RomCom

Malware Profile Updated 2 months ago
RomCom is a Remote Access Trojan (RAT) that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, RomCom RAT actors, and Industrial Spy ransomware actors. These groups have targeted various regions globally, with the RomCom malware particularly affecting Europe and North America. The malware is associated with Storm-0978, a pro-Russian Advanced Persistent Threat (APT) group also known as the RomCom Group. In October 2023, a significant RomCom cyberattack exploited a Windows remote code execution vulnerability (CVE-2023-36584) alongside another vulnerability (CVE-2023-36884). These vulnerabilities were used to deliver PEAPOD, an updated version of the RomCom RAT. The attack was part of a spear-phishing campaign launched by Storm-0978 against groups supporting Ukraine's admission into NATO, and it demonstrated a level of control over victims similar to that achieved with the earlier ROMCOM 3.0. The community attributes this activity to Storm-0978 based on its use of the RomCom backdoor. Microsoft patched the exploited vulnerabilities in its October 2023 security updates. Despite these measures, systems infected by PEAPOD can still download a third component resembling the ROMCOM 3.0 worker, allowing the threat actors to retain significant control over their targets. Given the ongoing threat, individuals and organizations are advised to remain vigilant, especially when encountering suspicious online activity promising too-good-to-be-true outcomes.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID / Votes / Profile Description
Romcom Backdoor
5
The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a
Romcom Rat
4
RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ra
Peapod
4
PEAPOD, a novel variant of the RomCom RAT malware, was discovered to have been used in targeted attacks against female political leaders who participated in the Women Political Leaders Summit in June. The threat operation responsible for these attacks is known as Void Rabisu, also referred to as Sto
Void Rabisu
3
Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
Storm-0978
2
Storm-0978, also known as RomCom or DEV-0978, is a threat actor group alleged to have connections with Russia. Microsoft, in a blog post published on July 11, 2023, accused this group of exploiting the vulnerability CVE-2023-36884 to install backdoors on target systems. The cybersecurity industry ha
Tropical Scorpius
2
Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Romcom Remote Access Trojan
2
The RomCom Remote Access Trojan (RAT) is a type of malware that has gained significant attention in the cybersecurity landscape this year. This malicious software, designed to exploit and damage computer systems, can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst
Unc2596
2
UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including
Romcom Group
1
The RomCom Group, also known as Storm-0978, is a pro-Russian Advanced Persistent Threat (APT) group notorious for its advanced cyber campaigns. The group is recognized for their use of the RomCom backdoor, a malware that exploits and damages computer systems to steal personal information, disrupt op
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Microsoft
Backdoor
Ukraine
Nato
Payload
Rat
Vulnerability
Exploit
Trojan
Apt
Phishing
Espionage
Papercut
Downloader
Loader
Cybercrime
Windows
Keepass
Extortion
Known Exploi...
Government
t1584.001
Securityweek
Remcos
State Sponso...
Acrobat
RCE (Remote ...
Infostealer
Proxy
T1090
Fbi
CISA
Outlook
Zero Day
Healthcare
Infiltration
Lateral_move...
Eu
Blackberry
Associated Malware
ID / Type / Votes / Profile Description
Cuba Ransomware (Type: Unspecified)
3
The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Cuba (Type: Unspecified)
2
The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
Meterpreter (Type: Unspecified)
1
Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
njRAT (Type: Unspecified)
1
NjRAT is a remote-access Trojan (RAT) that has been commonly used in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos and AsyncRAT, to exploit and damage computer systems. NjRAT can identify remote hosts on connected network
Dev-0978 (Type: Unspecified)
1
No profile description available.
Rootsaw (Type: Unspecified)
1
Rootsaw, also known as EnvyScout, is a first-stage payload malware extensively used by state-sponsored group APT29 for their initial access efforts in collecting foreign political intelligence. The malware is typically deployed via phishing emails with HTML file attachments or .HTA files, which exec
Spica (Type: Unspecified)
1
Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
Smokeloader (Type: Unspecified)
1
SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Rhadamanthys (Type: Unspecified)
1
Rhadamanthys is a type of malware that has been identified as a significant threat to computer systems. This malicious software, designed to exploit and damage computers or devices, can infiltrate systems through suspicious downloads, emails, or websites. Once it gains access, Rhadamanthys can steal
Associated Threat Actors
ID / Type / Votes / Profile Description
Turla (Type: Unspecified)
1
Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
APT28 (Type: Unspecified)
1
APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Gamaredon (Type: Unspecified)
1
Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Gossamer Bear (Type: Unspecified)
1
Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Winter Vivern (Type: Unspecified)
1
Winter Vivern is a threat actor group that has recently been active in the cybersecurity landscape. This group, which is believed to align with the interests of Belarus, has been involved in a series of malicious activities targeting different entities. They have notably exploited a zero-day vulnera
APT29 (Type: Unspecified)
1
APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
Apt44 (Type: Unspecified)
1
APT44, previously known as Sandworm, is a Russian military intelligence hacking team newly designated by Mandiant. The group has been active in conducting campaigns leveraging Sandworm malware since the start of 2023, primarily targeting Ukraine, Eastern Europe, and investigative journalists. APT44'
Associated Vulnerabilities
ID / Type / Votes / Profile Description
CVE-2023-36884 (Type: Unspecified)
3
CVE-2023-36884 is a significant software vulnerability discovered in Microsoft Windows, Server, Office, and Outlook. It is a flaw in the software design or implementation that allows for remote code execution (RCE), specifically in the Windows Search security feature. This vulnerability was being ac
Follina (Type: Unspecified)
1
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
CVE-2023-36584 (Type: Unspecified)
1
No profile description available.
Source Document References
Information about the RomCom malware was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title
Flashpoint
2 months ago
Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
CERT-EU
4 months ago
Why Is Gender Diversity Important In Cybersecurity? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
6 months ago
I'm in love with a Nigerian internet fraudster: The women who carry on loving romance scammers even after the man's been exposed as a fraud - and taken them to the cleaners | #datingscams | #lovescams | #datingscams | #love | #relationships | #scams | #pof | #match.com | #dating | National Cyber Security Consulting
CERT-EU
8 months ago
CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
CERT-EU
8 months ago
In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review
Unit42
8 months ago
In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
BankInfoSecurity
9 months ago
Women Political Leaders Targeted With RomCom RAT Variant
CERT-EU
9 months ago
RomCom Malware Group Targets EU Gender Equality Summit
CERT-EU
9 months ago
Novel RomCom RAT variant used in attacks against female political leaders
DARKReading
9 months ago
'RomCom' Cyber Campaign Targets Women Political Leaders
InfoSecurity-magazine
9 months ago
New RomCom Backdoor Targets Female Political Leaders
CERT-EU
9 months ago
Women Political Leaders Summit targeted in RomCom malware phishing
CERT-EU
9 months ago
New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU
9 months ago
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
Trend Micro
9 months ago
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
CERT-EU
10 months ago
At least 23 Russian hacker groups targeted Ukraine in 2023, Ukraine’s cyber defense says
CERT-EU
a year ago
Geopolitical Warfare in the Digital Age: The NATO Summit Cyber Incursion
CERT-EU
a year ago
Akira Ransomware, 8Base Ransomware, and more: Hacker’s Playbook Threat Coverage Round-up: August 22, 2023
CERT-EU
a year ago
Cuba Ransomware Group Exploiting Veeam Flaw in Latest Campaign