RomCom RAT Exploits Customer Feedback Portals to Breach UK Organizations

Cybersecurity experts at Bridewell identified a targeted campaign leveraging customer feedback portals to deliver the RomCom Remote Access Trojan (RAT) to UK-based organizations in the retail, hospitality, and critical national infrastructure (CNI) sectors.

Designated “Operation Deceptive Prospect,” the intrusion set shows substantial technical overlap with the RomCom threat group (also known as Storm-0978, Void Rabisu, and several other aliases), underscoring the ongoing evolution and adaptability of Russia-based, state-aligned cyber adversaries.

The campaign capitalized on publicly accessible customer feedback forms, submitting professionally crafted phishing complaints to frontline staff.

These submissions presented as legitimate grievances or recruitment inquiries, often referencing specific facilities or events and supporting their claims with links to supposed “evidence” hosted on domains mimicking Google Drive or Microsoft OneDrive.

Figure: First-stage domain hosted on Rebrandly

In reality, these links redirected victims through a series of domains using common URL shorteners and reputable hosting providers, such as Amazon S3, before ultimately delivering malicious payloads from attacker-controlled infrastructure.

Notably, RomCom’s infrastructure exhibits a recurring use of low-cost and less regulated generic top-level domains (gTLDs) such as .live, .online, and .pub, with domain names engineered to simulate cloud storage services.
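As an added example, not part of Bridewell's report or this article, the following Python triage heuristic scans the free text of a customer-feedback submission for links matching the infrastructure pattern described above: cloud-storage brand names on hosts the real providers do not own, the cheap gTLDs named here, and URL-shortener domains (rebrand.ly is Rebrandly's shortener; bit.ly is a generic example). The sample complaint and the lookalike host in it are constructed.

```python
import re
from urllib.parse import urlparse

# Brand tokens the lookalike hosts imitated (cloud storage services).
CLOUD_BRANDS = ("google", "drive", "onedrive", "microsoft", "sharepoint")
# Registrable domains that legitimately carry those tokens; anything else is a lookalike.
LEGIT_DOMAINS = {"google.com", "onedrive.com", "live.com", "microsoft.com", "sharepoint.com"}
# Low-cost gTLDs the report says recur in RomCom infrastructure.
CHEAP_TLDS = {"live", "online", "pub"}
# Shortener domains that hide the true destination (rebrand.ly is Rebrandly's;
# bit.ly is a generic example added here).
SHORTENERS = {"rebrand.ly", "bit.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample submission, not a real lure.
SAMPLE_COMPLAINT = (
    "I was treated badly at your Manchester site on 3 March. Photos of the incident "
    "are here: https://onedrive-share.live/evidence.pdf and my CV is at "
    "https://rebrand.ly/cv-2025. Your own policy is at https://drive.google.com/file/d/abc."
)

def registrable(host):
    """Approximate the registrable domain as the last two DNS labels (no PSL lookup)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def assess_url(url):
    """Return the reasons a link deserves analyst review; an empty list means no flag."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    tld = reg.rsplit(".", 1)[-1]
    reasons = []
    if reg in SHORTENERS:
        reasons.append("url-shortener")
    if tld in CHEAP_TLDS:
        reasons.append("cheap-gtld:." + tld)
    # A cloud-storage brand name on a host the brand does not own.
    if any(b in host for b in CLOUD_BRANDS) and reg not in LEGIT_DOMAINS:
        reasons.append("cloud-storage-lookalike")
    return reasons

def triage_submission(text):
    """Map each URL found in a free-text submission to its review reasons."""
    return {u.rstrip(".,;"): assess_url(u.rstrip(".,;")) for u in URL_RE.findall(text)}

if __name__ == "__main__":
    for url, reasons in triage_submission(SAMPLE_COMPLAINT).items():
        print(("FLAG " if reasons else "ok   ") + url, reasons)
```

The allowlist check is what keeps onedrive.live.com and drive.google.com quiet while flagging a brand token on any other registrable domain; a production version would use the Public Suffix List rather than the two-label approximation.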

The phishing material displayed characteristics of AI generation (formulaic structure, encoding anomalies, and an impersonal yet convincing tone), which suggests the use of large language models to increase campaign scalability and efficacy.

Payload Delivery and Evasion Techniques

The infection chain involved multi-stage redirection, with victims instructed to download files purporting to be PDF documents.

Figure: Email lure used by RomCom to target the retail/hospitality sector

The final payload, masquerading behind a PDF icon, was in fact a Windows executable signed with compromised certificates, one of them linked to a dissolved UK company.

This signature abuse, coupled with the use of file-sharing platforms like Mediafire for payload distribution, complicated detection efforts for traditional security controls.

Analysis of the delivered executable revealed minimal behavior in sandbox environments and the use of anti-analysis techniques, including checks on the Windows RecentDocs registry key, an evasion tactic previously attributed to RomCom’s evolved SnipBot variant.

The use of Polish language locales and embedded developer alias strings indicated both regional targeting and iterative malware development.

RomCom has been active since at least 2022, previously conducting campaigns that blended espionage and financially motivated attacks, notably deploying ransomware and credential-theft malware.

The group is recognized for its rapid adaptation, exploiting high-profile vulnerabilities, such as chained Firefox and Windows zero-days in 2024, to deliver modular backdoors and maintain persistence in targeted environments.

Operation Deceptive Prospect demonstrates RomCom’s strategic pivot towards exploiting customer service processes, indicating a refined understanding of business workflows and an emphasis on social engineering.

The overlapping infrastructure, code signing abuse, and technical indicators corroborate attribution to the RomCom threat actor, aligning with wider patterns of Russian state-linked cyber operations across Europe and North America.

Bridewell’s analysis highlights the necessity for heightened scrutiny of customer-facing channels, improved email validation processes, and robust incident response protocols for organizations within targeted sectors.

As RomCom continues to refine its social engineering and delivery tactics, proactive threat intelligence sharing and cross-sector collaboration remain essential to mitigating the risks posed by advanced persistent threats operating at the nexus of cybercrime and espionage.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
