RomCom

RomCom is a Russia-linked threat actor also tracked as Storm-0978, Tropical Scorpius, UNC2596, UNC4895, CIGAR, Void Rabisu, Underground Team, and in some reporting Storm-0671. The content describes the group as operating out of Russia and as a mixed-motive actor conducting both financially motivated cybercrime and espionage, including ransomware and extortion activity alongside intelligence-collecting operations. Multiple sources in the content characterize the group as Russia-aligned; one cited assessment attributes RomCom activity with medium-to-high confidence to Russia’s GRU Unit 29155. RomCom has targeted defense industry and government entities in Europe and North America, as well as telecom and financial organizations. Additional targeting described in the content includes organizations with ties to projects supporting Ukraine, and financial, manufacturing, defense, and logistics firms in Europe and Canada. The content states the group has consistently targeted entities linked to Ukraine and its defense against Russia. The group is associated with spearphishing and highly targeted phishing campaigns, including lures themed around the Ukrainian World Congress, NATO Summit invitations, and fake job applications or CVs. It has exploited multiple zero-days in the wild. The content specifically links RomCom to exploitation of CVE-2023-36884, a Microsoft Office and Windows remote code execution vulnerability delivered through crafted Word documents, and CVE-2025-8088, a WinRAR path traversal zero-day used in July 2025 spearphishing campaigns. GTIG reporting in the content also states that CIGAR/UNC4895, publicly reported as RomCom, exploited CVE-2024-9680 and CVE-2024-49039 as zero-days in 2024. The content further notes this was at least the third time RomCom had been observed exploiting a significant zero-day in the wild. RomCom distributes malware through trojanized legitimate software and fake software updates. Software named in the content includes Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, and Signal. Delivery via SocGholish operated by TA569 is also described. Malware and tooling associated with RomCom in the content include the RomCom backdoor/RAT, Mythic agent, SnipBot, RustyClaw, and fake OneDrive loaders. Successful exploitation of CVE-2025-8088 delivered a SnipBot variant, RustyClaw, and the Mythic agent. The RomCom backdoor is described as capable of executing commands and downloading additional modules, and one reference notes use of HTTPS for command-and-control. The content also links the group to Underground ransomware, likely spread by RomCom, and notes use of Industrial Spy ransomware in financially motivated attacks. The content also includes reporting on overlaps between RomCom-related aliases and Cuba ransomware activity. Tropical Scorpius/UNC2596 is described in one cited report as linked to the Cuba attackers and use of BURNTCIGAR and signed drivers to terminate security products. Mandiant reporting in the content attributes COLDDRAW/Cuba ransomware intrusions to UNC2596. GTIG reporting separately describes CIGAR/UNC4895, also known as RomCom, as a Russian threat group conducting both financially motivated and espionage operations.