The Russian cybercriminal group RomCom has launched a new wave of cyberattacks against Ukrainian government agencies and unidentified Polish entities since late 2023. These attacks use a modified version of the RomCom RAT called SingleCamper (also known as SnipBot or RomCom 5.0), according to a report by Cisco Talos, which tracks the activity under the code name UAT-5647.
RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been involved in ransomware, extortion, and targeted credential theft since its emergence in 2022. Recent activities show an increased operational tempo with a clear espionage agenda, aiming to set up long-term access to compromised networks and steal sensitive data.
The attacks begin with spear-phishing emails that deliver downloaders written in C++ (MeltingClaw) or Rust (RustyClaw), which in turn install backdoors such as ShadyHammock and DustyHammock. These backdoors give the operators remote control of the host, run commands, and stage data exfiltration. SingleCamper, the latest RomCom RAT version, carries out post-compromise tasks such as network reconnaissance, lateral movement, and remote tunneling using PuTTY’s Plink tool.
The campaign’s goal appears twofold: maintaining long-term espionage access to steal critical information, and potentially deploying ransomware for financial gain. Researchers believe Polish entities may also have been targeted because the malware checks the victim machine’s keyboard language settings, which suggests the operators select victims by locale.