Concise Cyber

RomCom Threat Actor Uses SocGholish Fake Updates to Deliver Mythic Agent Malware

Threat Actor RomCom Leverages Drive-By Downloads

The threat actor known as RomCom, also tracked as Void Rabisu, is using the SocGholish framework to deliver Mythic Agent, an implant for the open-source Mythic command-and-control (C2) framework. The chain begins with a drive-by download on a compromised, otherwise legitimate website into which the SocGholish JavaScript loader has been injected. Visitors are shown an overlay that imitates a browser update prompt for Google Chrome or Mozilla Firefox.

When a user clicks the fake update, a malicious ZIP archive is downloaded. Inside is a JavaScript file that, once the user opens it (on a default Windows install a .js file runs under Windows Script Host), kicks off the next stage. No browser exploit is involved: the chain depends entirely on social engineering to get the victim to run the file, so exploit-focused controls never fire and detection falls to endpoint telemetry, such as a script host launched from a user's Downloads folder, and to user awareness.

Infection Chain and Mythic Agent Payload

Once the initial JavaScript file runs, it connects to a command-and-control (C2) server and retrieves the final payload, Mythic Agent. Mythic Agent is an implant built on the open-source Mythic C2 project, a post-exploitation framework that anyone can download and adapt, which is what makes it attractive to an operator who wants capable tooling without a bespoke backdoor. Its purpose here is to give the RomCom operators remote control over the compromised host.
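The host-side part of this chain leaves a distinctive trail: a Windows script host (wscript.exe or cscript.exe) launching a .js file from a user-writable folder, followed shortly by an outbound connection from that same process when the stager reaches for its C2. The detection below is an added example written for this page; it is not code from the original article, from RomCom, or from any vendor. The telemetry shape (Sysmon-style EventID 1 process-creation and EventID 3 network-connection records with the field names shown), the path heuristics, the five-minute window and every sample event, hostname, user and IP address are constructed assumptions for illustration.

```python
"""Correlate a script-host launch of a .js from a user-writable path with a
subsequent outbound connection from the same process (SocGholish-style
fake-update chain). Added example; telemetry format and samples are assumed.
"""
import json
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders where a user-extracted ZIP payload typically lands (assumption; tune).
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|Temp)\\", re.IGNORECASE)
JS_ARG = re.compile(r'"?([^"\s]+\.js)"?', re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # script launch to first beacon (assumption)

# Constructed Sysmon-style events as newline-delimited JSON. Host, user,
# paths and the 203.0.113.10 destination are placeholders, not indicators.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2025-11-04 14:20:02", "Computer": "WS-ENG-07", "User": "CORP\\alice", "ProcessGuid": "{a1}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\""}
{"EventID": 1, "UtcTime": "2025-11-04 14:22:31", "Computer": "WS-ENG-07", "User": "CORP\\alice", "ProcessGuid": "{b2}", "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\alice\\Downloads\\Update_Chrome\\Update.js\""}
{"EventID": 3, "UtcTime": "2025-11-04 14:22:34", "Computer": "WS-ENG-07", "ProcessGuid": "{b2}", "Image": "C:\\Windows\\System32\\wscript.exe", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "UtcTime": "2025-11-04 14:25:00", "Computer": "WS-ENG-07", "User": "NT AUTHORITY\\SYSTEM", "ProcessGuid": "{c3}", "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe C:\\ProgramData\\Deploy\\inventory.js"}
"""


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def is_suspicious_script_launch(ev):
    """EventID 1 where a script host runs a .js located under a user-writable path."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    match = JS_ARG.search(ev.get("CommandLine", ""))
    return bool(match and USER_WRITABLE.search(match.group(1)))


def detect(events):
    """Return one alert per suspicious script launch. Outbound connections from
    the same ProcessGuid inside WINDOW are attached; severity is 'high' when the
    script host also beaconed, 'medium' when it only launched."""
    suspects = {}
    for ev in sorted(events, key=_ts):
        guid = ev.get("ProcessGuid")
        if is_suspicious_script_launch(ev):
            suspects[guid] = {
                "host": ev.get("Computer"),
                "user": ev.get("User"),
                "command": ev.get("CommandLine"),
                "started": _ts(ev),
                "destinations": [],
            }
        elif (ev.get("EventID") == 3 and guid in suspects
              and str(ev.get("Initiated")).lower() == "true"
              and _ts(ev) - suspects[guid]["started"] <= WINDOW):
            suspects[guid]["destinations"].append(
                f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
    return [
        {
            "guid": guid,
            "host": s["host"],
            "user": s["user"],
            "command": s["command"],
            "destinations": s["destinations"],
            "severity": "high" if s["destinations"] else "medium",
        }
        for guid, s in suspects.items()
    ]


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Run against the sample, only the wscript.exe launch of Update.js from Downloads is flagged, and it is raised to high because the same process connected out three seconds later; the browser launch and the SYSTEM-run inventory script under ProgramData are ignored. The benign control matters: script hosts are used legitimately by administrators, so the path restriction, not the mere presence of wscript.exe, is what keeps the rule usable.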

Mythic Agent gives the attackers persistent access, command execution and reconnaissance on the infected network; it is used to gather information and to facilitate lateral movement. The division of labour is the notable point: SocGholish is a cheap, opportunistic initial-access vector that reaches a broad pool of victims, and RomCom then spends the more capable Mythic Agent only on the compromised hosts it judges worth pursuing.

Source: https://thehackernews.com/2025/11/romcom-uses-socgholish-fake-update.html