Russian RomCom Uses SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine
Researchers have identified the first confirmed instance of RomCom malware being delivered through the SocGholish framework, marking a significant evolution in the threat landscape. In this case, a U.S.-based engineering firm with ties to Ukraine was targeted after interacting with a SocGholish FAKEUPDATE lure injected into a compromised website. Roughly ten minutes after initial access, the attackers deployed RomCom’s Mythic Agent loader, which validated the victim’s domain before executing shellcode. The infection chain aligned with TA569’s typical playbook, including reconnaissance, PowerShell-based persistence, and delivery of secondary payloads such as VIPERTUNNEL. The speed of the operation, which was under thirty minutes from lure to loader, highlights how quickly a SocGholish compromise can escalate into a nation-state intrusion. Evidence uncovered during the investigation supports a medium-to-high confidence assessment that Russia’s GRU Unit 29155 is leveraging SocGholish infrastructure to identify and target entities associated with Ukraine. TA569’s infrastructure continues to rely on compromised legitimate websites, aggressive malvertising, and highly obfuscated loaders capable of tailoring payload delivery to specific victims. RomCom’s involvement expands the operational scope, showing that nation-state actors are now leveraging SocGholish’s scale to deliver advanced tools, such as Mythic agents, selectively. Organizations should treat any SocGholish detection as a precursor to high-impact intrusions and prioritize immediate containment, endpoint triage, and hardening against malicious JavaScript and PowerShell activity.
HashJack: A New Class of AI Browser Exploitation
HashJack is a new indirect prompt-injection technique that hides malicious instructions in URL fragments that appear after the “#” and never leave the client device. When an AI browser loads a legitimate webpage, it forwards the full URL to its AI assistant as context, causing those hidden instructions to execute even though the site itself is clean. This makes any legitimate website a potential delivery mechanism for hostile prompts without requiring server compromise or phishing infrastructure. In tests across Comet, Copilot for Edge, and Gemini for Chrome, HashJack reliably manipulated assistant output, with Comet’s agentic features enabling the most severe outcomes. The attack remains invisible to traditional defenses because fragments never appear in packets, logs, or CSP evaluations. As a result, users see a trusted page but receive AI-generated content that has been silently hijacked. The technique enables multiple attack scenarios, including callback phishing, misinformation, credential theft, malware installation guidance, and automatic data exfiltration in agentic browsers. Comet was the only browser observed autonomously sending user or page context to attacker endpoints, significantly escalating the risk. Copilot and Gemini were also affected, though link gating and search-URL rewriting reduced but did not eliminate the impact. HashJack succeeds because AI browsers treat URL fragments as harmless context, allowing attackers to influence the model without interacting with the webpage itself. This creates new risks as AI assistants gain more privileged access to user data and browser actions. Addressing this issue will require both prompt-injection safeguards and changes to how AI browsers collect and pass contextual inputs to their LLMs.
Update: FlexibleFerret Evolves Through Sophisticated Fake Recruitment Workflows Targeting macOS Users
FlexibleFerret continues to evolve as DPRK-aligned operators refine their Contagious Interview recruitment lures to deliver multilayered macOS malware under the guise of job assessments. Recent samples analyzed by Jamf Threat Labs show attackers using convincing recruitment portals that tailor job listings, company names, and assessments to each target before instructing them to run a Terminal command that silently drops the first-stage loader. The JavaScript stagers build a curl command on the fly, download a shell script to a temporary directory, and launch it in the background to begin execution. This script determines architecture, fetches the appropriate second-stage archive, installs a LaunchAgent for persistence, and launches a decoy application designed to harvest credentials. The decoy uses Chrome-style prompts to capture passwords and exfiltrate them through a legitimate cloud storage API. These behaviors align closely with prior FlexibleFerret variants tied to DPRK social-engineering pipelines that abuse technical hiring workflows. The final stage uses a Golang backdoor that registers a unique identifier, establishes a communication channel to a hardcoded command-and-control server, and executes reconnaissance, file manipulation, and data theft commands. Handlers support system profiling, remote command execution, file uploads and downloads, Chrome credential harvesting, and persistence checks to maintain long-term access. The broader campaign underscores that fake recruitment portals and Terminal-based “fix” instructions remain a high-risk vector for macOS compromise. Organizations should instruct users to immediately report unsolicited assessments requiring Terminal commands and reinforce policies prohibiting the execution of code supplied through recruitment channels.
