RomCom
RomCom is a remote access trojan/backdoor malware family associated with the Russia-aligned threat actor tracked as Storm-0978, Void Rabisu, Tropical Scorpius, and UNC2596 (the reporting quoted further down also uses the name Nebulous Mantis). Public reporting describes it as a versatile RAT used for both espionage and financially motivated operations, including data exfiltration, credential theft, lateral movement, and ransomware deployment. The family has evolved over time; newer iterations and related variants include SnipBot and SingleCamper, with SnipBot described as a RomCom 5.0 variant.
Observed delivery vectors include trojanized installers for legitimate software such as Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, and Signal; spear-phishing emails carrying malicious Office documents; fake-update chains via SocGholish/FAKEUPDATE; and weaponized WinRAR archives exploiting CVE-2025-8088. RomCom-linked activity also exploited CVE-2023-36884 via crafted Microsoft Word documents, and later campaigns chained Firefox and Windows zero-days. Reported targeting covers government, military, defense, telecommunications, finance, manufacturing, logistics, health, digital services, and critical infrastructure organizations, especially in Ukraine, Europe, and North America, and entities that support Ukraine.
Reported capabilities include HTTPS-based C2 communications; command execution; file upload and download; drive and directory enumeration; process listing; targeted document exfiltration; SOCKS proxy and SSH tunneling; storage of encrypted payloads in the registry; COM hijacking for persistence, with code execution inside explorer.exe; anti-sandbox and anti-analysis checks; and signed initial-stage downloaders. In one documented SnipBot intrusion, operators carried out hands-on-keyboard activity and internal network discovery, and attempted exfiltration using renamed copies of legitimate tools, including AD Explorer, WinRAR, and PuTTY scp.
Infrastructure and indicators reported with high confidence (shown defanged) include the domains xeontime[.]com, drvmcprotect[.]com, linedrv[.]com, drv2ms[.]com, ilogicflow[.]com, campanole[.]com, melamorri[.]com, gohazeldale[.]com, srlaptop[.]com, imprimerie-agp[.]com, orlandoscreenenclosure[.]net, basilic[.]info, ozivoice[.]com, solarrayes[.]com, and carnesmemdesa[.]com; the IPs 91.92.250[.]240, 91.92.254[.]54, 91.92.254[.]234, 91.92.250[.]106, 79.141.170[.]34, and 91.92.250[.]104; the mutex SnipMutex; the registry paths HKCU\SOFTWARE\AppDataSoft\Software and HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32 (the latter is the COM-hijack persistence key); and the file names msedge.dll, keyprov.dll, config-pdf.dll, single.dll, ApbxHelper.exe, Complaint.exe, socks5.exe, ms-proxy.exe, svcnet.exe, and plink.exe. Several of the file names (msedge.dll, plink.exe) collide with legitimate software and should not be treated as indicators on their own.
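The indicators above only become useful once they are matched against telemetry with the right tokenisation. The following Python is an added example, not code from the original page or from any vendor report: it refangs the page's domains, IPs, mutex, registry paths and file names and runs them over a handful of constructed log lines (Sysmon-style registry events, DNS and firewall records; none are real). Whole-token matching avoids firing on superstrings such as notbasilic.info or 191.92.250.240, the HKU\<SID> spelling Sysmon uses for the current user's hive is folded to HKCU, and bare file-name hits are treated as low confidence because names like msedge.dll and plink.exe also belong to legitimate software. The log format, field names and sample hosts are assumptions.

```python
import re

# Indicators as listed on this page, kept defanged. The telemetry lines
# further down are constructed for this example and are not real events.
DOMAINS = [
    "xeontime[.]com", "drvmcprotect[.]com", "linedrv[.]com", "drv2ms[.]com",
    "ilogicflow[.]com", "campanole[.]com", "melamorri[.]com", "gohazeldale[.]com",
    "srlaptop[.]com", "imprimerie-agp[.]com", "orlandoscreenenclosure[.]net",
    "basilic[.]info", "ozivoice[.]com", "solarrayes[.]com", "carnesmemdesa[.]com",
]
IPS = ["91.92.250[.]240", "91.92.254[.]54", "91.92.254[.]234",
       "91.92.250[.]106", "79.141.170[.]34", "91.92.250[.]104"]
MUTEXES = ["SnipMutex"]
REGISTRY_PATHS = [
    r"HKCU\SOFTWARE\AppDataSoft\Software",
    r"HKCU\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32",
]
# Weak on their own: msedge.dll and plink.exe are also legitimate file names.
FILENAMES = ["msedge.dll", "keyprov.dll", "config-pdf.dll", "single.dll",
             "ApbxHelper.exe", "Complaint.exe", "socks5.exe", "ms-proxy.exe",
             "svcnet.exe", "plink.exe"]
LOW_CONFIDENCE = {"filename"}


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def token_re(value: str, before: str = r"[\w-]", after: str = r"[\w-]") -> re.Pattern:
    # Whole-token match: "basilic.info" must not fire on "notbasilic.info",
    # and "91.92.250.240" must not fire on "191.92.250.240".
    return re.compile(rf"(?<!{before}){re.escape(value)}(?!{after})", re.IGNORECASE)


RULES = (
    [("domain", refang(d), token_re(refang(d))) for d in DOMAINS]
    + [("ip", refang(i), token_re(refang(i), r"[\d.]", r"[\d.]")) for i in IPS]
    + [("mutex", m, token_re(m)) for m in MUTEXES]
    + [("filename", f, token_re(f, r"[\w.-]")) for f in FILENAMES]
)


def normalize_registry(path: str) -> str:
    # Sysmon writes HKCU keys as HKU\<user SID>\...; fold both spellings to HKCU.
    path = re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.IGNORECASE)
    path = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", path, flags=re.IGNORECASE)
    return path.lower()


REGISTRY_SET = {normalize_registry(p) for p in REGISTRY_PATHS}
TARGET_OBJECT = re.compile(r"TargetObject=(\S+)")


def match_line(line: str) -> list:
    """Return [(kind, value), ...] for every indicator found in one log line."""
    hits = [(kind, value) for kind, value, rx in RULES if rx.search(line)]
    m = TARGET_OBJECT.search(line)
    if m and normalize_registry(m.group(1)) in REGISTRY_SET:
        hits.append(("registry", m.group(1)))
    return hits


def is_actionable(hits: list) -> bool:
    # Escalate only when something stronger than a bare file name matched.
    return any(kind not in LOW_CONFIDENCE for kind, _ in hits)


# Constructed sample telemetry (assumed field layout; hosts and SIDs are invented).
SAMPLE_EVENTS = [
    "dns client=10.10.4.21 qname=xeontime.com type=A",
    "fw src=10.10.4.21 dst=91.92.250.240:443 action=allow",
    r"sysmon EventID=13 Image=C:\Users\alice\AppData\Local\Temp\ApbxHelper.exe"
    r" TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Classes\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}\InprocServer32"
    r" Details=C:\Users\alice\AppData\Local\keyprov.dll",
    "dns client=10.10.4.22 qname=notbasilic.info type=A",
    "fw src=10.10.4.22 dst=191.92.250.240:443 action=allow",
    r"sysmon EventID=7 Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe"
    r" ImageLoaded=C:\Program Files\Microsoft\Edge\Application\msedge.dll",
]


def scan(events=SAMPLE_EVENTS) -> list:
    """Return (index, hits, actionable) for each event."""
    out = []
    for i, line in enumerate(events):
        hits = match_line(line)
        out.append((i, hits, is_actionable(hits)))
    return out


if __name__ == "__main__":
    for i, hits, actionable in scan():
        print(f"event {i}: actionable={actionable} hits={hits}")
```

Events 0 to 2 escalate (domain, IP, and the COM-hijack CLSID key plus two file names); events 3 and 4 are the near-miss superstrings and match nothing; event 5 hits only msedge.dll under Program Files and stays low confidence.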
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
CVE-2023-36884: “RomCom is abusing a zero-day vulnerability, CVE-2023-36884, involving specially crafted Microsoft Word documents.” / “The threat actor uses trojanized versions of popular software — including products from Adobe, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass and Signal — to install RomCom backdoors.”
Groups observed using it
5 distinct threat actors attributed by public researchers.
The threat actor uses trojanized versions of popular software — including products from Adobe, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass and Signal — to install RomCom backdoors.
"RomCom malware used the SocGholish fake update loader to deliver Mythic Agent to a U.S. civil engineering firm."
...Void Rabisu APT group is using a remote access trojan called RomCom that uses HTTPS for C&C communications
"...the group’s primary weapon of choice is the RomCom remote access trojan (RAT)—a versatile tool enabling both data exfiltration and ransomware deployment."
...tactical similarities between the threat actors behind the RomCom RAT and a cluster ... delivering a loader dubbed TransferLoader.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
“almost zero-interaction infection through malvertising.”
“Void Rabisu has been using Google Ads to entice their targets to visit the lure sites…” / “RomCom uses malvertising to redirect targets to lure websites…”
The threat actor uses trojanized versions of popular software — including products from Adobe, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass and Signal — to install RomCom backdoors.
Initial Access
3 techniques
Microsoft is warning about a phishing campaign from the threat actor known as RomCom that is targeting the defense industry and government entities in Europe and North America.
RomCom is abusing a zero-day vulnerability, CVE-2023-36884, involving specially crafted Microsoft Word documents.
Infection Vector: Delivered via email containing links that redirect to the SnipBot downloader.
Execution
2 techniques
RomCom is abusing a zero-day vulnerability, CVE-2023-36884, involving specially crafted Microsoft Word documents.
The threat actor uses trojanized versions of popular software — including products from Adobe, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass and Signal — to install RomCom backdoors.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
4 techniques
“they also utilize binary padding techniques… (we've seen a file with 1.7 gigabytes)” / “null bytes are appended to the file…”
“RomCom 3.0 binaries are protected with VMProtect.” / “RomCom uses VMProtect”
The emails pretended to be invitations to the current NATO Summit in Lithuania.
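Binary padding of the kind quoted above defeats two common controls at once: a file inflated to 1.7 GB exceeds most sandbox and AV upload limits, and every padding length yields a different full-file hash, so hash-based IOC sharing stops matching. The following Python is added here as an example and is not code from the original page or from any vendor. It measures the trailing-null run by reading backwards from the end of the file in 1 MiB chunks, so a multi-gigabyte sample is never held in memory, and hashes only the unpadded core, which stays stable across padding variants. The sample blobs and the thresholds are constructed assumptions, not real RomCom artifacts.

```python
import hashlib
import io
import os

CHUNK = 1 << 20  # 1 MiB read size


def trailing_null_run(fobj, chunk: int = CHUNK) -> int:
    """Count trailing 0x00 bytes by reading backwards from EOF in chunks,
    so a multi-gigabyte padded file is never loaded into memory at once."""
    fobj.seek(0, os.SEEK_END)
    pos = fobj.tell()
    run = 0
    while pos > 0:
        step = min(chunk, pos)
        pos -= step
        fobj.seek(pos)
        block = fobj.read(step)
        kept = block.rstrip(b"\x00")
        run += len(block) - len(kept)
        if kept:  # reached a non-null byte: the padding run ends here
            break
    return run


def sha256_prefix(fobj, length: int, chunk: int = CHUNK) -> str:
    """SHA-256 over the first `length` bytes, i.e. the file with padding removed."""
    fobj.seek(0)
    h = hashlib.sha256()
    remaining = length
    while remaining > 0:
        block = fobj.read(min(chunk, remaining))
        if not block:
            break
        h.update(block)
        remaining -= len(block)
    return h.hexdigest()


def padding_report(fobj, min_pad: int = 1 << 20, min_ratio: float = 0.5) -> dict:
    """Flag a file as padded when at least min_pad trailing nulls make up at
    least min_ratio of it. Both thresholds are assumptions; tune them to your
    corpus, since legitimate PEs often end with a short run of nulls."""
    fobj.seek(0, os.SEEK_END)
    size = fobj.tell()
    pad = trailing_null_run(fobj)
    core_len = size - pad
    ratio = pad / size if size else 0.0
    return {
        "size": size,
        "padding": pad,
        "core_len": core_len,
        "padded": pad >= min_pad and ratio >= min_ratio,
        "sha256_full": sha256_prefix(fobj, size),
        "sha256_core": sha256_prefix(fobj, core_len),
    }


def padding_report_bytes(data: bytes, **kw) -> dict:
    return padding_report(io.BytesIO(data), **kw)


# Constructed stand-in for a dropper: not a real PE and not malware, just a
# 16 KiB blob ending in a non-null byte so the padding count is exact.
CORE = b"MZ" + bytes(range(256)) * 64
SAMPLES = {
    "padded_3mib": CORE + b"\x00" * (3 << 20),
    "padded_5mib": CORE + b"\x00" * (5 << 20),  # same core, different size and full hash
    "unpadded": CORE,
}


def demo() -> dict:
    return {name: padding_report_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: size={r['size']} padding={r['padding']} "
              f"padded={r['padded']} core_sha256={r['sha256_core'][:16]}...")
```

The two padded samples report different full-file hashes but the same core hash as the unpadded blob, which is the value worth sharing as an indicator when padding is in play.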
Defense Impairment
1 technique
This story includes detections for changes to 'ChannelAccess' and 'CustomSD' registry values, as well as the use of tools like 'sc.exe sdset', 'icacls' and 'subinacl' to modify securable objects (files, registry, services, etc) permissions.
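The defense-impairment detections quoted above key on ChannelAccess/CustomSD registry changes and on sc.exe sdset, icacls and subinacl. Matching the tool name alone is noisy; what matters with sc sdset and with the event-log channel values is the security descriptor itself, so the check below parses the SDDL DACL and calls out deny ACEs and the trustees they hit. This Python is an added example, not the original page's or any vendor's rule; the Sysmon-style event lines, the sensitive-service list and the SDDL strings are constructed assumptions.

```python
import re

# Aliases for well-known SIDs that appear in SDDL trustee fields.
WELL_KNOWN_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                   "IU": "Interactive", "SU": "Service", "SY": "SYSTEM",
                   "BA": "Administrators", "SO": "Server Operators"}
# Services whose descriptor a rewrite should always surface (assumed list).
SENSITIVE_SERVICES = {"eventlog", "windefend", "sense", "wscsvc", "mpssvc",
                      "sysmon", "sysmon64"}

ACE_RE = re.compile(r"\(([^)]*)\)")
SC_SDSET_RE = re.compile(r"\bsc(?:\.exe)?\b.*?\bsdset\s+(\S+)\s+(\S+)", re.IGNORECASE)
EVENTLOG_ACL_RE = re.compile(r"TargetObject=(\S+\\(ChannelAccess|CustomSD))(?!\S)", re.IGNORECASE)
DETAILS_RE = re.compile(r"Details=(\S+)")
ACL_TOOL_RE = re.compile(r"\b(icacls|subinacl)(?:\.exe)?\b.*?(/deny|/revoke)\b", re.IGNORECASE)


def parse_dacl(sddl: str) -> list:
    """Return (ace_type, rights, trustee) for each ACE in the D: section.
    SDDL sections are O:, G:, D:, S:; ACE fields are
    type;flags;rights;object_guid;inherit_guid;trustee."""
    for section in re.split(r"(?=[OGDS]:)", sddl):
        if section.startswith("D:"):
            aces = []
            for ace in ACE_RE.findall(section):
                parts = ace.split(";")
                if len(parts) >= 6:
                    aces.append((parts[0], parts[2], parts[5]))
            return aces
    return []


def deny_trustees(sddl: str) -> list:
    """Human-readable trustees of every deny ACE in the DACL."""
    return [WELL_KNOWN_SIDS.get(sid, sid) for t, _, sid in parse_dacl(sddl) if t == "D"]


def analyze_event(line: str) -> list:
    findings = []
    m = SC_SDSET_RE.search(line)
    if m:
        service, sddl = m.group(1).lower(), m.group(2).strip("\"'")
        denies = deny_trustees(sddl)
        # A deny ACE on any service, or any rewrite of a security service's
        # descriptor, is worth a look; a plain allow-only sdset on a custom
        # service is routine administration.
        if denies or service in SENSITIVE_SERVICES:
            findings.append(("sc_sdset", service, denies))
    m = EVENTLOG_ACL_RE.search(line)
    if m:
        d = DETAILS_RE.search(line)
        # Default channel descriptors carry no deny ACEs; report the change
        # either way and attach any deny trustees for triage.
        findings.append(("eventlog_acl_change", m.group(2), deny_trustees(d.group(1) if d else "")))
    m = ACL_TOOL_RE.search(line)
    if m:
        findings.append(("acl_tool_deny", m.group(1).lower()))
    return findings


# Constructed Sysmon-style events (assumed layout); none are real telemetry.
SAMPLE_EVENTS = {
    "sdset_eventlog": r"EventID=1 Image=C:\Windows\System32\sc.exe CommandLine=sc.exe sdset eventlog "
                      r"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                      r"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "customsd_deny": r"EventID=13 Image=C:\Windows\regedit.exe "
                     r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD "
                     r"Details=O:BAG:SYD:(D;;0x1;;;WD)(A;;0xf0005;;;SY)(A;;0x5;;;BA)",
    "sdset_benign": r"EventID=1 Image=C:\Windows\System32\sc.exe CommandLine=sc.exe sdset MyAppSvc "
                    r"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)",
    "icacls_deny": r"EventID=1 Image=C:\Windows\System32\icacls.exe "
                   r'CommandLine=icacls "C:\ProgramData\Microsoft\Windows Defender" /deny Everyone:(OI)(CI)F',
    "sdshow_only": r"EventID=1 Image=C:\Windows\System32\sc.exe CommandLine=sc.exe sdshow eventlog",
}


def scan(events=SAMPLE_EVENTS) -> dict:
    return {name: analyze_event(line) for name, line in events.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name}: {findings or 'no finding'}")
```

The eventlog sdset is flagged with its deny trustees (Interactive and Service logons, which is how the service is locked out of the console), the CustomSD write is flagged with a deny for Everyone, the allow-only sdset on a custom service and the read-only sdshow produce nothing, and the icacls /deny is caught by the tool rule.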
Credential Access
1 technique
“procsys.dll – a stealer… to retrieve browser cookies…” / “steals stored credentials and browsing history…”
Discovery
4 techniques
“performs detailed network and domain discovery using tools like: netstat, nltest, arp, ping, and PowerShell-based port scans.”
“Nebulous Mantis harvests credentials with file searches (findstr “password”)…”
Lateral Movement
1 technique
Collection
3 techniques
“…stores it in predefined locations like C:\Users\Public\Music.”
“PhotoDirector.dll – a program that takes one or more screenshots…” / “RomCom can capture screenshots…”
“Once data collection is complete, Nebulous Mantis compresses user data using renamed WinRAR executables (mfc86x.exe)…”
Command and Control
5 techniques
“RomCom 3.0 commands are received as responses to HTTP POST requests…” / “RomCom uses HTTPS for C&C communications”
“After the first-stage downloader is triggered, the malware connects to a command-and-control domain (e.g., drivedefend.com) and pulls down additional payloads, including a Keyprov.dll backdoor.”
“Run AnyDesk on the victim’s machine… send the AnyDesk ID to the C&C server” / “download the AnyDesk executable…”
“RomCom listens on the port range 5554-5600 when setting up localhost sockets” / “RomCom listens on port ranges 5554 to 5600…”
“RomCom… [uses] encrypted C2 channels… Exfiltration is conducted via RomCom’s encrypted C2 channels.”
Exfiltration
1 technique
“Exfiltration is conducted via RomCom’s encrypted C2 channels.”
IOCs tracked for this family
45 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
31 sources tracked across advisories, community write-ups, and news.
Backdoor malware delivered via malicious RAR archives exploiting CVE-2025-8088 to gain initial access and execute code (e.g., by placing executables in Windows Startup folders).
Loader/backdoor malware used in spear-phishing campaigns, associated with espionage and financial crime operations.
ROMCOM is a backdoor malware typically associated with the Void Rabisu threat group, known for cybercrime and espionage activities aligned with Russian interests. It is often deployed as a final payload in targeted spear-phishing campaigns.
Malware operation observed using SocGholish as a delivery mechanism to deploy RomCom payloads, targeting US companies supporting Ukraine.