RomCom
Event type: Compromise · Severity: High · 2024-11-26

RomCom chains Firefox + Windows zero-days for click-less backdoor delivery

published by ESET Research
Actor
RomCom (RU · Russia) · APT

Russia-aligned intrusion set conducting hybrid espionage and financially motivated operations — ESET, Microsoft, and Unit 42 track it as a single actor straddling state-objective targeting (Ukrainian…

Summary

ESET disclosed that RomCom chained two zero-days into a zero-click exploit chain: CVE-2024-9680, a use-after-free in Firefox (Firefox ESR and Tor Browser share the vulnerable code), and CVE-2024-49039, a Windows Task Scheduler privilege-escalation flaw used to break out of the Firefox sandbox. A victim who merely loaded an attacker-controlled web page in a vulnerable browser received the RomCom backdoor with no further interaction. The campaign targeted European and North American defense, energy, pharma, insurance, and legal organizations. Mozilla patched the Firefox bug on 9 October 2024, within a day of ESET's report; Microsoft patched the Windows flaw in the November 2024 Patch Tuesday release.
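Because the Firefox bug is the entry point of the chain, the first question a defender asks is which browsers in the estate are still below the fixed builds. The following triage helper is an added example written for this page; it is not ESET's code or tooling from the tracker. The fixed versions come from Mozilla's advisory MFSA 2024-51 (Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1), not from the summary above, and the proxy-log lines are constructed. It also shows a caveat worth knowing before triaging from web-proxy logs: Firefox exposes only major.minor in its User-Agent header and ESR freezes that at X.0 for the whole train, so a UA string can prove a build is vulnerable or fixed but, for the majors that received the fix, can only return "inconclusive".

```python
"""Patch-state triage for CVE-2024-9680 (the Firefox use-after-free used by
RomCom) from installed version strings and from User-Agent headers.

Fixed builds are taken from Mozilla advisory MFSA 2024-51 (9 October 2024),
not from the tracker page. Sample log lines are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

FIXED_RELEASE: Version = (131, 0, 2)                  # rapid-release train
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}    # ESR trains alive in Oct 2024


def parse_version(text: str) -> Tuple[Version, bool]:
    """'128.3.1esr' -> ((128, 3, 1), True). Pads to three components.
    The 'esr' marker (as shown in about:support) must be preserved by the
    caller; without it a 128.x ESR build is judged against the release train."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(esr)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)), m.group(2) is not None


def status_from_version(text: str) -> str:
    """'vulnerable' or 'fixed' for a full installed-version string."""
    ver, esr = parse_version(text)
    major = ver[0]
    if esr:
        if major in FIXED_ESR:
            return "fixed" if ver >= FIXED_ESR[major] else "vulnerable"
        # ESR trains older than 115 were end-of-life and never got the fix;
        # any ESR train newer than 128 branched after it.
        return "vulnerable" if major < min(FIXED_ESR) else "fixed"
    return "fixed" if ver >= FIXED_RELEASE else "vulnerable"


UA_RE = re.compile(r"\bFirefox/(\d+)\.(\d+)")


def status_from_user_agent(ua: str) -> str:
    """Triage from a UA header. Only the major is decisive: the UA carries no
    patch level, and ESR reports X.0 for its whole life, so 115.x, 128.x and
    131.x cannot be separated into fixed and unfixed builds from the UA alone."""
    m = UA_RE.search(ua)
    if not m:
        return "not-firefox"
    major = int(m.group(1))
    if major > FIXED_RELEASE[0]:
        return "fixed"
    if major in FIXED_ESR or major == FIXED_RELEASE[0]:
        return "inconclusive"
    return "vulnerable"        # 116-127, 129, 130 and anything pre-115


# Constructed proxy-log lines: "<client> <host> <user-agent>"
SAMPLE_PROXY_LOG = [
    "10.0.4.17 intranet.example.test Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0",
    "10.0.4.22 intranet.example.test Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0",
    "10.0.4.31 intranet.example.test Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "10.0.4.40 intranet.example.test Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0",
    "10.0.4.55 intranet.example.test Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/130.0.0.0 Safari/537.36",
]


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Group client addresses by UA-derived status; 'inconclusive' hosts need
    an endpoint-side version check (about:support or the installed binary)."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        client, _host, ua = line.split(" ", 2)
        out.setdefault(status_from_user_agent(ua), []).append(client)
    return out


if __name__ == "__main__":
    for status, clients in sorted(triage_log(SAMPLE_PROXY_LOG).items()):
        print(f"{status:13} {', '.join(clients)}")
```

The split between the two functions is the practical point: the UA-based pass is cheap and can be run over weeks of proxy logs, but it only narrows the list; the hosts it flags as inconclusive still need the full version string from the endpoint, with the `esr` marker intact, before they can be marked patched.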

Tags

zero-day · zero-click · browser · russia

Primary source

welivesecurity.com

Other RomCom events