We often highlight how quickly adversaries evolve their behaviors (in contrast with the long-held belief that behaviors are largely static). But when we discuss behavioral evolution, we most often mean Technique- and Procedure-level changes. The actor behind the “RomCom” backdoor (Void Rabisu) represents a rarer case of Tactic-level evolution.
Void Rabisu was originally associated with financially motivated ransomware activity. Since late 2022, however, its overall goals (Tactics) appear to have shifted toward likely espionage-motivated information collection, with targeting apparently aligned with Russian strategic priorities. Last week, researchers documented the first known case of SocGholish loader malware being used to deliver RomCom payloads, marking a significant shift in how the group is achieving its goals. SocGholish is traditionally sold to cybercriminal actors, so its association with geopolitically focused activity would represent a notable development for that threat cluster as well.
12/2/25: SocGholish RomCom Distribution – Spotlight Procedures
Threat-Led Defense commentary: Monitor for downloads and execution of executables from unexpected sources, especially those masquerading as software updates, and, where the paths the loader uses are known, restrict execution of files at those specific paths. Also educate users to recognize social engineering, especially fake update-themed prompts.
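The following is an added detection example, not code from the original post or from any vendor product. It runs the heuristics described above (an executable launched from a user-writable download location by a browser, or a script host running a script from such a location, with update-themed filenames raising severity) over a handful of constructed process-creation events modelled loosely on Sysmon Event ID 1 style telemetry. The field names, directory patterns and sample values are assumptions for illustration.

```python
"""Heuristic triage of process-creation events for fake-update delivery (added example).

The events below are constructed for illustration; the parent/child process
and path patterns are assumptions that a real deployment would tune to its
own telemetry and allow-lists.
"""
import re
from dataclasses import dataclass

# Parents from which a freshly downloaded "update" should not normally spawn.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Interpreters commonly abused to run downloaded scripts.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# User-writable locations where a browser download typically lands (assumed Windows layout).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Update-themed lure names; a generic pattern, not a campaign-specific indicator.
UPDATE_LURE = re.compile(r"(update|upgrade|installer|patch)", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|hta|wsf|ps1)$", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_paths(cmdline: str) -> list[str]:
    """Extract Windows drive-letter paths from a command line (quoted or bare)."""
    return re.findall(r'[A-Za-z]:\\[^"\s]+', cmdline)


def assess(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one event; severity is none/medium/high."""
    reasons = []
    parent, image = basename(ev.parent_image), basename(ev.image)
    # Rule 1: a browser directly launched a binary sitting in a download location.
    if parent in BROWSERS and USER_WRITABLE.match(ev.image):
        reasons.append("browser launched an executable from a user-writable path")
    # Rule 2: a script host ran a script file that lives in a download location.
    if image in SCRIPT_HOSTS:
        for p in find_paths(ev.command_line):
            if USER_WRITABLE.match(p) and SCRIPT_EXT.search(p):
                reasons.append(f"script host ran a downloaded script: {basename(p)}")
                break
    # Severity bump: the downloaded file name is update-themed.
    lures = [basename(p) for p in [ev.image, *find_paths(ev.command_line)]
             if USER_WRITABLE.match(p) and UPDATE_LURE.search(basename(p))]
    if reasons and lures:
        reasons.append(f"update-themed lure name: {lures[0]}")
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "none", reasons


def triage(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    return [assess(ev) for ev in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # User double-clicked a downloaded .js "update" in Explorer.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Chrome.Update.js"'),
    # Browser launched a downloaded "update" installer directly.
    ProcEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Users\alice\Downloads\Browser-Update-Setup.exe",
              r'"C:\Users\alice\Downloads\Browser-Update-Setup.exe"'),
    # Benign: Chrome started from the desktop.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    # Benign: a script host running a system script from a protected path.
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\wscript.exe C:\Windows\System32\slmgr.vbs /dlv"),
    # Suspicious but not update-themed: Edge launched a binary from Temp.
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r"C:\Users\bob\AppData\Local\Temp\setup.exe",
              r'"C:\Users\bob\AppData\Local\Temp\setup.exe"'),
]

if __name__ == "__main__":
    for ev, (sev, why) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{sev:6} {basename(ev.image)}  {'; '.join(why)}")
```

The two rules deliberately fire on different points in the chain (the browser handing off to a dropped binary, and a script host consuming a dropped script), so a single event is enough to raise an alert; the lure-name check only adjusts severity and should never be the sole trigger, since attackers can rename files freely.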
Threat-Led Defense commentary: While this step comes relatively late in the SocGholish infection chain, it still precedes (or coincides with) the start of RomCom post-exploitation behaviors, giving defenders an opportunity to detect and respond before potential impact. Our relevant Procedure Cluster, PC1000064, highlights dozens of similar observed attacker actions and summarizes detection- and mitigation-focused measures, such as auditing scheduled tasks for legitimacy, focusing first on those that run with high privileges.
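As an added example of the task-auditing measure mentioned above (not code from the original post or from the Procedure Cluster), the script below ranks a scheduled-task inventory for manual review: tasks running as a privileged account come first, then enabled tasks, then tasks with more suspicious indicators (an action pointing into a user-writable path, a script host or script file in the action, or a task filed under the Microsoft task path but authored by a non-Microsoft account). The CSV is constructed; its column names follow the verbose CSV export of the Windows schtasks utility, but every row, the account patterns and the indicator weights are assumptions for illustration.

```python
"""Prioritize a scheduled-task inventory for legitimacy review (added example).

Constructed input: the column names mimic `schtasks /query /v /fo CSV`, but the
rows are invented. Account names, path patterns and indicator weights are
assumptions to be tuned per environment.
"""
import csv
import io
import re

TASK_EXPORT = r'''"TaskName","Author","Task To Run","Run As User","Scheduled Task State"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Enabled"
"\Microsoft\Windows\UpdateOrchestrator\Update Assistant","CORP\alice","wscript.exe C:\Users\alice\AppData\Local\Temp\update.js","SYSTEM","Enabled"
"\Adobe Acrobat Update Task","Adobe Systems Incorporated","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","CORP\alice","Enabled"
"\Backup Sync","CORP\bob","wscript.exe //B C:\Users\bob\Downloads\sync.vbs","CORP\bob","Enabled"
"\Old Cleanup","CORP\admin","C:\Tools\cleanup.bat","CORP\admin","Disabled"
'''

# Accounts whose tasks run with high privileges (assumed naming; extend per environment).
PRIVILEGED = re.compile(r"^(nt authority\\)?(system|local service|network service)$|administrator", re.I)
# Locations an unprivileged user can write to, i.e. where a dropped payload would live.
USER_WRITABLE = re.compile(r"c:\\users\\[^\\]+\\|\\appdata\\|\\temp\\|\\public\\", re.I)
# Living-off-the-land hosts commonly used by tasks to run dropped scripts.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|powershell|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b", re.I)


def score_task(row: dict) -> dict:
    """Annotate one task row with a privileged flag, an indicator score and reasons."""
    name, author, action = row["TaskName"], row["Author"], row["Task To Run"]
    flags = []
    if USER_WRITABLE.search(action):
        flags.append(("action in user-writable path", 2))
    if SCRIPT_HOST.search(action):
        flags.append(("script host in action", 1))
    if SCRIPT_EXT.search(action):
        flags.append(("script file in action", 1))
    if name.lower().startswith("\\microsoft\\") and "microsoft" not in author.lower():
        flags.append(("Microsoft task path but non-Microsoft author", 2))
    return {
        "name": name,
        "privileged": bool(PRIVILEGED.search(row["Run As User"].strip())),
        "enabled": row["Scheduled Task State"].strip().lower() == "enabled",
        "score": sum(weight for _, weight in flags),
        "reasons": [reason for reason, _ in flags],
    }


def prioritize_tasks(csv_text: str) -> list[dict]:
    """Review order: privileged first, then enabled, then by indicator score, then name."""
    tasks = [score_task(row) for row in csv.DictReader(io.StringIO(csv_text))]
    return sorted(tasks, key=lambda t: (-t["privileged"], -t["enabled"], -t["score"], t["name"]))


if __name__ == "__main__":
    for t in prioritize_tasks(TASK_EXPORT):
        tag = ("PRIV " if t["privileged"] else "user ") + ("on " if t["enabled"] else "off")
        print(f"{tag} score={t['score']} {t['name']}  {'; '.join(t['reasons'])}")
```

The ranking puts a privileged task with no indicators (the defrag task here) ahead of an unprivileged task with several, which matches the guidance to start with high-privilege tasks; if an environment has hundreds of benign SYSTEM tasks, an allow-list of known task names and authors should be applied before sorting rather than by weakening the privilege-first rule.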