used Updater.lnk to set HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 to %TEMP%\msedge.dll for COM hijacking, after which msedge.dll decrypted embedded AES shellcode and launched the Mythic agent. Arctic Wolf also reported a targeted loader disguised as msedge.dll that executed only when the victim Active Directory domain matched a hardcoded value, and described the shellcode as a Mythic dynamichttp agent. Reported C2 endpoints associated with Mythic Agent activity in the content include https://srlaptop[.]com/s/0.7.8/clarity.js and https://imprimerie-agp[.]com/s/0.7.8/clarity.js. The content also notes Mythic Agent was found among malware on a compromised Microsoft Exchange server in an intrusion likely involving Erudite Mogwai/Space Pirates, and one source associates Mythic Agent with GOFFEE. High-confidence aliases in the provided content are limited to Mythic Agent and mythic_agent.
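As an added detection example (not from the Mallory page or any vendor report), the COM-hijack persistence step above can be hunted in Sysmon Event ID 13 registry value-set telemetry: flag any per-user CLSID whose InprocServer32 value points into a user-writable directory. It assumes events arrive as dicts with EventID, TargetObject and Details fields; the sample records are constructed.

```python
import re

# Per-user COM server registration. Sysmon writes TargetObject either as
# HKCU\... or HKU\<SID>\...; a "\(Default)" suffix may follow, so match() is used.
INPROC_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\SOFTWARE\\Classes\\CLSID\\\{([0-9A-F-]{36})\}\\InprocServer32",
    re.IGNORECASE,
)
# Directories a legitimate in-process COM server should not be loaded from
# (the page's chain used %TEMP%\msedge.dll). Literal and expanded forms both covered.
SUSPICIOUS_DIRS = ("%temp%", "\\appdata\\local\\temp\\", "\\users\\public\\",
                   "%appdata%", "\\downloads\\")

def is_com_hijack(target_object: str, details: str) -> bool:
    """True when a per-user InprocServer32 value points at a user-writable path."""
    if not INPROC_RE.match(target_object):
        return False
    low = details.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)

def scan_events(events):
    """Return (CLSID, dll_path) for every suspicious Event ID 13 record."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if is_com_hijack(ev["TargetObject"], ev["Details"]):
            clsid = INPROC_RE.match(ev["TargetObject"]).group(1).upper()
            hits.append((clsid, ev["Details"]))
    return hits

# Constructed sample records: one mirroring the chain described above, one benign
# vendor COM registration, one unrelated Run-key write that must not match.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32",
     "Details": r"C:\Users\alice\AppData\Local\Temp\msedge.dll"},
    {"EventID": 13,
     "TargetObject": r"HKCU\SOFTWARE\Classes\CLSID\{0A0B0C0D-1111-2222-3333-444455556666}\InprocServer32",
     "Details": r"C:\Program Files\Vendor\handler.dll"},
    {"EventID": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\x.exe"},
]

if __name__ == "__main__":
    for clsid, path in scan_events(SAMPLE_EVENTS):
        print(f"possible COM hijack: CLSID {{{clsid}}} -> {path}")
```

Tune SUSPICIOUS_DIRS to your estate; a packaged app that legitimately registers per-user COM servers from AppData will need an allow-list by signer or path.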
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...the source of their infection turned out to be an Exchange mail server that had been compromised back in the summer of 2024 through exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
...exploitation of the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
The vulnerability, tracked as CVE-2025-8088, affects all Windows versions of WinRAR up to 7.12 ... a path traversal bug that leverages Windows' alternate data streams (ADS) feature to circumvent normal file extraction safeguards.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
In November 2025, Arctic Wolf revealed that SocGholish was being used by the RomCom threat actors to deliver the Mythic Agent, highlighting the use of the initial access broker's services by a broad range of actors with varied motivations.
...various malware files were found: ... Mythic Agent (GOFFEE)
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Execution
2 techniques
The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine.
ESET researchers have discovered a previously unknown zero-day vulnerability in WinRAR being exploited in the wild by Russia-aligned group RomCom... The vulnerability, CVE-2025-8088, is a path traversal vulnerability... Disguised as an application document, the weaponized archives exploited a path traversal flaw to compromise its targets.
Privilege Escalation
1 technique
Stealth
3 techniques
PowerTaskel downloads a binary agent from the command-and-control server, injects it into the memory of its own process and runs it in a separate thread
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A payload delivered via SocGholish by RomCom threat actors.
Post-exploitation agent/payload delivered in a RomCom intrusion chain (via SocGholish) to provide remote control capabilities.
Referenced as an agent/implant from the Mythic post-exploitation framework found on the compromised system; associated in the text with GOFFEE. No further details provided.
Mythic Agent is a remote access trojan (RAT) delivered via SocGholish, used for persistent access and control over victim systems.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.