Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Nov. 26, 2025, 7:51 a.m.

Description

Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using fake update lures to deliver malware, and executing malicious JavaScript on victim hosts. The targeted company had ties to Ukraine, aligning with RomCom's focus on entities supporting Ukraine. Evidence suggests Russia's GRU unit 29155 is leveraging SocGholish for targeting. The attack was thwarted by Arctic Wolf's Aurora Endpoint Defense, which detected and quarantined the RomCom loader upon delivery.

Date

  • Created: Nov. 25, 2025, 6:11 p.m.
  • Published: Nov. 25, 2025, 6:11 p.m.
  • Modified: Nov. 26, 2025, 7:51 a.m.

Attack Patterns

  • Mythic Agent
  • VIPERTUNNEL
  • FAKEUPDATE
  • SocGholish
  • RomCom

Additional Information

  • Engineering
  • Ukraine
  • United States of America