A U.S.-based civil engineering firm specializing in Ukraine-related infrastructure projects was the target of a highly selective cyberattack attributed to Russian GRU Unit 29155 in September 2025. The threat actors used fake browser update pop-ups to deploy SocGholish malware, which delivered the RomCom Mythic Agent loader within minutes of the initial infection. The attack relied on compromised legitimate websites injected with malicious JavaScript, tricking employees into downloading a fake 'msedge.dll' payload disguised as a browser update. The payload executed only when the victim's system matched a predefined domain, indicating precision targeting. Once activated, it connected to Mythic C2 servers, giving the attackers remote access for potential espionage or data exfiltration. Although Arctic Wolf's Aurora Endpoint Defense detected and quarantined the payload before full compromise, the incident shows how SocGholish, a malware-as-a-service previously associated with ransomware operations, is now being repurposed for state-sponsored cyber operations. The link to GRU-affiliated groups suggests motives beyond financial gain, most likely disrupting pro-Ukrainian entities or gathering intelligence on critical infrastructure projects. The use of bulletproof hosting and advanced obfuscation further complicates attribution and mitigation.
Source: https://cyberpress.org/socgholish-malware/
Moffatt & Nichol cybersecurity rating report: https://www.rankiteo.com/company/moffatt-&-nicho
"id": "MOF59100659112625",
"linkid": "moffatt-&-nicho",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could lead to war"
{'affected_entities': [{'industry': 'Civil Engineering',
'location': 'United States',
'name': 'U.S.-based civil engineering firm (unnamed)',
'type': 'Private Company'}],
'attack_vector': ['Fake Browser Update Pop-ups',
'Compromised Legitimate Websites',
'Malicious JavaScript Injection',
'Social Engineering'],
'customer_advisories': ['General warning about fake browser updates and '
'SocGholish malware'],
'data_breach': {'data_exfiltration': ['Potential (remote access established, '
'but payload quarantined)']},
'date_detected': '2025-09',
'date_publicly_disclosed': '2025-09',
'description': 'Cybersecurity researchers at Arctic Wolf Labs uncovered a new '
'cyberattack campaign where Russian-linked threat actors (GRU '
'Unit 29155) used fake browser update pop-ups to deploy the '
'SocGholish malware, marking the first known instance of the '
'RomCom threat group using SocGholish for potential '
'state-sponsored espionage. The attack targeted a U.S.-based '
'civil engineering firm involved in Ukraine-related projects '
'in September 2025. The SocGholish infection led to the '
'deployment of the RomCom Mythic Agent loader, disguised as '
"'msedge.dll,' which established remote access via Mythic C2 "
'servers. Arctic Wolf’s Aurora Endpoint Defense detected and '
'quarantined the payload, preventing full compromise. The '
'campaign highlights the evolution of SocGholish from '
'financially motivated attacks to targeted espionage, '
'leveraging compromised legitimate websites and advanced '
'obfuscation techniques.',
'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
'targeted espionage campaign'],
'operational_impact': ['Potential remote access by threat actors',
'Quarantined payload prevented full '
'compromise'],
'systems_affected': ['At least one system in a U.S.-based civil '
'engineering firm']},
'initial_access_broker': {'backdoors_established': ['RomCom Mythic Agent '
"loader ('msedge.dll')"],
'entry_point': ['Fake browser update pop-ups on '
'compromised legitimate websites'],
'high_value_targets': ['U.S.-based civil '
'engineering firms involved '
'in Ukraine-related '
'projects']},
'investigation_status': 'Completed (payload quarantined, no full compromise)',
'lessons_learned': ['SocGholish malware-as-a-service is evolving from '
'financially motivated attacks to state-sponsored '
'espionage.',
'Compromised legitimate websites pose a significant risk '
'for initial access.',
'Fake browser update lures remain highly effective for '
'malware delivery.',
"Advanced obfuscation techniques (e.g., 'obf-io') are "
'being used to evade detection.',
'Targeted attacks may use domain-specific payloads to '
'avoid detection.'],
'motivation': ['Espionage',
'State-Sponsored Cyber Operations',
'Targeting Pro-Ukrainian Entities'],
'post_incident_analysis': {'corrective_actions': ['Deploy EDR solutions like '
'Arctic Wolf’s Aurora '
'Endpoint Defense.',
'Enhance employee training '
'on phishing and social '
'engineering tactics.',
'Monitor for connections to '
'bulletproof hosting '
'providers linked to RomCom '
'C2 infrastructure.',
'Implement stricter '
'controls on PowerShell and '
'script execution.'],
'root_causes': ['Successful social engineering via '
'fake browser updates.',
'Lack of user awareness about '
'unsolicited update prompts.',
'Use of compromised legitimate '
'websites for malware '
'distribution.',
'Advanced obfuscation techniques '
'evading traditional defenses.']},
'recommendations': ['Enable PowerShell logging to detect malicious activity.',
'Deploy Endpoint Detection and Response (EDR) solutions '
'for real-time threat detection.',
'Train employees to ignore unsolicited browser update '
'prompts.',
'Monitor for connections to known Mythic C2 '
'infrastructure (e.g., imprimerie-agp[.]com, '
'ozivoice[.]com).',
'Implement network segmentation to limit lateral '
'movement.',
'Use threat intelligence feeds to block indicators of '
'compromise (IoCs) associated with SocGholish and '
'RomCom.'],
'references': [{'date_accessed': '2025-09', 'source': 'Arctic Wolf Labs'}],
'response': {'communication_strategy': ['Public disclosure by Arctic Wolf '
'Labs',
'Advisories on mitigating SocGholish '
'threats'],
'containment_measures': ['Aurora Endpoint Defense detected and '
'quarantined the payload'],
'enhanced_monitoring': ['Recommended: Enable PowerShell logging, '
'use EDR solutions'],
'incident_response_plan_activated': True,
'third_party_assistance': ['Arctic Wolf Labs']},
'stakeholder_advisories': ['Arctic Wolf Labs public disclosure and mitigation '
'recommendations'],
'threat_actor': ['RomCom Threat Group',
'TA569',
'GRU Unit 29155 (Russian Military Intelligence)'],
'title': 'Russian-Linked Threat Actors Use Fake Browser Updates to Deploy '
'SocGholish Malware in Targeted Espionage Campaign',
'type': ['Malware Infection',
'Espionage',
'Targeted Attack',
'Initial Access Broker'],
'vulnerability_exploited': ['Human Trust in Browser Update Prompts',
'Lack of Endpoint Detection and Response (EDR) in '
'Some Systems']}
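The narrative above describes the chain (compromised site, fake update lure, 'msedge.dll' loader, Mythic C2) and the recommendations list asks defenders to monitor for connections to the named C2 domains. The following is an added example, not code from the page, from Arctic Wolf Labs or from any of the named parties: it re-fangs the two C2 domains listed in the recommendations and runs two detection rules over constructed log lines. The log format, host names and paths are constructed for the example; the second rule (an 'msedge.dll' loaded from outside Edge's install directory) is an assumption about how a dropped loader with that name would stand out, since the page does not say where the payload was written.

```python
"""Added example: scan constructed endpoint/network log lines for the IoC
types named on this page (RomCom Mythic C2 domains and a dropped 'msedge.dll').
Not the page's or Arctic Wolf's code; log format and paths are constructed."""
import re
from dataclasses import dataclass

# C2 domains exactly as listed (defanged) in the page's recommendations.
DEFANGED_C2 = ["imprimerie-agp[.]com", "ozivoice[.]com"]

# Assumption for the example: a genuine msedge.dll lives under Edge's
# application directory; the page does not state where the fake one was dropped.
LEGIT_EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application" + "\\",
    r"c:\program files\microsoft\edge\application" + "\\",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]com', 'hxxp://') back into a matchable form."""
    return (indicator.strip()
            .replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_C2}


def domain_matches(query: str, domains) -> bool:
    """True for the domain itself or any subdomain; 'notozivoice.com' must not match."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def msedge_dll_outside_edge_dir(path: str) -> bool:
    """Assumed heuristic: an msedge.dll image load from a non-Edge directory."""
    p = path.lower()
    return p.endswith("\\msedge.dll") and not p.startswith(LEGIT_EDGE_DIRS)


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


# Constructed log format: 'dns query=<name>' and 'imageload path="<file>"' fields.
DNS_RE = re.compile(r"dns query=(?P<q>[\w.-]+)")
LOAD_RE = re.compile(r'imageload path="(?P<p>[^"]+)"')


def scan(lines):
    """Apply both rules to every line and return the alerts raised."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("q"), C2_DOMAINS):
            alerts.append(Alert(n, "romcom_mythic_c2_dns", m.group("q")))
        m = LOAD_RE.search(line)
        if m and msedge_dll_outside_edge_dir(m.group("p")):
            alerts.append(Alert(n, "msedge_dll_outside_edge_dir", m.group("p")))
    return alerts


# Constructed sample log lines (not real telemetry from the incident).
SAMPLE_LOG = [
    r"2025-09-12T10:14:03Z host=ENG-WS07 dns query=cdn.microsoft.com",
    r"2025-09-12T10:14:05Z host=ENG-WS07 dns query=ozivoice.com",
    r'2025-09-12T10:14:06Z host=ENG-WS07 imageload path="C:\Program Files (x86)\Microsoft\Edge\Application\128.0.0.0\msedge.dll"',
    r'2025-09-12T10:14:07Z host=ENG-WS07 imageload path="C:\Users\jdoe\AppData\Local\Temp\msedge.dll"',
    r"2025-09-12T10:14:09Z host=ENG-WS07 dns query=api.imprimerie-agp.com",
    r"2025-09-12T10:14:11Z host=ENG-WS07 dns query=notozivoice.com",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule} -> {a.detail}")
```

The domain rule treats subdomains of a listed C2 domain as hits but refuses look-alike suffixes, which is the usual mistake when an IoC list is turned into a plain substring match. The path rule is deliberately narrow: it fires on the file name the page reports while leaving the genuine Edge DLL alone.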