RomCom Threat Actor Evolution (2023–2025)
RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has evolved from a regional cyber-espionage group into a sophisticated hybrid threat actor. In 2025, RomCom exploited the WinRAR zero-day vulnerability CVE-2025-8088, a path traversal flaw with a CVSS score of 8.4, to deliver backdoor malware including SnipBot, RustyClaw, and Mythic Agent.
These attacks targeted financial, manufacturing, defense, and logistics sectors in Europe and Canada through spear-phishing emails disguised as job applications. The group has previously exploited other zero-day vulnerabilities, such as CVE-2023-36884 in Microsoft Word and CVE-2024-9680 in Firefox, to gain unauthorized access to systems.
RomCom's evolving tactics and use of zero-day exploits make it a significant threat to organizations worldwide.
RomCom Target Sectors and Geography
RomCom’s victimology reflects its evolution from a regional threat to a global hybrid adversary.
In 2022, the group primarily targeted Ukraine, Poland, and neighboring regions, aligning operations with Russian strategic interests. By 2023–2024, its scope widened to include defense and government organizations across Europe and North America, often using phishing lures referencing NATO or Ukrainian politics.
In 2025, RomCom moved aggressively into private industry:
- Operation Deceptive Prospect (early 2025) targeted retail, hospitality, and critical infrastructure in the UK [1].
- Later campaigns hit financial, defense, logistics, and manufacturing organizations in Europe and Canada [2].
This shift illustrates RomCom’s ability to alternate between long-term espionage against government agencies and monetization-focused operations against enterprises.
RomCom Tactics, Techniques & Procedures (TTPs): How They Operate
RomCom’s playbook spans the entire attack chain, blending social engineering, zero-day exploits, and custom malware with strong evasion practices.
Initial Access
RomCom relies heavily on social engineering and impersonation. Early entry often comes through:
- Spearphishing with decoys — Personalized emails (job applications, invoices, supplier messages, customer complaint portals where issues like stolen luggage or substandard airport facilities are “reported”) that carry malicious attachments or links. Typical decoys are a “resume” or invoice PDF that either contains a loader or launches a trojanized executable while displaying a benign decoy to the user.
  Common artifacts:
  - .exe disguised as .pdf, weaponized Office docs, password-protected archives (.rar, .zip) with a decoy file [3].
  - URLs disguised as Google Drive or Microsoft OneDrive file links, for example [4]:
    - gdrive-share[.]online
    - 1dv365[.]live
    Direct example: hxxps://gdrive-share[.]online/workgroup/docs/c0fTJ
  Here is an example of an email that RomCom is known to use to gain initial access (where the target is the retail/hospitality sector):
  Subject: Complaint About Staff Performance
- Compromised customer-facing portals & uploads — In 2025 RomCom began abusing feedback/upload forms and similar channels to deposit malicious archives or links, bypassing some email defenses that focus on inbound mail [4].
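The artifacts above (an executable hiding behind a document name, an archive carrying a decoy, a file-sharing look-alike domain) are all things a mail gateway or a SOC triage script can check mechanically. The following is an added example, not code from the original article or from any vendor: the two look-alike hostnames and the direct-example URL are the ones listed above, while the attachment samples, the brand-token table and the LEGIT_SUFFIXES list are constructed assumptions for the demonstration.

```python
"""Gateway-style triage of phishing lure artifacts (added example, not from the article)."""
import re
from urllib.parse import urlparse

# Leading bytes of the container types named in the artifact list.
MAGIC = {
    b"MZ": "pe",                # Windows PE executable
    b"%PDF": "pdf",
    b"Rar!\x1a\x07": "rar",     # covers RAR4 and RAR5 signatures
    b"PK\x03\x04": "zip",       # plain ZIP and OOXML Office documents
}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".dll")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(exe|scr|com|pif)$", re.I)

# Assumed: hostnames that legitimately belong to the impersonated brands.
LEGIT_SUFFIXES = ("google.com", "live.com", "microsoft.com", "1drv.ms", "sharepoint.com")
# Assumed: substrings that suggest brand impersonation in a non-brand hostname.
BRAND_TOKENS = {"gdrive": "Google Drive", "onedrive": "OneDrive", "1drv": "OneDrive",
                "1dv": "OneDrive", "365": "Microsoft 365"}


def sniff(first_bytes: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    for sig, kind in MAGIC.items():
        if first_bytes.startswith(sig):
            return kind
    return "unknown"


def attachment_findings(filename: str, first_bytes: bytes) -> list[str]:
    """Return the reasons an attachment matches the decoy patterns (empty if none)."""
    findings = []
    name = filename.lower()
    kind = sniff(first_bytes)
    if DOUBLE_EXT.search(name):
        findings.append("double extension hides an executable")
    if kind == "pe" and not name.endswith(EXECUTABLE_EXT):
        findings.append("PE content under a non-executable name")
    if kind in ("rar", "zip"):
        findings.append("archive: check members for a decoy beside a payload")
    return findings


def refang(url: str) -> str:
    """Turn hxxps://host[.]tld notation back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def url_findings(url: str) -> list[str]:
    """Flag hostnames that borrow a file-sharing brand name without belonging to that brand."""
    host = (urlparse(refang(url)).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return []
    brands = {brand for token, brand in BRAND_TOKENS.items() if token in host}
    return [f"look-alike of {brand}: {host}" for brand in sorted(brands)]


# Constructed samples: attachments as (name, leading bytes) and links from a mail body.
SAMPLE_ATTACHMENTS = [
    ("resume.pdf.exe", b"MZ\x90\x00"),              # constructed
    ("invoice.pdf", b"%PDF-1.7"),                   # constructed, benign
    ("application.rar", b"Rar!\x1a\x07\x01\x00"),   # constructed
]
SAMPLE_URLS = [
    "hxxps://gdrive-share[.]online/workgroup/docs/c0fTJ",   # from the article
    "hxxps://1dv365[.]live/share/x",                         # host from the article, path constructed
    "https://drive.google.com/file/d/constructed",           # benign
]


def triage(attachments, urls) -> list:
    """Collect every finding as (item, finding) pairs."""
    report = []
    for name, head in attachments:
        report += [(name, f) for f in attachment_findings(name, head)]
    for url in urls:
        report += [(url, f) for f in url_findings(url)]
    return report


if __name__ == "__main__":
    for item, finding in triage(SAMPLE_ATTACHMENTS, SAMPLE_URLS):
        print(f"{item}: {finding}")
```

The content check deliberately ignores the filename: a loader renamed to `.pdf` still starts with `MZ`. Password-protected archives cannot be opened at the gateway, which is why the example only flags them for inspection rather than trying to look inside.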
CVEs Targeted by RomCom Threat Actor: Identifying Vulnerabilities Under Attack
RomCom distinguishes itself by repeatedly leveraging unpublished vulnerabilities, a capability rarely seen outside advanced APTs.
- CVE-2023-36884 — Microsoft Word RCE used in June 2023.
  Microsoft observed in-the-wild exploitation of a Microsoft Office/Windows HTML RCE (CVE-2023-36884) in phishing campaigns in mid-2023; Microsoft’s post ties the campaign to the actor cluster tracked as Storm-0978 (a RomCom alias) [5].
- CVE-2024-9680 + CVE-2024-49039 — Firefox/Thunderbird + Windows chain (Oct–Nov 2024).
  Published reports describe a chained, zero-click exploit that combined a Mozilla use-after-free (CVE-2024-9680) with a Windows privilege-escalation flaw (CVE-2024-49039) to deliver a RomCom backdoor [6]; multiple summaries and NVD entries confirm the CVE assignments and active exploitation. Patches and advisories were released between early-to-mid October and November 2024.
- CVE-2025-8088 — WinRAR path traversal (July/Aug 2025) delivered via job-themed phishing archives.
  Researchers reported a WinRAR directory-traversal zero-day (CVE-2025-8088) exploited in social-engineering campaigns packaged as job-application RAR archives; published reports link RomCom to active exploitation [7].
Three distinct zero-days across three years reflect either an internal exploit-development pipeline or privileged access to exploit brokers.
RomCom’s SlipScreen Loader Malware (2025)
Once inside, RomCom uses multi-stage loaders and evasive techniques to ensure persistence on compromised systems.
One of its key loaders, SlipScreen, employs advanced evasion strategies to avoid detection, while maintaining control over the system.
Name: SlipScreen
Evasion Mechanism: Recent User Activity Validation
SlipScreen checks the Windows Registry to verify that at least 55 recent documents are recorded. This confirms that the malware is running in an environment with real user activity, which helps it avoid sandboxes, since those are often devoid of such activity.
If the threshold isn’t met, SlipScreen halts execution to avoid detection.
Recent Documents registry path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Here is the code fragment (decompiler output) from SlipScreen where it prepares the RegOpenKeyExA call it uses to look up this registry key:
__builtin_strcpy(dest: &var_46d, src: "RegOpenKeyExA")
This key stores the list of recently opened documents. SlipScreen uses it to confirm user interaction and to decide whether it is running in a sandbox.
Evasion Mechanism: Shellcode Decryption & Execution
Once the environment is validated, SlipScreen proceeds to decrypt and load shellcode directly into memory. This allows it to evade file-based detection methods by avoiding writing to the disk. The shellcode then establishes communication with the C2 server for further instructions.
Persistence via COM Hijacking
To maintain persistence, SlipScreen hijacks COM objects to ensure that it automatically executes when explorer.exe restarts.
This technique leverages registry entries to register malicious DLLs to be loaded by system processes, making detection more difficult.
SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32
These registry keys control COM object activation, ensuring that the malicious DLL is loaded automatically when the system reboots or when explorer.exe restarts, keeping the malware active and undetected.
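Both SlipScreen behaviours described above leave traces in the current user's registry hive: the RecentDocs key it counts, and a per-user CLSID\InprocServer32 key that redirects COM activation to a DLL (a per-user registration under HKCU takes precedence over the machine-wide one for that user, which is what makes the hijack work and also what makes it huntable). The script below is an added example, not code from the article or from any vendor. It assumes the input is a Registry Editor 5.00 export of HKCU (as produced by `reg export`), that a "recent document" is a numbered value directly under RecentDocs, and that 55 is the threshold the article reports; the CLSID is the one quoted above, while the DLL path and the entry counts in the sample are constructed.

```python
"""Hunt SlipScreen's registry touchpoints in a .reg export (added example, not from the article)."""
import re

RECENT_DOCS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
SLIPSCREEN_THRESHOLD = 55   # recent-document count the article says SlipScreen requires
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Per-user in-process COM servers override the machine-wide registration for that user.
USER_INPROC_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}}; hex continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def recent_docs_count(keys: dict) -> int:
    """Count numbered MRU entries under RecentDocs (MRUListEx itself is not an entry)."""
    return sum(1 for name in keys.get(RECENT_DOCS, {}) if name.isdigit())


def passes_user_activity_check(keys: dict) -> bool:
    """True if this profile would satisfy SlipScreen's >= 55 recent-documents gate."""
    return recent_docs_count(keys) >= SLIPSCREEN_THRESHOLD


def unquote(raw: str) -> str:
    """Strip quotes and .reg backslash escaping from a REG_SZ value."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def find_user_com_overrides(keys: dict) -> list:
    """List per-user InprocServer32 registrations and whether each points into a user-writable path."""
    hits = []
    for path, values in keys.items():
        m = USER_INPROC_RE.match(path)
        if not m:
            continue
        dll = unquote(values.get("(Default)", ""))
        hits.append({
            "clsid": m.group(1).lower(),
            "dll": dll,
            "user_writable_path": any(tok in dll.lower() for tok in USER_WRITABLE),
        })
    return hits


def make_sample(n_docs: int) -> str:
    """Constructed .reg export: n_docs recent documents, one per-user COM override, one HKLM control."""
    docs = "".join(f'"{i}"=hex:00,00\n' for i in range(n_docs))
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{RECENT_DOCS}]\n"
        '"MRUListEx"=hex:00,00,00,00,\\\n  ff,ff,ff,ff\n'
        + docs +
        "\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{2155fee3-2419-4373-b102-6843707eb41f}\\InprocServer32]\n"
        '@="C:\\\\Users\\\\analyst\\\\AppData\\\\Roaming\\\\Update\\\\shell.dll"\n'   # constructed path
        '"ThreadingModel"="Apartment"\n'
        "\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000001}\\InprocServer32]\n"
        '@="C:\\\\Windows\\\\System32\\\\constructed.dll"\n'
    )


if __name__ == "__main__":
    keys = parse_reg(make_sample(12))
    print("recent docs:", recent_docs_count(keys), "passes gate:", passes_user_activity_check(keys))
    for hit in find_user_com_overrides(keys):
        print("per-user COM server:", hit)
```

Two uses follow from the same parse: run `passes_user_activity_check` against an export from your analysis VM to see whether a loader with this gate would even detonate there, and run `find_user_com_overrides` across user hives during an incident to surface CLSIDs whose in-process server lives under AppData or another user-writable directory.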
DustyHammock & ShadyHammock Malware
The RomCom threat group uses DustyHammock and ShadyHammock as complementary backdoors in its espionage campaigns, relying on them for persistence and evasion rather than as single-stage implants.
- DustyHammock, being Rust-based, is harder to analyze and serves as the core backdoor for long-term C2 communication and remote command execution after the initial infection.
- ShadyHammock, a C++ component, specializes in stealth: it loads the main payload, the XOR-encoded SingleCamper RAT DLL, directly from the Windows Registry into memory, minimizing disk-based indicators.
This modular, multi-language approach ensures redundancy, complicates defensive measures, and establishes a stable, covert platform for exfiltrating strategic data from targeted entities in countries like Ukraine and Poland.
SnipBot Backdoor (also known as RomCom 5.0 or SingleCamper)
Malware sample SHA-256: 5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118
SnipBot is the highly evolved and sophisticated Remote Access Trojan (RAT) central to the RomCom threat group's espionage operations, designed for extreme stealth and long-term control. Its primary defensive measure is custom, advanced code obfuscation, specifically a unique window message-based control-flow obfuscation algorithm.
This technique splits the malware's execution logic into numerous unordered blocks, triggered only by custom Windows messages, creating a highly complex and non-linear structure that effectively defeats automated sandbox and static analysis tools.
The initial multi-stage infection chain begins with a downloader, often a signed executable (using a stolen/fraudulent valid code-signing certificate) disguised as a benign document like a PDF or resume, which then fetches the SnipBot module (usually a DLL) from remote, sometimes transient, C2 infrastructure like the temp.sh file-sharing service.
Once deployed, SnipBot's core capability is to let attackers execute arbitrary commands via a hidden cmd.exe process and to download supplemental modules such as Plink.exe for secure tunneling.
For reconnaissance, it collects key victim data (computer/domain name, MAC address, Windows build number) and transmits it to the C2 over HTTPS (port 443), allowing the threat actors to vet the compromised machine for potential human-operated exploitation.
Post-Exploitation
After gaining persistence, RomCom pivots for either espionage or disruption:
- Credential Theft: RomCom steals credentials through SAM hive dumping to escalate privileges and deepen system access.
- Lateral Movement: Using tools like Impacket’s SMBExec and WMIExec, RomCom spreads across networks to infect additional systems.
- Reconnaissance: RomCom gathers system details with systeminfo, nltest, and custom tools to map the victim's environment and identify valuable assets.
- Outcomes:
  - Espionage: RomCom conducts covert exfiltration of sensitive documents and intelligence, often aligning with state-sponsored espionage goals.
  - Ransomware: RomCom deploys Industrial Spy, Underground, and Cuba ransomware in double extortion campaigns, demanding ransom and threatening public data leaks.
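Each of the three post-exploitation steps above (SAM hive dumping, SMBExec/WMIExec lateral movement, and the resulting process activity) produces a recognisable shape in Windows event logs, which is what a detection engineer would key on. The following is an added example, not code from the article or from any vendor. It assumes events arrive as dicts whose keys mirror the Security log (4688 process creation, including ParentProcessName) and System log (7045 service installation) fields, that the command lines follow the well-documented shapes Impacket's smbexec and wmiexec leave behind and that of a `reg save` of the SAM hive; every value in the sample batch is constructed.

```python
"""Detection logic for SAM dumping and Impacket-style lateral movement (added example, not from the article)."""
import re

# Command output redirected to the host's own admin share over loopback is a hallmark of both tools.
LOOPBACK_ADMIN_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\", re.I)
SMBEXEC_MARKERS = ("%comspec%", "/q /c", "__output")          # compared against a lower-cased ImagePath
SAM_EXPORT = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I)


def classify(ev: dict) -> list[str]:
    """Return the ATT&CK-tagged findings an event triggers (empty for benign events)."""
    tags = []
    if ev.get("EventID") == 7045:
        image = ev.get("ImagePath", "").lower()
        if all(m in image for m in SMBEXEC_MARKERS) and LOOPBACK_ADMIN_SHARE.search(image):
            tags.append("T1021.002 smbexec-style service: cmd.exe output written to loopback admin share")
    elif ev.get("EventID") == 4688:
        parent = ev.get("ParentProcessName", "").lower()
        cmd = ev.get("CommandLine", "")
        if parent.endswith("\\wmiprvse.exe") and LOOPBACK_ADMIN_SHARE.search(cmd):
            tags.append("T1047 wmiexec-style process: WmiPrvSE.exe child redirecting to loopback admin share")
        if SAM_EXPORT.search(cmd):
            tags.append("T1003.002 SAM hive exported with reg save")
    return tags


def hunt(events) -> list:
    """Run classify over a batch and return (event id, finding) pairs."""
    return [(ev["id"], tag) for ev in events for tag in classify(ev)]


# Constructed sample batch: three malicious records and two benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 7045, "ServiceName": "SvcSample01",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat "
                  r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"id": 2, "EventID": 4688, "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"id": 3, "EventID": 4688, "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save HKLM\SAM C:\Windows\Temp\s.hiv"},
    {"id": 4, "EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"id": 5, "EventID": 7045, "ServiceName": "VendorUpdater",
     "ImagePath": r"C:\Program Files\Vendor\updater.exe"},
]


if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

The loopback admin-share redirection is the most durable signal here: service names and temp-file names are trivially changed, but both tools need somewhere on the target to collect command output, and `\\127.0.0.1\ADMIN$` or `C$` is what they use by default. Pair these rules with 4688 command-line auditing enabled, since without it the CommandLine field is empty and the WMI and SAM checks cannot fire.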
RomCom Evolution in 2024–2025: Malware Arsenal
By 2024, RomCom had fully embraced its hybrid nature. It ran parallel campaigns: prolonged espionage against government entities and monetization-driven breaches against enterprises. Campaigns were no longer regional; they spanned North America, Europe, and beyond.
The group also invested in an expanding malware arsenal:
- MeltingClaw / RustyClaw — phishing downloaders introduced in 2024.
- DustyHammock / ShadyHammock — stealthy backdoors for reconnaissance.
- SlipScreen — first-stage loader for SnipBot, evading sandboxes.
- SnipBot — evolved RomCom RAT with stronger modularity and stealth.
Campaigns highlighted continual adaptation. Operation Deceptive Prospect abused trusted web feedback portals, while the July 2025 WinRAR campaign exploited CVE-2025-8088 through carefully crafted job lures. Archives hid malicious payloads, achieved persistence via DLL hijacking and COM abuse, and attempted stealth deployment.
Even when unsuccessful, these campaigns proved RomCom’s agility in weaponizing new vulnerabilities.
Collaboration and Attribution
RomCom does not operate in isolation.
Researchers revealed overlap with UNK_GreenSec, with both clusters sharing [8]:
- The TransferLoader malware loader.
- Compromised MikroTik routers running REM Proxy for phishing traffic.
RomCom also maintained strong ties to Cuba ransomware, sharing infrastructure and payload delivery. Its blend of espionage-aligned targeting with ransomware deployment suggests a Russia-linked ecosystem where state interests and cybercrime intersect.
MITRE ATT&CK Mapping of RomCom Cyber KillChain
| Stage | Technique | MITRE ID |
|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 |
| Initial Access | Drive-by Compromise (Trojanized software, rogue portals) | T1189 |
| Exploitation | Exploitation for Client Execution (0-days: CVE-2023-36884, CVE-2024-9680, CVE-2025-8088) | T1203 |
| Execution | Malicious File Execution (RAR/PDF droppers) | T1204.002 |
| Persistence | DLL Search Order Hijacking | T1574.001 |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 |
| Defense Evasion | Code Signing Abuse | T1553.002 |
| Defense Evasion | Virtualization/Sandbox Evasion (RecentDocs check) | T1497.001 |
| Credential Access | Security Account Manager (SAM) Dumping | T1003.002 |
| Lateral Movement | SMB/Windows Admin Shares (SMBExec) | T1021.002 |
| Lateral Movement | WMI (WMIExec) | T1047 |
| Discovery | System Information Discovery | T1082 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Impact | Data Encrypted for Impact (Ransomware) | T1486 |
How Does Picus Help Defend Against the RomCom Threat Actor’s Attacks?
The Picus Security Validation Platform safely simulates the RomCom actor’s tactics, techniques, and procedures using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them.
You can also test your defenses against hundreds of other malware variants, such as SnipBot, the SlipScreen loader, and RustyClaw, within minutes with a 14-day free trial of the Picus Platform.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 87432 | WinRAR CVE-2025-8088 Path Traversal Vulnerability Download Threat | Network Infiltration |
| 65388 | WinRAR CVE-2025-8088 Path Traversal Vulnerability Email Threat | Email Infiltration |
| 34843 | Tropical Scorpius Threat Group Campaign Malware Download Threat | Network Infiltration |
| 30763 | Tropical Scorpius Threat Group Campaign Malware Email Threat | Email Infiltration |
| 75695 | SnipBot Backdoor Malware Download Threat | Network Infiltration |
| 62254 | SnipBot Backdoor Malware Email Threat | Email Infiltration |
| 26093 | RustyClaw Malware Downloader Download Threat | Network Infiltration |
| 22315 | RustyClaw Malware Downloader Email Threat | Email Infiltration |
| 25241 | Mythic Backdoor Malware Download Threat | Network Infiltration |
| 74847 | Mythic Backdoor Malware Email Threat | Email Infiltration |
| 21319 | RomCom Threat Group Campaign RAT Download Threat | Network Infiltration |
| 79261 | RomCom Threat Group Campaign RAT Email Threat | Email Infiltration |
| 37650 | RomCom RAT Download Threat | Network Infiltration |
| 85377 | RomCom RAT Email Threat | Email Infiltration |
| 92483 | RomCom Backdoor Malware Download Threat | Network Infiltration |
| 88642 | RomCom Backdoor Malware Email Threat | Email Infiltration |
References
[1] “UK Infrastructure Hit by Russian Linked Cyber Group.” Available: https://www.scworld.com/brief/uk-infrastructure-hit-by-russian-linked-cyber-group
[2] “Monthly Threat Brief August 2025.” Available: https://www.connectwise.com/blog/monthly-threat-brief-august-2025
[3] “ESET Research: Russian RomCom group exploits new vulnerability, targets companies in Europe and Canada,” ESET Newsroom. Available: https://www.eset.com/us/about/newsroom/research/eset-research-russian-romcom-group-exploits-new-vulnerability-targets-companies-in-europe-and-canada/. [Accessed: Sep. 29, 2025]
[4] J. Penny, S. C. Analyst, and Y. Solanki, “Bridewell,” Bridewell, Apr. 29, 2025. Available: https://www.bridewell.com/insights/blogs/detail/operation-deceptive-prospect-romcom-targeting-uk-organisations-through-customer-feedback-portals. [Accessed: Sep. 29, 2025]
[5] Microsoft Threat Intelligence, “Storm-0978 attacks reveal financial and espionage motives,” Microsoft Security Blog, Jul. 11, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/. [Accessed: Sep. 30, 2025]
[6] Z. Zorz, “RomCom hackers chained Firefox and Windows zero-days to deliver backdoor,” Help Net Security, Nov. 26, 2024. Available: https://www.helpnetsecurity.com/2024/11/26/romcom-backdoor-cve-2024-9680-cve-2024-49039/. [Accessed: Sep. 30, 2025]
[7] “Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability.” Available: https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability. [Accessed: Sep. 30, 2025]
[8] “10 Things I Hate About Attribution: RomCom vs. TransferLoader,” Proofpoint, Jun. 27, 2025. Available: https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader. [Accessed: Sep. 30, 2025]