SocGholish’s basic attack chain | Image: Arctic Wolf Labs
In a significant escalation of the cyber threat landscape, Arctic Wolf Labs has identified a campaign where the financially motivated threat actor TA569 (operators of SocGholish) acted as a delivery mechanism for RomCom, a group acting on behalf of the Russian state. This collaboration marks a dangerous evolution, blending the wide reach of opportunistic e-crime with the precise, destructive intent of military espionage.
The investigation centers on a September 2025 attack targeting a U.S.-based civil engineering firm. While the attack began with the typical signature of a SocGholish infection—a “fake update” lure on a compromised website—it quickly pivoted to a targeted espionage operation.
Arctic Wolf Labs assesses with a “medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims.” This unit, Russia’s largest foreign intelligence agency’s offensive arm, has focused primarily on “disrupting international efforts to provide aid to Ukraine” since early 2022.
The report highlights the novelty of this tactic: “This is the first time that a RomCom payload has been observed being distributed by SocGholish.”
The infection chain revealed a highly disciplined and technical handoff between the criminals and the spies.
- Initial Access: The victim was lured into downloading a malicious payload disguised as a Chrome browser update via SocGholish’s “malvertising” network.
- The Handoff: Roughly 10 minutes post-exploitation, SocGholish deployed a specific loader named msedge.dll.
- Target Verification: Unlike “spray and pray” attacks, this loader contained a hardcoded check. The payload “is not made until the target’s Active Directory domain had been verified to match a known value provided by the threat actor”.
- Payload Execution: Once verified, the loader deployed the Mythic Agent, a cross-platform red-teaming tool weaponized for command and control.
- Persistence: The attackers also uploaded VIPERTUNNEL, a custom Python backdoor, to maintain long-term access.
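As an added, defender-side illustration (not code from the Arctic Wolf report), the Python below correlates constructed endpoint telemetry to flag the handoff described above: a script posing as a browser update run from a download folder, followed within minutes by msedge.dll loading from outside Edge's install directory. File paths, process names, the log format and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (not taken from the report), one event per line:
# "<ISO timestamp>|<event>|<process image>|<file or module path>"
SAMPLE_EVENTS = [
    "2025-09-10T14:02:11|file_create|chrome.exe|C:\\Users\\j.doe\\Downloads\\Chrome-Update.zip",
    "2025-09-10T14:02:40|process_start|wscript.exe|C:\\Users\\j.doe\\Downloads\\Chrome-Update.js",
    "2025-09-10T14:11:55|image_load|rundll32.exe|C:\\Users\\j.doe\\AppData\\Local\\Temp\\msedge.dll",
    "2025-09-10T16:30:00|image_load|msedge.exe|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.dll",
]

# The report describes roughly 10 minutes between the lure and the loader; 15 minutes is an assumed margin.
HANDOFF_WINDOW = timedelta(minutes=15)
# Assumed legitimate locations for the real Edge binary; anything else loading msedge.dll is suspect.
LEGIT_EDGE_DIRS = ("c:\\program files (x86)\\microsoft\\edge\\", "c:\\program files\\microsoft\\edge\\")

def parse(line):
    ts, event, image, path = line.split("|", 3)
    return datetime.fromisoformat(ts), event, image.lower(), path

def is_fake_update_execution(event, image, path):
    # A script host running a file that claims to be a browser update (the SocGholish lure pattern)
    p = path.lower()
    return event == "process_start" and image in ("wscript.exe", "cscript.exe") \
        and p.endswith((".js", ".jse")) and "update" in p

def is_suspicious_msedge_dll(event, path):
    # msedge.dll loaded from a user-writable location rather than the Edge install directory
    p = path.lower()
    return event == "image_load" and p.endswith("\\msedge.dll") and not p.startswith(LEGIT_EDGE_DIRS)

def find_handoffs(lines):
    """Return (script_path, dll_path, seconds_between) for each lure-then-loader sequence."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e[0])
    hits = []
    for i, (t0, ev0, img0, path0) in enumerate(events):
        if not is_fake_update_execution(ev0, img0, path0):
            continue
        for t1, ev1, _, path1 in events[i + 1:]:
            if t1 - t0 > HANDOFF_WINDOW:
                break  # events are time-ordered, so nothing later can be inside the window
            if is_suspicious_msedge_dll(ev1, path1):
                hits.append((path0, path1, int((t1 - t0).total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in find_handoffs(SAMPLE_EVENTS):
        print("ALERT fake-update -> loader handoff:", hit)
```

The legitimate msedge.dll load from the Edge install directory later in the sample is deliberately left unflagged, so the rule keys on location and timing rather than on the file name alone.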
The choice of target was no accident. The U.S. engineering firm had previously performed work for a city with “close ties to Ukraine.” This precise targeting aligns perfectly with RomCom’s agenda, “underscoring RomCom’s tendency to target entities with ties to Ukraine, regardless of their geographic location.”
By leveraging SocGholish—a “Malware-as-a-Service” (MaaS) giant known for selling access to ransomware gangs like LockBit—the GRU effectively hid its targeted operations amidst the noise of common cybercrime.