
RomCom Leverages SocGholish Fake Updates to Deploy Mythic Agent Malware


These articles are AI-generated summaries. Please check the original sources for full details.

RomCom, a Russia-aligned threat group, deployed the Mythic Agent via SocGholish fake update attacks against a U.S. civil engineering firm in November 2025. The attack chain was halted after 30 minutes, and defenders verified the threat actor's targeting of Ukraine-linked entities.

Why This Matters

SocGholish acts as an initial access broker, exploiting poorly secured websites to deliver payloads such as Mythic Agent, a post-exploitation framework. While this attack failed, the speed of execution (from fake update alert to reverse shell) highlights the danger of unpatched vulnerabilities. The cost of such breaches, including data exfiltration and lateral movement, can exceed $1.5M per incident (IBM, 2024), underscoring the need for real-time threat detection.

Key Insights

  • “First use of SocGholish by RomCom in 2025, targeting U.S. engineering firms” (Arctic Wolf Labs, 2025)
  • “Reverse shell established within 30 minutes of initial compromise” (Arctic Wolf Labs, 2025)
  • “Mythic Agent linked to GRU-backed operations since 2022” (CISA, 2025)

Practical Applications

  • Use Case: U.S. engineering firms targeted via fake Chrome/Firefox update alerts
  • Pitfall: Poor website security enabling JavaScript injection via outdated plugins
