A Ukrainian flag flies above the ruins of buildings destroyed during fighting between Ukrainian and Russian occupying forces on Oct. 24, 2022, in Kam'yanka, Kharkiv oblast, Ukraine. (Photo by Carl Court/Getty Images)

Researchers on Wednesday reported that the RomCom threat group has been running a series of new attacks via a remote access trojan (RAT) that leverage the brands of SolarWinds, KeePass, and PDF Technologies.

In a blog post, BlackBerry researchers said that while RomCom has primarily been targeting Ukraine, they believe some English-speaking countries have also been targeted, including the United Kingdom.

Given the geography of the targets and the current geopolitical situation, the BlackBerry researchers say it's unlikely the RomCom RAT threat actor is cybercrime-motivated.
Given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said that with the current geopolitical situation, it's quite likely there's state-level involvement behind the scenes.

“At its core, though, this is an attack against human targets,” Parkin said. “They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface.”

The RomCom attack looks like a direct copycat of some attacks investigated during the pandemic, in which a number of vendor product support tools were mimicked or "wrapped" with malware, said Andrew Barratt, vice president at Coalfire.

“The ‘wrapping’ means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment,” Barratt said. “Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead.”