
RomCom backdoor

Updated on 2022-11-04

BlackBerry’s security team has published a technical report on a suspected nation-state operation that appears to be using a backdoor typically employed by the cybercrime ecosystem to target organizations in Ukraine and the United Kingdom. The campaign, first spotted by CERT-Ukraine, uses cloned websites for popular enterprise software tools such as SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro to host booby-trapped versions of those tools, each backdoored with a version of the RomCom RAT. Read more:

“Given the geography of the targets and the current geopolitical situation, it’s unlikely that the RomCom RAT threat actor is cybercrime-motivated.”

Overview: RomCom backdoor

CERT-UA says they saw a spear-phishing campaign targeting Ukrainian organizations last week, distributing a version of the RomCom backdoor malware. Authorities said they believe a threat actor named UNC2596 (Tropical Scorpius) is behind the attacks. This is the same group believed to operate the Cuba ransomware. BlackBerry’s security team also has an in-depth look at the technical side of this campaign, although they have not linked it to Cuba ransomware operators. Read more:
