The Russia-based threat group RomCom, also tracked as Storm-0978, Tropical Scorpius, and Void Rabisu, has been targeting UK firms in the retail, hospitality, and critical national infrastructure (CNI) sectors in a recently discovered cyber espionage and financially motivated operation dubbed "Operation Deceptive Prospect."
Active since at least 2022, RomCom has a history of blending espionage with cybercrime, often targeting governmental and military entities, particularly those connected to Ukrainian affairs and NATO.
Their latest campaign, uncovered by Bridewell's Cyber Threat Intelligence (CTI) team in March 2025, showcases a cunning technique: exploiting externally facing customer feedback portals to deliver phishing emails to customer service representatives.

These emails, crafted with convincing personas and complaints about issues such as stolen luggage or substandard airport facilities, contain malicious links disguised as Google Drive or Microsoft OneDrive files, ultimately leading to the deployment of a sophisticated executable downloader masquerading as a PDF.
Evolving Malware and Zero-Day Exploits Highlight RomCom's Technical Prowess
RomCom's technical arsenal has evolved significantly, with its malware, including the RomCom backdoor, progressing to stealthier variants such as RomCom 4.0 (PEAPOD) and the latest SnipBot (RomCom 5.0), identified as early as December 2023.
SnipBot introduces advanced obfuscation techniques, anti-sandboxing measures, and an expanded set of 27 commands for data exfiltration and granular control over infected systems.
The group has also demonstrated proficiency in exploiting zero-day vulnerabilities, notably chaining CVE-2024-9680 (a use-after-free flaw in Mozilla Firefox) and CVE-2024-49039 (a Windows privilege escalation flaw) in late 2024 to carry out zero-click attacks across Europe and North America.
In "Operation Deceptive Prospect," the infection chain leverages multiple redirection stages through domains hosted on Amazon S3 via Rebrandly and intermediate URL shorteners such as opn.to, before landing on threat actor-controlled payload hosting sites mimicking OneDrive.

The final payload, an executable signed with a likely stolen certificate from a dissolved UK-based company, is retrieved from Mediafire and exhibits potential defense evasion tactics, such as checking the RecentDocs registry key, a technique previously linked to SnipBot by Palo Alto Networks' Unit 42 research.
According to the report, this campaign's social engineering tactics heavily exploit trust, with emails following a structured complaint format and incorporating intimidation by threatening escalation within tight deadlines.
The use of AI-generated content is suspected due to formulaic language and formatting anomalies, underscoring RomCom's adaptability in crafting believable lures.
Nearly 100 domains mimicking cloud storage services have been identified, predominantly using generic top-level domains such as .click and .live, hosted on bulletproof infrastructure such as HZ Hosting and AEZA Group Ltd.
While static and dynamic analysis of the payloads shows limited overt malicious behavior, the overlap with RomCom's known tactics and ESET's detection as Win32/TrojanDownloader.RomCom.A suggest a deeper threat requiring further investigation.
Organizations are urged to scrutinize customer feedback channels, monitor for suspicious domains, and enhance endpoint detection to mitigate this evolving threat from a group suspected of aligning with Russian state interests.
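A defender-side triage check built from the indicators described above (cloud-storage lookalike hosts on .click/.live domains, the Rebrandly and opn.to shortener hops, and an executable disguised as a PDF), as an added Python example that is not part of the Bridewell report or this article; the allow-list of legitimate hosts, the flag names and the sample complaint text are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: illustrative allow-list of the vendors' own hosts for the brands the lures imitate.
LEGIT_HOSTS = {"drive.google.com", "onedrive.live.com", "1drv.ms", "www.mediafire.com"}
BRAND_WORDS = ("onedrive", "1drv", "googledrive", "google-drive", "drive-google", "mediafire")
SHORTENERS = {"opn.to", "rebrand.ly"}   # redirection hops named in the campaign write-up
RISKY_TLDS = {"click", "live"}          # gTLDs the report says dominate the lookalike domains
URL_RE = re.compile(r"https?://[^\s<>]+")
DOUBLE_EXT_RE = re.compile(r"\.pdf\.(exe|scr|com|bat)$", re.IGNORECASE)

def classify_url(url: str) -> list[str]:
    """Return the indicators that make one URL suspicious (empty list = nothing found)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if host in SHORTENERS:                       # intermediate stage, not the final destination
        flags.append("url-shortener")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        flags.append(f"risky-tld:.{tld}")
    # Brand name in the host but not the vendor's own domain: lookalike payload hosting.
    if any(word in host for word in BRAND_WORDS) and host not in LEGIT_HOSTS:
        flags.append("cloud-storage-lookalike")
    if DOUBLE_EXT_RE.search(parsed.path):        # "document.pdf.exe" style downloader
        flags.append("exe-masquerading-as-pdf")
    return flags

def scan_feedback(text: str) -> dict[str, list[str]]:
    """Map every suspicious URL in a feedback-form or email body to its indicators."""
    return {url: flags for url in URL_RE.findall(text) if (flags := classify_url(url))}

# Constructed sample complaint in the style the article describes (not a real lure).
SAMPLE_FEEDBACK = """Dear team, my luggage was lost at your airport and nobody helped me.
Photos of the damage: https://onedrive-share.click/complaint/photos.pdf.exe
Receipt: https://opn.to/abc123
Original booking confirmation: https://drive.google.com/file/d/XYZ/view
Resolve this within 48 hours or I will escalate to the regulator."""

if __name__ == "__main__":
    for url, flags in scan_feedback(SAMPLE_FEEDBACK).items():
        print(url, "->", ", ".join(flags))
```

Hits from a feedback portal can be routed to a review queue before the message reaches a customer service agent, which is the control point the report recommends scrutinizing.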