Target profile focused on Ukraine support: The second major insight from the report concerns victim selection. The targeted firm was not a defense contractor or a government body but a civil engineering company in the US. Its only notable link was past work involving a Ukraine-affiliated city.

According to Arctic Wolf, the incident fits RomCom’s broader pattern of targeting organizations that have even tangential connections to Ukraine. Researchers added that the group has steadily evolved from distributing trojanized installers to conducting more disciplined, selective operations, and its suspected ties to GRU Unit 29155 further explain why entities linked to Ukraine, “however indirectly”, continue to draw its attention.

For indicators of compromise, Arctic Wolf shared a list of malicious domain names, IP addresses, and autonomous system numbers. “Five new domains were found to be related to the two RomCom-attributed Mythic C2s identified by Arctic Wolf Labs,” researchers said. “The attack was ultimately unsuccessful because RomCom’s loader was caught by Arctic Wolf’s Aurora Endpoint Defense, preventing the targeted entity from being compromised by this threat group.”

Arctic Wolf recommended that organizations harden against similar threats by blocking untrusted script executions, enforcing strict update policies, and treating any in-browser “update” prompt as suspicious. The firm also stressed the need for continuous endpoint monitoring and threat-intel-driven detection to catch SocGholish-style fake updates before they escalate.
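The two detection recommendations above, threat-intel matching on the published domains, IPs and ASNs and a heuristic for fake browser-update downloads, can be combined in a single log sweep. The following is an added example written for this article, not Arctic Wolf's tooling or the indicators from its report: the IoC values, the vendor-host allowlist, the proxy log format and the log lines are all constructed placeholders.

```python
"""Threat-intel-driven triage of web proxy log lines for SocGholish-style
fake-update downloads. Added example; every indicator and log line below is a
constructed placeholder, not a value from the Arctic Wolf report."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed placeholder indicators. In practice, load the domains, IPs and
# ASNs published in the vendor report instead of these values.
IOC_DOMAINS = {"update-cdn.example", "mythic-c2.example"}
IOC_IPS = {"198.51.100.23"}
IOC_ASNS = {"AS64500"}

# Assumption: hosts from which a browser-update download is expected.
# Any "update" script fetched from elsewhere is treated as suspicious.
VENDOR_UPDATE_HOSTS = {"edgedl.me.gvt1.com", "download.mozilla.org"}

# File types a fake-update lure typically hands the victim.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".hta", ".zip", ".msi")
UPDATE_WORDS = re.compile(r"update|upgrade|patch", re.I)


@dataclass
class Finding:
    line_no: int
    host: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Constructed proxy format: ts client_ip dest_ip asn status url referer."""
    parts = line.split()
    if len(parts) != 7:
        return None  # malformed line: skip it rather than abort the sweep
    ts, client_ip, dest_ip, asn, status, url, referer = parts
    return {"ts": ts, "client_ip": client_ip, "dest_ip": dest_ip, "asn": asn,
            "status": status, "url": url, "referer": referer}


def looks_like_fake_update(url: str) -> bool:
    """Script/archive named like an update, served from a non-vendor host."""
    u = urlsplit(url)
    host = u.hostname or ""
    filename = u.path.rsplit("/", 1)[-1]
    return (host not in VENDOR_UPDATE_HOSTS
            and filename.lower().endswith(SCRIPT_EXTENSIONS)
            and bool(UPDATE_WORDS.search(filename)))


def triage(lines):
    """Return one Finding per log line that matches an IoC or the heuristic."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        reasons = []
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            reasons.append("ioc_domain")
        if rec["dest_ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if rec["asn"] in IOC_ASNS:
            reasons.append("ioc_asn")
        if looks_like_fake_update(rec["url"]):
            reasons.append("fake_update_download")
            # A download triggered from a page on another site is the usual
            # shape of a compromised-site "your browser needs updating" lure.
            ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
            if ref_host and ref_host != host:
                reasons.append("cross_site_referer")
        if reasons:
            findings.append(Finding(n, host, reasons))
    return findings


# Constructed sample log lines (documentation IP ranges, example domains).
LOG_LINES = [
    "2025-11-03T10:01:05Z 10.0.0.14 203.0.113.9 AS64496 200 https://download.mozilla.org/firefox/update.exe -",
    "2025-11-03T10:02:11Z 10.0.0.14 198.51.100.23 AS64500 200 https://update-cdn.example/chrome/Update.js https://blog.example.org/post",
    "2025-11-03T10:02:40Z 10.0.0.22 192.0.2.77 AS64501 200 https://cdn.legit.example/app/bundle.js https://cdn.legit.example/",
    "2025-11-03T10:03:02Z 10.0.0.22 192.0.2.88 AS64502 200 https://files.example.net/browser-update.zip https://news.example.net/article",
]

if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f"line {f.line_no}: {f.host} -> {', '.join(f.reasons)}")
```

The IoC checks give high-confidence hits only for infrastructure already published; the filename heuristic is what catches the fourth line, a lure on infrastructure the intel feed has not seen yet, which is why the article pairs threat-intel matching with behavioural monitoring rather than relying on either alone. Tune `VENDOR_UPDATE_HOSTS` to the update channels your environment actually uses.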
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4097944/romcom-tries-dropping-a-not-so-romantic-payload-on-ukraine-linked-us-firms.html

