
Cyber threat actor RomCom—also tracked as Storm-0978, Tropical Scorpius, UNC2596, Void Rabisu, and UAC-0180—has launched a new cyber espionage campaign targeting UK-based retail, hospitality, and critical national infrastructure (CNI) organizations. Disclosed by Bridewell’s CTI team, the campaign, dubbed Operation Deceptive Prospect, marks a novel approach in RomCom’s arsenal: weaponizing customer feedback portals as the attack vector.
“The threat actor leveraged externally facing customer feedback portals to submit phishing emails directed at customer service representatives of two Bridewell customers,” the report explains.
RomCom submitted convincing fake complaints via customer feedback channels using Yahoo email addresses designed to appear legitimate. Each email followed a consistent, formulaic structure and contained links to supporting documents supposedly hosted on Google Drive or Microsoft OneDrive. These were, in fact, domains controlled by the attackers, such as gdrive-share[.]online and 1dv365[.]live.
Bridewell analysts believe AI tools may have been used to generate the email content due to the structured nature and linguistic anomalies observed: “We hypothesised that it is highly likely that the threat actor used Artificial Intelligence (AI) to generate email content… with consistent structure and awkward formal tone.”

The themes ranged from stolen luggage at hotels to complaints about UK airport infrastructure—pretexts that triggered victim engagement and increased the likelihood of link-clicking.
Bridewell mapped the email contents against the Pillars of Social Engineering, observing the heavy use of trust exploitation and urgency:
- Trust: Impersonation of legitimate customers or seasoned travelers.
- Urgency: Threats to escalate to consumer protection agencies or damage company reputation.
- Authority: Claims referencing police reports or industry knowledge.
- Social Proof: References to shared experiences and comparisons with global airport hubs.
Clicking on the links launched a multi-stage redirection chain, starting with domains hosted via Rebrandly and Amazon S3, and eventually routing traffic to OVH France through the opn[.]to shortener. These endpoints finally led to fake OneDrive pages designed to deliver malware payloads.
The final payloads were hosted on attacker-controlled domains such as:
- gcloud-drive[.]com
- cloudedrive[.]com
- datadrv1[.]com
These domains masqueraded as cloud storage sites, offering a “PDF” download that was in reality a signed Windows executable with file names like:
- Evidence File april.exe
- Medical Report scan april.exe
- Attachment_Harassment evidence april.exe
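The lookalike cloud-storage domains described above lend themselves to a simple defender-side triage check on inbound feedback-portal submissions. The following is an added example, not code from the Bridewell report: it extracts URLs from a submission, ignores the real Google Drive and OneDrive hosts, and flags hosts that reuse cloud-storage brand fragments. The allowlist, brand tokens and sample complaint text are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: the legitimate hosts of the brands the lures impersonate.
LEGIT_HOSTS = {
    "drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms",
}
# Assumed brand fragments that lookalike hosts tend to reuse (triage heuristic,
# not a verdict: a hit should route the submission to an analyst, not block it).
BRAND_TOKENS = ("gdrive", "gcloud", "drive", "drv", "1dv", "onedrive", "cloud")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample submission modelled on the campaign's stolen-luggage pretext.
SAMPLE_SUBMISSION = (
    "I was treated disgracefully at your hotel and my luggage was stolen. "
    "The police report and photos are on Google Drive: "
    "https://gdrive-share[.]online/s/complaint-2291 and OneDrive: "
    "https://1dv365[.]live/f/evidence. I will escalate to consumer protection."
)


def refang(text: str) -> str:
    """Turn defanged indicators (gdrive-share[.]online, hxxp://) into parseable URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def suspicious_hosts(submission: str) -> list[str]:
    """Return hosts that imitate a cloud-storage provider without being one.

    Legitimate provider hosts and their subdomains are skipped; any other host
    containing a brand token is flagged, in the order it appears.
    """
    flagged = []
    for url in URL_RE.findall(refang(submission)):
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue
        if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
            continue
        if any(tok in host for tok in BRAND_TOKENS) and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_SUBMISSION))
```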
“The file is signed by the organisation GMC CONSTRUCTION AND TRADING COMPANY LIMITED. This certificate is likely stolen or compromised,” the report notes.
Static and dynamic analysis of the retrieved executable points to possible evasion-by-design. Notably:
- Locale code: Polish (suggesting developer origin)
- PDF icon, but unrelated executable content
- Anti-analysis technique: querying Windows RecentDocs registry key
Bridewell noted strong overlaps with previous RomCom toolsets, particularly the SnipBot backdoor (RomCom 5.0), known for:
- Command-and-control flexibility
- Anti-sandbox evasion
- Compression and exfiltration via 7-Zip
- Use of hijacked COM components
“This file is detected as malicious only by ESET using the Win32/TrojanDownloader.RomCom.A. The name of the signature further supports our hypothesis that there is technical overlap with RomCom from a tooling perspective as well,” the report states.
RomCom has a diverse and evolving threat portfolio:
- Historically deployed Cuba ransomware
- Delivered backdoors through trojanized software installers
- Exploited CVE-2023-36884, CVE-2024-9680, and CVE-2024-49039 in zero-click Firefox attacks
- Active against targets in Ukraine, NATO members, legal, pharma, and energy sectors