The Evolution of RomCom: From Backdoor to Cyberwar 

Introduction

RomCom isn’t a genre… it’s a weapon. More specifically, it is a commodity malware operated as a polyvalent payload leveraged in state-aligned geopolitical espionage and financially motivated operations. Since its emergence, RomCom has demonstrated progressive adaptability, evolving through five distinct iterations, each introducing increased sophistication, modularity, and functionality.

What began with a report from the United Kingdom’s National Cyber Security Centre (NCSC) quickly unraveled into a sprawling investigation. A reference to a downloader known as Damascened Peacock served as the cornerstone of the puzzle that led AttackIQ’s Adversary Research Team (ART) to correlate 25 fragmented sources, spanning five years of threat activity.

As a result, we reconstructed the operational footprint of its operator, an eponymous criminal adversary whose operations are consistently aligned with the geopolitical interests of the Russian Federation, as demonstrated by sustained targeting of Ukraine and NATO-aligned nations.

Over time, both the operator and its payload have demonstrated operational overlaps and collaborative connections with other prominent cybercriminal entities. These connections suggest a shared or coordinated infrastructure and highlight the growing convergence between political espionage and financially driven extortion operations.

These connections, along with the behaviors exhibited by RomCom and its associated activities, are now emulated in seven newly released adversary emulations—AttackIQ’s largest emulation release to date. These emulations are designed to help organizations validate their security controls, assess detection coverage, and strengthen their defensive posture against this sophisticated and evolving threat.

Key Findings

  • RomCom isn’t a genre… it’s a weapon. While initially focused on Ukraine and NATO-aligned nations, RomCom-associated activities have expanded to include targets in Government, Defense, and Humanitarian sectors.
  • Polyvalent and evolving threat. RomCom has demonstrated progressive adaptability, evolving through five distinct iterations, each introducing increased sophistication, modularity, and functionality.
  • Overlapping connections with Ransomware groups. Evidence shows tight integration between RomCom deployments and the use of Cuba, Industrial Spy, and Underground ransomware in double-extortion operations.

From Fragmented Clues to a Full Operational Picture

The breakthrough in ART’s investigation originated with a report on Damascened Peacock, a lightweight downloader first identified by the United Kingdom’s National Cyber Security Centre (NCSC). Subsequent analysis of its Tactics, Techniques, and Procedures (TTPs), along with associated payloads and infrastructure, exposed a broader ecosystem that includes multiple RomCom variants and reveals significant overlaps with ransomware operations.

RomCom has proven to be more than a single-purpose commodity. It operates as a versatile platform across campaigns, enabling environment reconnaissance, credential harvesting, staged data exfiltration and ultimately ransomware deployment. It is operated by the eponymous Russian adversary RomCom, also known as UAT-5647 and Storm-0978, an adaptive and increasingly sophisticated multi-motivational adversary that has been active since at least 2022.

RomCom in Action – Validate Your Defenses

RomCom’s operator closely monitors geopolitical developments surrounding the war in Ukraine, leveraging these dynamics to conduct credential harvesting and data exfiltration activities presumably in support of Russian intelligence objectives. Beyond its geopolitical targeting, RomCom also engages in opportunistic ransomware and extortion-focused operations, expanding its profile beyond pure espionage.

To help organizations prepare for this evolving threat, AttackIQ has released seven new emulations that replicate RomCom’s end-to-end TTPs, from initial delivery through post-compromise activity. Fully mapped to the MITRE ATT&CK framework, these emulations empower security teams to identify detection gaps, refine incident response playbooks and strengthen defense against real-world adversaries.

Test What Matters, Before It Matters

RomCom was initially developed as an eCrime commodity malware, engineered to facilitate the deployment and persistence of malicious payloads, enabling its integration into prominent, extortion-focused ransomware operations. However, RomCom transitioned from a purely profit-driven commodity to a utility leveraged in nation-state operations. This evolution means that defenders can no longer rely on static indicators. Understanding behaviors is now essential.

This investigation consolidates five years of fragmented intelligence into a unified operational picture, made possible by the broader cybersecurity community’s willingness to share samples, sightings and analysis. That collective foundation turned scattered insights into actionable knowledge.

AttackIQ’s emulations are designed to do the same for defenders: operationalize threat intelligence through real-world testing. Download the full report to explore our findings and strengthen your defenses.