
RomCom

romcom · primary source: Other · first observed 2022
Country: RU (Russia) · State-sponsored · Moderate confidence · last cited Aug 10, 2025 (9 months ago)

Russia-aligned intrusion set conducting hybrid espionage and financially-motivated operations — ESET, Microsoft, and Unit 42 track it as a single actor straddling state-objective targeting (Ukrainian government, NATO summit attendees, European defense and energy organizations) and cybercrime (the Industrial Spy and Underground extortion brands). Repeated zero-day exploitation: WinRAR CVE-2023-38831 in 2023, a chained Firefox + Windows zero-day in November 2024, and a new WinRAR zero-day in August 2025.

Aliases

  • Storm-0978 (Microsoft)
  • Tropical Scorpius (Other)
  • UNC2596 (Mandiant)
  • Void Rabisu (Other)
  • Underground Team (Other)

Motivations

  • espionage
  • financial gain

Target sectors

  • government
  • defense
  • energy
  • pharmaceutical
  • insurance
  • legal

Target countries

  • UA
  • US
  • DE
  • PL
  • CA
  • GB

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • RomCom
  • Russia
  • espionage
  • financial gain
Infrastructure
  • advanced-ip-scaner.com
  • combinedresidency.org
Victim
  • government
  • defense
  • energy
  • UA
  • US
  • +1 more

MITRE ATT&CK techniques

Timeline

2 events

Indicators of compromise

3 indicators

Domain · advanced-ip-scaner[.]com
  • family: RomCom RAT
  • first seen: Jul 10, 2023
  • source: Microsoft Threat Intelligence
  • note: Typosquat of advanced-ip-scanner.com used by Storm-0978 (Microsoft's tracker for the RomCom operator) to deliver trojanized installers; documented in the Microsoft Security Blog write-up that disclosed CVE-2023-36884 exploitation.

SHA-256 · b5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53
  • family: RomCom RAT
  • first seen: Jul 31, 2022
  • source: Palo Alto Networks Unit 42
  • note: ROMCOM RAT sample observed by Palo Alto Networks Unit 42 in the August 2022 Tropical Scorpius / Cuba ransomware intrusions; the first public attribution of the backdoor to this operator.

Domain · combinedresidency[.]org
  • family: RomCom RAT
  • first seen: Jul 31, 2022
  • source: Palo Alto Networks Unit 42
  • note: Tropical Scorpius staging domain documented by Unit 42 in their August 2022 Cuba ransomware / ROMCOM report. Listed alongside optasko[.]com as actor-controlled infrastructure.

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). RomCom — actor profile. Retrieved from https://threatintel.local/actors/romcom

latest cited activity · 2025-08-11 · 3 cataloged indicators