Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals

[Malware]

[Domain names]

[Signatures used by these companies]
Wechapaisch Consulting & Construction Limited
Noray Consulting LTD
Great C Technologies Inc.
Blythe Consulting sp. z o.o.
SEA PANDA SOFTWARE, LLC

[SSH servers]
51[.]195[.]49[.]215