RomCom (also tracked as DEV-0978 [legacy] and Storm-0978 [current] by Microsoft; Tropical Scorpius / Transforming Scorpius by Palo Alto Networks Unit 42; UAT-5647 by Cisco Talos; Void Rabisu by Trend Micro; UNC2596 by Mandiant; UAC-0180 by CERT-UA; and Hawker by Symantec / Broadcom for the Cuba-ransomware-developer cluster operationally linked to RomCom) is a Russian-speaking hybrid threat-actor cluster publicly active since 2022. The cluster is distinctive for blurring the line between financially motivated organized cybercrime and state-aligned cyber-espionage in support of Russian geopolitical interests: it runs two simultaneous operational tracks under the same operator umbrella, which Microsoft's canonical July 2023 Storm-0978 disclosure separated analytically as (a) opportunistic ransomware-and-extortion operations against financial-sector and other commercial targets (the financially motivated track) and (b) targeted credential-gathering and espionage operations against Ukrainian government, military, and Ukrainian-affiliated organizations in Europe, North America, and other NATO partner countries (the state-aligned espionage track). This dual-track pattern is unusual in modern cyber-threat-intelligence reporting and has prompted debate over whether the cluster operates under Russian state coordination, under Russian state tolerance, or as an organized-cybercrime cluster that selects targets in alignment with Russian geopolitical interests. No government cybersecurity authority has formally asserted Russian state sponsorship, but the cluster's targeting alignment with Russian geopolitical interests in Ukraine is consistent with state-tolerated operations with coordinated targeting. The cluster's signature is the RomCom RAT custom backdoor family, developed and operated exclusively by the cluster, from which the cluster's name derives.
RomCom RAT has evolved iteratively across the cluster's history through five publicly tracked major versions. Version 5.0 (Cisco Talos naming SingleCamper, also tracked as SnipBot) is distinctive for loading directly from the Windows registry into memory and communicating with its loader over a loopback address, giving the implant in-memory persistence-and-execution tradecraft. Additional custom backdoor families include DustyHammock (Rust-based late-stage backdoor), ShadyHammock (C++-based predecessor to DustyHammock), and the multi-language downloaders RustyClaw and MeltingClaw. The cluster's tooling investment across GoLang, C++, Rust, and Lua demonstrates sustained development capability in multiple programming-language ecosystems, distinguishing it from typical organized-cybercrime clusters that operate predominantly in a single ecosystem.

The cluster's signature tradecraft includes:

(1) ZERO-DAY EXPLOIT ACQUISITION-AND-RESEARCH CAPABILITY. The cluster is one of the only publicly attributed clusters with three distinct publicly confirmed zero-day exploitation campaigns across an approximately two-year window: (a) CVE-2023-36884, Microsoft Office/Windows HTML RCE (July 2023 exploitation, canonical Microsoft Storm-0978 disclosure attribution); (b) CVE-2024-9680, Mozilla Firefox/Thunderbird Animation Timeline use-after-free, chained with CVE-2024-49039, Windows kernel privilege escalation, as a zero-click exploit (October-November 2024); and (c) CVE-2025-8088, WinRAR path traversal (July-August 2025, ESET disclosure). This pattern is distinctive versus typical organized-cybercrime clusters and suggests state-tolerated or state-aligned access to zero-day inventories beyond what financially motivated clusters typically have. Industry rate-card valuation for unpatched Microsoft Office and Firefox/Thunderbird remote-code-execution capability exceeds approximately US$100,000-150,000 per exploit, so the cluster's demonstrated multi-zero-day deployment pattern represents significant capability investment.

(2) MULTIPLE-RANSOMWARE-FAMILY-DEPLOYMENT PATTERN. The cluster deploys multiple distinct ransomware payloads across campaigns rather than developing a single signature encryptor (similar to FIN8, curated separately as fin8.yaml, in this dimension): Cuba ransomware (historical operational overlap; strong technical and infrastructure links with the Hawker cluster that Symantec tracks as Cuba's developer); Industrial Spy ransomware (2022 onward); Underground ransomware (2023 onward, related to Industrial Spy); Trigona ransomware (observed in at least one operation); and a RomCom-developed ransomware family (2023 onward). Cuba ransomware operations are curated separately in this corpus as cuba_ransomware.yaml.
CISA has assessed possible operational links between Hawker (Cuba's developer), RomCom, and the Industrial Spy ransomware operators.

(3) TROJANIZED LEGITIMATE-SOFTWARE DISTRIBUTION SIGNATURE PATTERN. The cluster distributes trojanized versions of popular legitimate software (Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, Signal Messenger, and others) from malicious domains impersonating the legitimate vendors' download sites (e.g., advanced-ip-scaner[.]com, with the "n" missing, masquerading as Advanced IP Scanner). The trojanized installers deliver the RomCom RAT alongside the legitimate software's functionality so that the user notices nothing immediately. The pattern is distinctive across the cluster's longitudinal history.

(4) EDGE-DEVICE PIVOT TRADECRAFT VIA PUTTY PLINK. Cisco Talos's UAT-5647 disclosure documented the cluster's signature tradecraft of targeting edge devices from inside compromised networks, using PuTTY Plink reverse tunneling to map the internal admin ports of edge devices to attacker-controlled remote servers. The edge-device pivot supports long-term persistence goals consistent with the cluster's state-aligned espionage track.

(5) SUSTAINED UKRAINIAN AND UKRAINIAN-AFFILIATED TARGETING. Following the Russian invasion of Ukraine in February 2022, the cluster has sustained targeting of Ukrainian government, military, and Ukrainian-affiliated organizations alongside continued opportunistic financially motivated ransomware operations. The October 2023 PEAPOD campaign (Trend Micro tracking) extended targeting to women political leaders in multiple European countries through targeted social-engineering operations impersonating legitimate political-conference and human-rights-organization communications.
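As an added defensive example for tradecraft (3), not taken from the profile above or from any vendor report: the Python below scores observed domains against a constructed watchlist of legitimate vendor download domains using edit distance, so that a near-miss such as advanced-ip-scaner[.]com is flagged as a suspected impersonation of Advanced IP Scanner. The watchlist contents, the distance threshold, and the naive "last two labels" registrable-domain logic are assumptions for illustration.

```python
# Constructed watchlist of legitimate vendor download domains (assumption for this example).
WATCHLIST = {
    "advanced-ip-scanner.com": "Advanced IP Scanner",
    "solarwinds.com": "SolarWinds",
    "keepass.info": "KeePass",
    "signal.org": "Signal",
    "adobe.com": "Adobe",
}


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or swap adjacent
    characters, so a dropped letter (scaner) and a swapped pair (scannre) both cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'advanced-ip-scaner[.]com' back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable(host: str) -> str:
    """Last two labels of the hostname (drops 'www.', 'download.' etc.); naive assumption."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(indicator: str, max_distance: int = 2):
    """Return (verdict, vendor, distance): 'legitimate' on an exact watchlist hit,
    'suspected_typosquat' within max_distance of an entry, otherwise 'unrelated'."""
    name = registrable(refang(indicator))
    if name in WATCHLIST:
        return ("legitimate", WATCHLIST[name], 0)
    closest = min(WATCHLIST, key=lambda legit: edit_distance(name, legit))
    distance = edit_distance(name, closest)
    if distance <= max_distance:
        return ("suspected_typosquat", WATCHLIST[closest], distance)
    return ("unrelated", None, distance)
```

In practice the watchlist would be fed from a proxy or DNS log pipeline and the threshold tuned per domain length, since a distance of 2 is very permissive for short names.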
Operational tempo of Ukrainian-targeting operations correlates with developments in the Russian-Ukrainian war and with Ukrainian government cyber-defense responses.

(6) CREDENTIAL HARVESTING AND SAM HASH DUMP IN RANSOMWARE OPERATIONS. Microsoft's Storm-0978 disclosure documented the cluster's signature tradecraft in ransomware operations of dumping password hashes from the Windows Security Account Manager (SAM) via the Windows registry, which requires SYSTEM-level privileges that the cluster typically acquires through privilege escalation during the post-compromise phase.

Targeted sectors across the cluster's history include government administration, defense and military, foreign affairs ministries, intelligence services, critical infrastructure, energy, telecommunications, financial services, banking, insurance, manufacturing, logistics and supply chain, technology, IT services, higher education, research institutes, non-governmental organizations, political organizations, media and journalism, pharmaceutical and healthcare, and individually targeted women political leaders (PEAPOD October 2023 campaign). Targeted geographies are primarily Ukraine (sustained state-aligned targeting), Poland (signature secondary targeting), and broader NATO member countries in Western and Central-Eastern Europe and North America (United States, United Kingdom, Germany, France, Belgium, Netherlands, Italy, Canada, Latvia, Lithuania, Estonia, and others). The cluster is significant as one of the most distinctive examples of hybrid criminal and state-aligned cyber operations in modern cyber-threat-intelligence reporting.
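Added example covering tradecraft (4) and (6) together; it is not from the profile or from any vendor's detection content. The Python below runs two host-based rules over constructed Sysmon-style process-creation events: one flags Plink launched with a -R remote port forward (the primitive behind the edge-device pivot), the other flags reg.exe saving or exporting the SAM, SYSTEM or SECURITY hive (the registry-based hash dump). The field names, paths, and sample command lines are assumptions made for the example.

```python
# Constructed Sysmon-style process-creation events (assumed field names); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\ops\Downloads\plink.exe",
     "cmdline": r"plink.exe -N -R 0.0.0.0:8443:10.0.0.1:443 svc@203.0.113.10"},
    {"image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": r"plink.exe -batch admin@build01 uptime"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

# Hives whose offline copies contain (SAM, SECURITY) or unlock (SYSTEM) local credentials.
CREDENTIAL_HIVES = {r"hklm\sam", r"hklm\system", r"hklm\security"}


def _basename(image: str) -> str:
    """Lower-case file name of the executable, tolerant of either path separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_plink_reverse_tunnel(event: dict):
    """Flag Plink started with -R: the SSH server gets a listener tunnelled back to an
    internal host:port, which is how an edge device's admin port becomes reachable remotely."""
    if _basename(event["image"]) not in {"plink.exe", "plink"}:
        return None
    args = event["cmdline"].split()
    for i, arg in enumerate(args):
        if arg == "-R" and i + 1 < len(args):
            return {"rule": "plink_reverse_tunnel", "forward": args[i + 1]}
    return None


def detect_sam_hive_dump(event: dict):
    """Flag reg.exe save/export of a credential hive; this only succeeds as SYSTEM."""
    if _basename(event["image"]) != "reg.exe":
        return None
    args = event["cmdline"].split()
    if len(args) >= 3 and args[1].lower() in {"save", "export"}:
        hive = args[2].lower().replace("hkey_local_machine", "hklm")
        if hive in CREDENTIAL_HIVES:
            return {"rule": "sam_hive_dump", "hive": args[2]}
    return None


def scan(events):
    """Run every rule over every event and return the hits in event order."""
    hits = []
    for event in events:
        for rule in (detect_plink_reverse_tunnel, detect_sam_hive_dump):
            hit = rule(event)
            if hit:
                hits.append(hit)
    return hits
```

A benign Plink use (the second event) and a plain registry query (the fourth) produce no hits, so the rules key on the forwarding flag and the hive name rather than on the tool alone.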
The cluster's sustained operational tempo across approximately three-plus years, demonstrated multi-zero-day deployment capability, multi-language tooling investment, multi-ransomware-family deployment pattern, and coordinated targeting alignment with Russian geopolitical interests in Ukraine make RomCom one of the highest-impact Russia-aligned threat-actor clusters of the post-February-2022 period. The cluster fills the modern hybrid Russia-aligned-cluster cell in this corpus, complementing the broader Russian state-sponsored APT coverage (apt28_fancybear.yaml, apt29_cozybear.yaml, sandworm_team.yaml, turla.yaml, cadet_blizzard.yaml, dragonfly_energetic_bear.yaml, gamaredon.yaml, star_blizzard_callisto.yaml) and the broader Russian-speaking organized-cybercrime ransomware coverage (alphv_blackcat.yaml, darkside_blackmatter.yaml, revil_sodinokibi.yaml, wizard_spider_conti.yaml, cuba_ransomware.yaml, and others).