Russian Hackers Exploit WinRAR Zero-Day

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

RomCom Group Deployed SnipBot, RustyClaw and Mythic Agent Variants

Image: WinRAR/Shutterstock/ISMG

A Russian-speaking hacking group is exploiting a zero-day flaw in WinRAR, a sign of the group's growing sophistication and of its evolution from a cybercrime outfit into a cyberespionage operation.


Researchers at security firm Eset uncovered the campaign, which has been active since July. It exploited a path traversal vulnerability now tracked as CVE-2025-8088. WinRAR published a patch on July 31 after Eset researchers alerted the company.

RomCom, also tracked as Storm-0978, Tropical Scorpius and UNC2596, mainly deployed ransomware in the past. Since Russia’s 2022 invasion of Ukraine, the group has conducted cyberespionage operations aligned with Kremlin interests, along with conventional cybercrime operations. “This is at least the third time RomCom has used a zero-day vulnerability in the wild, highlighting its ongoing focus on acquiring and using exploits for targeted attacks,” Eset researchers said about the latest campaign.

The campaign begins with phishing emails disguised as job applications. The attackers abused alternate data streams, an attribute of the Windows NTFS file system, to embed malicious code that WinRAR unpacked automatically; because of the path traversal flaw, that content was not confined to the folder the user chose for extraction. The attackers padded archives with multiple alternate data stream entries containing dummy data and invalid paths to hide the real payloads.
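The defensive counterpart of the technique just described, added here as an illustration and not taken from the article, Eset or WinRAR: an extractor or archive scanner should treat an NTFS stream name (`file:stream`) as a label rather than a path, and should refuse any entry whose resolved target leaves the extraction directory. The sample entry names and the `C:\extract` destination are constructed for the demonstration.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass
class Verdict:
    entry: str
    safe: bool
    reason: str

def split_ads(name: str) -> tuple[str, Optional[str]]:
    """Split 'file.ext:stream' into (file, stream); slashes become backslashes
    first, and a drive-letter colon ('C:\\...') is not treated as a stream."""
    drive, rest = ntpath.splitdrive(name.replace("/", "\\"))
    base, sep, stream = rest.partition(":")
    return drive + base, (stream if sep else None)

def confined(relpath: str, dest: str) -> bool:
    """True if dest\\relpath, after '..' resolution, is still inside dest."""
    dest = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest, relpath))
    try:
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:  # different drives share no common path
        return False

def check_entry(entry: str, dest: str = r"C:\extract") -> Verdict:
    base, stream = split_ads(entry)
    if ntpath.splitdrive(base)[0] or base.startswith("\\"):
        return Verdict(entry, False, "absolute base path")
    if not confined(base, dest):
        return Verdict(entry, False, "base path escapes the extraction directory")
    if stream is not None and ("\\" in stream or ".." in stream):
        # A stream name labels the file; it is never a path. Separators or
        # '..' inside it would steer an extractor that honours it elsewhere.
        return Verdict(entry, False, "ADS name used as a path")
    return Verdict(entry, True, "ADS with plain name" if stream else "plain file")

def scan_entries(entries, dest: str = r"C:\extract") -> list[str]:
    return [e for e in entries if not check_entry(e, dest).safe]

SAMPLE_ENTRIES = [  # constructed for this demonstration, not from the campaign
    "Resume.pdf",                                        # ordinary file
    "Resume.pdf:decoy1",                                 # ADS with dummy data
    "Resume.pdf:..\\..\\..\\Users\\Public\\payload.lnk",  # ADS name used as a path
    "docs/../../../dropper.dll",                         # traversal in base name
    "C:\\Windows\\Temp\\x.exe",                          # absolute path
]
```

`scan_entries(SAMPLE_ENTRIES)` returns the last three names; a patched extractor applies the same reasoning at write time rather than trusting stream names from the archive.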

Researchers observed three infection chains deploying different malware:

  • Mythic agent: A DLL is executed via Component Object Model (COM) hijacking, which manipulates how Windows looks up and loads COM objects. The malicious script retrieves the domain name of the infected machine – typically the company name – and compares it with a hard-coded value, shutting down if the values don't match. "This means that the attackers had conducted reconnaissance beforehand, confirming that this email was highly targeted," Eset wrote. The infection chain ends by loading Mythic, an open-source red teaming platform.
  • SnipBot variant: A malicious LNK file launches a tampered build of PuTTY, the popular open-source SSH client. It loads shellcode that appears to be a variant of SnipBot, malware that Unit 42 has attributed to RomCom.
  • RustyClaw and MeltingClaw: A malicious LNK deploys the RustyClaw downloader, which in turn drops a second downloader that partially matches the malware Proofpoint dubbed MeltingClaw and attributed to RomCom.

“The discovered campaign targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation,” Eset researchers said.

In addition to RomCom, another threat group tracked as Paper Werewolf and Goffee is exploiting the WinRAR flaw to target Russian companies, Moscow-based Bi.zone said.

Hacking campaigns using job impersonation were previously a hallmark of North Korean hackers, but cybercriminals across the world now deploy the same tactic (see: North Korean Hackers Spreading Malware Via Fake Interviews).
